Home Privacy French Regulators Gift Pubs With A One-Year Break Before They Need To Comply With New Cookie Consent Rules

French Regulators Gift Pubs With A One-Year Break Before They Need To Comply With New Cookie Consent Rules

SHARE:

France’s data protection authority is giving publishers until the spring of 2020 to design and deploy GDPR-compliant cookie consent notices.

Until then, scroll consent – aka, soft or tacit consent – will be acceptable.

At a meeting in late April, representatives from the Commission nationale de l’informatique et des libertés told French industry trade organizations about the reprieve and shared additional details about the CNIL’s agenda for the coming year.

The assembled trade orgs – which included IAB France, the French arm of the Mobile Marketing Association, publisher-focused group Geste and SNCD, France’s answer to the Direct Marketing Association – had requested the meeting in an urgent mid-March letter to newly appointed CNIL president, Marie-Laure Denis.

Several public formal notices issued over the past year by the CNIL have called out specific companies in the digital advertising sector for improperly collecting user consent. As a result, there’s been some clarification on how to comply consent wise, but there’s still confusion about exactly what’s required.

The CNIL’s first order of business is to update its 2013 consent recommendations, which are obsolete now that GDPR is on the scene.

Under the recs, as long as users are shown a banner that explains why cookies are being collected and then given an easy way to opt out, sites can drop cookies even if the only form of affirmative action on the part of visitors is to scroll on the page.

The commission is planning to release updated rules in June to bring its recommendations more in line with GDPR principles. Between June and November, the CNIL will work with industry groups to make sure the guidelines are practical. Finalized consent guidelines will be published in January 2020.

Companies will then have six months to get themselves sorted before the new guidelines will be enforced. In the meantime, the 2013 consent recs, which allow implied consent, will continue to apply.

The CNIL’s willingness to work with industry representatives appears to acknowledge the lack of clarity in the law as it stands.

Consent under GDPR needs to be affirmative, informed, specific, freely given and unambiguous. Preticked consent boxes or passively scrolling past a cookie notice doesn’t count as consent.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

The CNIL’s existing 2013 guidelines, however, allow for passive consent as long as visitors are given clear information about the site’s cookie policy, usually in banner form, along with the opportunity to opt out of tracking. Most websites continue to operate in this way.

These now outdated guidelines were created with the ePrivacy Directive in mind, which ushered in all of those pop-up banners you see every time you hit a European website alerting you that simply by visiting the site you accept the use of cookies.

The ePrivacy Directive was meant to have been updated and replaced with an ePrivacy Regulation back when the GDPR was first coming into force in May of last year. That still hasn’t happened yet, which is partly why many data protection authorities, unlike the CNIL, have yet to take steps to update their country’s own outmoded cookie policies.

In a recent interview with French publication Journal Du Net, the CNIL’s secretary general, Jean Lessi, noted that, because the ePrivacy Regulation will likely not be finalized in 2019, there is “urgency” to update the commission’s stance on the use of cookies to bring it in line with GDPR.

The CNIL and IAB France did not respond in time for publication.

Must Read

Can Publishers Trust The Trade Desk’s New Wrapper?

TTD says OpenAds is not just a reaction to Prebid’s TID change, but a new model for fairer, more transparent ad auctions. So what does the DSP need to do to get publishers to adopt its new auction wrapper?

Scott Spencer’s New Startup Wants To Help Users Monetize Their Online Advertising Data

What happens when an ad tech developer partners with a cybersecurity expert to start a new company? You end up with a consumer product that is both a privacy software service and a programmatic advertising ID.

Former FTC commissioner Alvaro Bedoya speaks to AdExchanger Managing Editor Allison Schiff at Programmatic IO NY 2025.

Advertisers Probably Shouldn’t Target Teens At All, Cautions Former FTC Commissioner

Alvaro Bedoya shared his qualms with digital advertising’s more controversial targeting tactics and how kids use gen AI and social media.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

Wall Street Turned Against Ad Tech – But May Learn To Love It Again

What can pureplay ad tech companies do to clean up their rep on the Street?

AppsFlyer and Roku’s New SRN Integration Will Shed Light On CTV Campaign Impact

Roku and AppsFlyer announced the launch of a new self-reporting network (SRN) integration between both companies, which will allow mobile app advertisers to more effectively measure their streaming video campaigns

Comic: Gamechanger (Google lost the DOJ's search antitrust case)

DOJ v. Google: How Judge Brinkema Seems To Be Thinking After Week One

Where the DOJ v. Google ad tech antitrust trial stands after one week’s worth of remedies arguments.