Last year, the French Data Protection Authority (CNIL) changed its rules on cookies. While EU law binds companies as a baseline, member state laws can go above and beyond those rules, according to their perceptions of how to best protect consumers.
Per the new rules, Osano now provides a consent-banner configuration that applies to French users and complies with the CNIL’s rules.
When a user encounters a consent banner, there’s an order to operations. Under EU rules, you can disclose data uses on a tiered basis. In that way, users can choose how much information they need to make a decision on whether to consent. Typically, Osano’s Consent Manager discloses cookie practices within the consent banner’s “drawer,” or the second layer of notification. The CNIL dislikes that model and said sites gathering consent from French users should announce up-front, at the “first-layer,” what they plan to do with user data.
In Osano’s French banner, then, the user is shown details about data collection and use at the first point-of-contact with the site.
Why does this matter?
In October 2020, the French Data Protection Authority (CNIL) published revised cookies guidelines on obtaining user consent to collect or store non-essential cookies -- cookies deployed for advertising purposes.
The CNIL guidelines call for entities to give more information than previously required under GDPR guidelines to collect consent. Now, the minimum information described to users must include the identity of the data controller and the purpose of the cookies deployed. It must also tell users how they can withdraw consent and the potential consequences of either choice.
The new guidelines also state that a user’s failure to opt-in to cookies must, by default, be considered non-consent.
In addition, the rules no longer completely ban cookie walls. But the CNIL indicates it frowns upon it because it’s less representative of true “affirmative consent.”
Previously, the CNIL allowed sites to collect user consent for a group of sites, provided they notified users. Now, the CNIL “strongly recommends” seeking consent for each site from each user if an entity other than the first-party website deploys non-essential cookies.
CNIL gave sites six months to comply with the new rules. That window closed in March 2021, and the regulator has since started auditing sites and issuing non-compliance letters.
Now, Osano customers can provide the correct consent banner for CNIL compliance.