Cookie assessment criteria published by the CNIL of France

The CNIL of France has published a cookie assessment criteria guide to aid businesses in determining the validity of cookies and other tracers. 

 

The CNIL has published guidelines on the use of cookies and other tracers, which initially prohibited cookie walls, as they were seen as a violation of the principle of free consent. A cookie wall requires users to consent to cookies in order to gain access to a site or service. The CNIL concluded that the validity or legality of cookie walls was better determined on a case-by-case basis than by prohibiting them altogether. In the absence of a position from the CJEU, the authority deemed it necessary to publish a guide containing preliminary criteria for assessing the legality of cookie walls.

 

While not prohibited in France, a careful assessment is required prior to the implementation of cookie walls. 

 

Cookie walls require an internet user to accept cookies or other tracking devices in order to access the content of a website. In most cases there is an alternative, paid option, in the form of a subscription, to compensate for the advertising revenue lost from targeted ads when cookies are declined. The validity and legality of a cookie wall are to be assessed on a case-by-case basis, depending on what alternatives are offered to users who decline cookies and how reasonable those alternatives are. As the CNIL suggests, this will require a careful assessment of the alternative options.

 

CNIL outlined several key factors which are considered in determining the validity of cookie consent and cookie walls. 

 

While the validity of a cookie wall is to be determined on a case-by-case basis, there are a few key determining factors which the CNIL highlighted. For one, it matters whether or not the internet user who refuses cookies still has a fair alternative to access the content. In some cases, paid access can be granted, replacing the cookie wall with a paywall. Where there is a paywall to access content, the CNIL will consider whether the price is reasonable. In most cases, this will be judged against the amount of ad revenue which would be lost as a result of the user refusing cookies. Another important point to consider is whether the cookie wall covers “all” cookies indiscriminately, or just certain types of cookies.

 

The CNIL recommends that the publisher offers a real and fair alternative allowing users access to the site in the event that they refuse cookies, one which does not require consenting to the use of their data. Where the user chooses paid access without consenting to cookies, there may be limited cases in which cookies can still be deposited. The CNIL stressed that users should be able to accept and refuse cookies based on their purpose, and should be able to access the site settings and revoke consent at any time.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

New cookie consent popup launched by Google following CNIL fine

Google is rolling out a new cookie consent popup, after receiving a fine from the CNIL under the EU GDPR.

 

Google recently shared a preview of its new cookie consent popup. This new popup will initially be available on YouTube in France. However, Google has said that it plans to roll out the new design across all Google services in Europe. This new cookie consent popup comes a few months after the CNIL of France fined Google €150 million for breaching data protection law. According to the CNIL, Google failed to comply with current regulation with regard to how tracking choices were presented to users in the previous cookie consent popup. Not only has the text been updated, but more importantly, the choices offered at the bottom of the cookie consent popup are very different.

 

Google made some drastic changes to the choices offered at the bottom of the new cookie consent popup.

 

The choices at the bottom of the screen in the new cookie consent popup are radically different. With the old design, users had two options: “I Agree” and “Customize”. Users who clicked on “Customize” were taken to a separate web page with several options; in order to disable all personalization settings, they had to click “off” three times and then click confirm. The new design adds a third option, a “Deny All” button that lets users opt out of tracking altogether with a single click, and the two main buttons are the same color, size and shape. Under the EU GDPR and the ePrivacy rules, online services have to obtain clear consent from their users before they can process cookie data that is not strictly necessary. For consent to be legally obtained, it must be informed, specific and freely given. The new approach will allow Google to obtain more meaningful consent from users.

 

Inspired by guidance from the CNIL, under the EU GDPR, Google has overhauled its approach to managing cookies.

 

After the initial roll out of the updated popup on YouTube in France, Google plans to use the same design for its search engine as well, across the European Economic Area, the U.K. and Switzerland. Many users won’t see the updated popup: users who are already logged into a Google account have settings that are already stored in their profiles, and people who use Google Chrome more than likely have their web browser tied to their Google accounts if they have ever logged into a Google service in the past. New users will soon experience more options with the new cookie consent popup. Existing users can, however, review their privacy settings. “Following conversations and in accordance with specific directives from the Commission nationale de l’informatique et des libertés (CNIL), we carried out a complete overhaul of our approach. In particular, we have changed the infrastructure we use to manage cookies,” Google wrote in a recent blog post.

Does your company want to collect cookies through a website or app? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Cookie consent pop-ups among the ICO’s intended topics of discussion at the recent G7 meeting

Cookie consent pop-ups need to be tackled in order to provide more meaningful consent and a better browsing experience, according to the ICO.

 

At a recent meeting of the data protection authorities of the G7 countries, the ICO decided to tackle the topic of cookie consent pop-ups. The ICO has noted that there have been complaints among the general population about the need to constantly interact with cookie consent pop-ups when arriving on a website. More importantly, the ICO believes that these cookie consent pop-ups, especially when configured awkwardly, tend to lead people to consent to giving more personal information than they would like. The ICO released a statement earlier this month setting out its intent to bring this topic up at the G7 meeting.

 

The ICO is of the opinion that currently, cookie consent pop-ups may cause individuals to consent to more use of their personal data than they would have liked.

 

Cookie consent pop-ups and their requirements have been a topic of conversation for quite some time, not only among the general population online, but also among the relevant data protection authorities. Recently we published an article discussing the best practices for cookie consent pop-ups and banners, as outlined by the Malta DPA. In preparation for the virtual meeting on September 7-8, the ICO expressed interest in discussing this with fellow G7 data protection and privacy authorities. The Information Commissioner expressed a belief that, in their current form, some cookie consent pop-ups and banners may cause individuals to consent to more access to and use of their personal data than they would have liked.

 

While the current model is already compliant with data protection law, the ICO believes that the G7 authorities have the power to influence further development.

 

The ICO has recently announced several intended changes to their data protection model, and cookie consent pop-ups were one of the key points the authority expressed interest in. While the current model is already compliant with data protection law, the ICO believes that the G7 authorities have the power to influence further development. The ICO holds a vision for the future where web browsers, software applications and device settings allow people to set lasting privacy preferences of their choosing, instead of having to do that through pop-ups each time they visit a website. This may allow individuals to be more intentional in their selections, rather than selecting whatever they feel that they need to, in order to get past a banner. This approach is definitely already technologically possible and compliant with data protection law as well, however the ICO believes that more can be done to effect change and promote more privacy oriented solutions.

 

The current regulations governing cookies are split between the GDPR and the ePrivacy Directive, which together ensure the protection of natural persons with regard to cookie consent pop-ups and banners.

 

The current regulations governing cookies are split between the GDPR and the ePrivacy Directive. There are several types of cookies, which in most cases users can choose between. For example, a user can choose to allow only the storage of necessary cookies, and reject any additional cookies for marketing or preferences. Recital 30 of the GDPR mentions the importance of cookies insofar as they can be used to identify individuals, especially given the amount of information on a user which can be stored through the use of cookies. The ePrivacy Directive is sometimes known as the “cookie law”, as it has been very instrumental in shaping the current use of cookie consent pop-ups and in ensuring that consent is ethically obtained for the use and storage of cookies. The rules regulating cookies are still being developed, and cookies themselves are continually evolving, which means that maintaining a current cookie policy will naturally be a continuous job.

 



French DPA provides GDPR recommendations regarding chatbots

CNIL of France has provided GDPR recommendations regarding chatbots and insights on the implications of their use. 

 

Chatbots are a fairly common feature on websites today, giving users quick and easy answers to frequently asked questions and providing other useful information in an interactive way. Personal data is typically processed in these interactions, and as such it is important that data controllers and processors remain mindful of any issues relating to the rights and freedoms of individuals. If available, a Data Protection Officer would be helpful in this regard, as there are cases where Data Protection Impact Assessments are recommended or necessary.

 

Chatbots require cookie placing and must remain within regulation. 

 

Chatbots preserve the conversation history across the different website pages on which they are present, and to achieve this, cookies are frequently placed on user devices. This must be done in accordance with data protection laws. The CNIL has published recommendations regarding chatbots and navigating the use of cookies in accordance with the Data Protection Act, particularly article 82, which provides guidance on the use of cookies.

 

Two ways to place cookies. 

 

Because the presence or use of a chatbot requires the deposit of cookies onto a user’s computer, permission may be required in order to do so. There are two available options for the chatbot operator. The first option is to obtain prior consent from the user in order to deposit the cookie. This consent must be free, specific, informed and unambiguous. The second option is to place the cookie only when the user activates the chatbot, that is, when the user clicks a button that specifically triggers the opening of the chatbot. In this case the operator does not need to obtain the user’s consent separately, as the cookies serve only the purpose of providing the chatbot service. However, if the tracker used for the chatbot is attached to any other purpose apart from the chatbot, user consent is required. The data collected by this tracker must only be stored for as long as is necessary to achieve the purpose of the processing.
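The two options above, together with the purpose-based accept/refuse and revocation points from the cookie wall guidance, can be enforced in a small consent gate on the client side. This is an added example, not code from the CNIL or from Aphaia; the purpose names, the `chatbot` activation flag and the in-memory `jar` standing in for `document.cookie` are all assumptions made so that it runs offline.

```javascript
// Consent-gated cookie placement: a cookie is written only when every purpose it
// serves is permitted. Permission comes from prior purpose-specific consent, or,
// for a tracker used solely by the chatbot, from the user actively opening it.
// (Added example; "jar" stands in for document.cookie; purpose names are assumed.)

const STRICTLY_NECESSARY = 'necessary';
const CHATBOT = 'chatbot';

function createConsentGate(now = () => Date.now()) {
  const consent = new Set();   // purposes the user has agreed to
  let chatbotOpened = false;   // true once the user clicks the chatbot button
  const jar = new Map();       // cookie name -> { purposes, expiresAt }

  // A purpose is permitted if it is strictly necessary, consented to, or is the
  // chatbot purpose after the user has activated the chatbot. Any extra purpose
  // attached to the chatbot tracker still needs consent.
  const permitted = (purposes) => purposes.every((p) =>
    p === STRICTLY_NECESSARY || consent.has(p) || (p === CHATBOT && chatbotOpened));

  // Drop every stored cookie whose purposes are no longer all permitted.
  const dropDisallowed = () => {
    for (const [name, c] of jar) if (!permitted(c.purposes)) jar.delete(name);
  };

  return {
    grant: (...purposes) => purposes.forEach((p) => consent.add(p)),
    openChatbot: () => { chatbotOpened = true; },
    // "Deny all" in one action: withdraw every consent and remove dependent cookies.
    denyAll: () => { consent.clear(); dropDisallowed(); },
    // Consent can be withdrawn per purpose at any time; dependent cookies go with it.
    revoke: (purpose) => { consent.delete(purpose); dropDisallowed(); },
    // Write a cookie only if all of its purposes are permitted; returns whether it was set.
    setCookie(name, purposes, maxAgeSeconds) {
      if (!permitted(purposes)) return false;
      jar.set(name, { purposes, expiresAt: now() + maxAgeSeconds * 1000 });
      return true;
    },
    // Retention purge: data is kept no longer than its purpose requires.
    purgeExpired: () => {
      for (const [name, c] of jar) if (c.expiresAt <= now()) jar.delete(name);
    },
    cookies: () => [...jar.keys()].sort(),
  };
}
```

In a real page the `jar` writes would become `document.cookie` assignments with `Max-Age`, and `openChatbot()` would be wired to the click handler of the button that launches the chatbot.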

 

French DPA recommendations on the collection of special categories of data by a chatbot. 

 

The CNIL advises that special attention should be paid when collecting data of a special category. This may include information relating to health, religious affiliation, political opinions, etc. In some cases the collection of this information is predictable and the processing is therefore relevant. For example, a chatbot for a health-related assistance service may collect and process relevant health data. In those cases it is necessary to ensure that the data processing is in accordance with Article 9.2 of the GDPR. The processing of special categories of data is one of nine criteria which can make a Data Protection Impact Assessment necessary. Where more than one of these criteria is met, a Data Protection Impact Assessment may become mandatory. “This might be the case where minors’ data is involved or where the data gathered by the chatbot is combined, compared or matched with data from other sources”, comments Cristina Contero Almagro, Partner at Aphaia.

 

In some cases the collection of such sensitive data is not predictable, as chatbots often offer the option to write freely, and the data controller or subcontractor may not have anticipated sensitive data being provided by a user. In those cases prior consent is not required. However, mechanisms must be put in place to minimize the risks to the rights and freedoms of individuals. This can be done by communicating, before or when the chatbot is launched, that people should refrain from communicating special categories of data. In addition, a purge system can be set up, since retaining the sensitive data is not necessary.

 

Conversations with a chatbot may not be used for decision making affecting an individual.

 

Regardless of the nature of the conversation with a chatbot, human intervention is required before any important decision affecting an individual is reached. A conversation with a chatbot alone, without any human intervention, cannot lead to important decisions for the person concerned. This includes the refusal of an online credit application, the application of higher rates or the inability to submit an application for a position. Conversations with chatbots may, however, form part of a larger process that includes meaningful human involvement.

 

Article 22 of the GDPR prohibits automated decision-making where there are legal ramifications significantly affecting an individual. Exceptions include cases where the person has given express consent, as well as where the decision-making is necessary for a contract between the user and the controller. In either case, a data subject must be provided with the means to obtain human intervention, which a chatbot alone cannot provide.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.