This website is edited by PENTALOG FRANCE S.A., with a capital of 813 680 euros, with its headquarters in 1 rue des Hauts – 45380 LA CHAPELLE SAINT-MESMIN, registered in the Registry of Commerce and Companies of Orléans with number B 400 300 190.
SIRET number 400 300 190 00057 – APE 6201Z
Tel.: +33 (0)2 38 25 30 30
Editing director: Frédéric LASNIER
What is a cookie or tracker?
The term concerns trackers that are dropped and identified, for example, when a person looks at a website, reads an email, installs or uses software or a mobile application, whether on a computer, smartphone, digital reader or an online video game console connected to the Internet. If trackers meet certain requirements, this obligation may be waived.
As such, the term “cookie” covers the following:
- HTTP cookies,
- “flash” cookies,
- the outcome of identifying a device when using a “fingerprinting” method (registering a device’s unique identifier based on its configuration for tracking purposes),
- invisible pixels or “web bugs”,
- any other identifier generated, for example, by software or an operating system.
These are all tracking methods, whether or not the cookie collects personal information.
Which cookies require prior notification and consent?
Among the cookies requiring prior notification and consent, the following stand out in particular:
- the cookies related to targeted advertising campaigns,
- certain audience measurement cookies (see the exemptions below),
- the cookies from social networks generated via share buttons collecting personal information without the concerned persons’ consent.
This list is not exhaustive.
Cookies for audience measurement solutions (Analytics)
In order for audience measurement cookies to be exempt from prior consent, they must comply with the following conditions:
- notification must be given so that users can reject their use (a user must be able to reject any kind of cookie on any kind of device),
- information collected must not be corroborated with other information (client files or traffic statistics from other websites, for example),
- the dropped tracker can only be used to create anonymous statistics and cannot monitor browsing on different sites. It must not be kept for more than 13 months, and this period cannot be extended by new visits,
- raw traffic data that includes identification information also cannot be kept for more than 13 months,
- an IP address used for geolocation must not allow the user's street to be identified: only the first two octets of the IPv4 address can be kept and potentially used for geolocation (for IPv6 only the first 6 octets can be saved).
Nowadays, few tools allow compliance with these different conditions.
The analytics solutions that do not respect the above conditions must receive the users’ prior consent before being used.
How do websites obtain the users’ consent?
Users must be informed and must give prior consent before cookies and trackers can be dropped onto their device.
- If the concerned person has not given his/her consent, the cookies and trackers cannot be dropped onto or identified on his/her device.
- Users must be informed each time a new cookie objective is added to the other initially planned objectives.
- The users’ consent is a free, specific expression of will: the consent’s validity is thus related to the quality of the received information.
- Information must be visible, highlighted and complete.
- It must be written in simple, understandable terms.
- It must allow users to be perfectly informed about different cookie objectives.
- The consent is only valid if the user makes an actual choice.
- The consent is only valid if the concerned person is able to make a valid choice without any significant negative consequences if he/she refuses to give his/her consent. A user who refuses a cookie that requires his/her consent must be able to continue to benefit from the service (access to a website, for example).
This choice must be available on all applications and Internet sites.
How can compliance be concretely achieved?
Consent must consist in a positive action of a person that has been previously informed about the consequences of his/her choice and that is free to make that choice. Adapted systems must thus be implemented to obtain the users’ consent according to the practical means that allow them to benefit from user-friendly and ergonomic solutions. The acceptance of the terms and conditions cannot be considered a valid method of obtaining consent.
After consulting the concerned professionals, the CNIL recommends obtaining consent using a two-pronged approach.
STEP 1: Prior notification
First, a user who accesses a publisher's site (main or second web page) must be informed of the following:
- the exact objectives of the cookies used,
- the possibility to object to these cookies and change the configuration by clicking on a link in the banner,
- the fact that continuing to browse on the website will be considered as consent for dropping cookies on to his/her device.
For example, in case of use of trackers for advertising or audience measurement purposes, the notification may be as follows:
- Model of a prior information banner.
- Below is a model that can be used for advertising and audience measurement cookies. It must be adapted to the purposes of the cookies used.
- By continuing to browse on this website, you consent to the use of [cookies or other trackers] in order to be offered [for example, targeted ads adapted to your interests] and [for example, to generate site visit statistics].
To learn more and configure trackers.
Since consent must not be ambiguous, this banner should not disappear as long as the user does not continue to browse, namely as long as he/she does not go to another page or click on anything else (like an image, link, “Search” button).
Unless given prior consent, cookies cannot be dropped and identified:
- if the user goes to the website (home page or another page on the site from a search engine, for example) and does not continue to browse: taking no further action cannot be construed as an expression of consent,
- if the user clicks on the link in the banner taking him/her to the page where he/she can configure the cookies and, if need be, refuse their use.
STEP 2: “Learn more” page
- must be possible for all the tracking technologies used by the publisher (cookies, flash cookies, fingerprinting, plugins, certain images stored in the browser, memory space specific to different browsers, etc.),
The methods used to allow a user to exercise his/her choices may vary according to the following:
- cookies configuration tool directly available on the website or application,
- redirection to the tracking opposition tools offered by audience measurement, advertising or social network solutions, on condition that these solutions are user-friendly and operational on all devices and browsers. No information can be collected about Internet users who have either not given their consent or have objected,
- in certain conditions, the browser settings.
This two-pronged approach can be waived in other contexts, such as for mobile applications.
The message can thus be displayed after the first use of the application or after its installation.
Other means to obtain the users’ consent
There are various methods used to obtain the users’ prior consent, such as:
- a banner indicating the purposes of the cookies used and explicitly asking whether the user accepts the dropping of cookies by type, while explaining how to remove them at a later date,
- a superimposed consent request form,
- buttons that activate cookie dropping service features (for example, social network plugins).
How can users retract their consent?
User-friendly solutions must be implemented and allow the concerned person to freely withdraw his/her consent.
The cookies’ life cycle
Users may forget that they have previously consented to be tracked. This is why the CNIL considers it necessary to limit the consent validity period.
- the recommended consent validity period is a maximum of 13 months. At the expiry of this period, consent must be obtained again.
- in consequence, cookies must have a lifetime limited to thirteen months following their first dropping on the user’s device (with his/her prior consent).
- their life cycle must not be extended for new site visits.