Trackers implemented for analytics purposes do not require consent, subject to certain strict limited conditions. The implementation of trackers may be exempt from prior user consent only if:
However, the implementation of trackers that are not essential to the provision of an online service, and that therefore require consent, is not possible until the user has provided consent.
The consent of the user required for the implementation of trackers must be freely given and purpose-specific. The user should be able to choose each purpose for which he/she consents to the implementation of cookies.
In addition, consent must be informed: sufficient plain-language information should be provided to users to ensure that their valid consent has been obtained. This includes, at a minimum: (i) the identity of the data controller(s) implementing the trackers; (ii) the purpose for the implementation of the trackers; and (iii) the right to withdraw consent.
Importantly, when tracking results in the further processing of personal data based on a data subject's consent, all GDPR requirements for such data processing must be met, and consent must be unambiguous and provable. As a result, a positive action from the user is now required to formalize consent. The mere continued browsing or use of a website/app is no longer sufficient, nor are pre-ticked checkboxes or acceptance of general terms, including a provision on cookies.
The CNIL has granted a 12-month interim period before enforcement of its new guidelines. During this period, continued browsing will still be accepted as valid consent.
The new CNIL guidelines on trackers are part of its broader plan to address targeted advertising. As the discussions on the ePrivacy regulation are still ongoing, stakeholders in the online marketing ecosystem should monitor the upcoming sector-specific further discussions with the CNIL that will take place later this year.
Four Key Takeaways