GDPR vs. ePrivacy Directive: CNIL's Revised Guidelines for Use of Cookies and Other Trackers

In Short

The Situation: The European Union's General Data Protection Regulation ("GDPR") has been effective since May 2018 and has resulted in increased requirements for obtaining consent for the processing of personal data. However, France's current rules on the use of cookies and other trackers are still based on the ePrivacy Directive.

The Result: The French data protection authority CNIL has updated its 2013 guidelines on the use of cookies to take GDPR into account.

Looking Ahead: Website owners and publishers of applications established in France should begin reviewing their use of cookies and other tracking technologies to ensure compliance.

On July 18, 2019, the CNIL released its new guidelines on the use of cookies. Pursuant to those new guidelines and resulting from the national implementation of the ePrivacy Directive 2002/58, the rules applicable to HTTP cookies also apply to many other tracking technologies ("trackers"), including local shared objects, terminal equipment fingerprints, hardware identifiers, and identifiers generated by operating systems. These trackers may be deployed not only on smartphones and computers but also on all connected devices. Regardless of the type of tracker, clear information relating to its purpose and implementation should be provided to the user.

Trackers implemented for analytics purposes do not require consent, subject to certain strict, limited conditions. The implementation of trackers may be exempt from prior user consent only if:

  • The trackers' purpose is to enable or facilitate electronic communication;
  • The trackers are necessary for the provision of an online communication service requested by the user; or
  • The trackers are implemented by the editor/publisher of a website or application for analytics purposes, subject to restrictive conditions.

However, the implementation of trackers that are not essential to the provision of an online service, and that therefore require consent, is not possible until the user has provided consent.

The consent of the user required for the implementation of trackers must be freely given and purpose-specific. The user should be able to choose each purpose for which he/she consents to the implementation of cookies.

In addition, consent must be informed: sufficient plain-language information should be provided to users to ensure that their valid consent has been obtained. This includes, at a minimum: (i) the identity of the data controller(s) implementing the trackers; (ii) the purpose for the implementation of the trackers; and (iii) the right to withdraw consent.

Importantly, when tracking results in the further processing of personal data based on a data subject's consent, all GDPR requirements for such data processing must be met, and consent must be unambiguous and provable. As a result, a positive action from the user is now required to formalize consent. The mere continued browsing or use of a website/app is no longer sufficient, nor are pre-ticked checkboxes or acceptance of general terms, including a provision on cookies.

The CNIL has granted a 12-month interim period before enforcement of its new guidelines. During this period, continued browsing will still be accepted as valid consent.

The new CNIL guidelines on trackers are part of its broader plan to address targeted advertising. As the discussions on the ePrivacy regulation are still ongoing, stakeholders in the online marketing ecosystem should monitor the upcoming sector-specific further discussions with the CNIL that will take place later this year.

Four Key Takeaways

  1. Clear and sufficient information must be provided in relation to the use of all trackers.
  2. Trackers implemented for analytics purposes can be implemented without prior consent, subject to restrictive conditions.
  3. For trackers that require consent, continued browsing/use of the website or application will not be sufficient. Valid consent will require a positive action from the user, and consent must be provable.
  4. Website operators and publishers of apps established in France should evaluate their use of cookies and other tracking technologies based on the revised CNIL guidelines.

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.