France’s data protection authority is giving publishers until the spring of 2020 to design and deploy GDPR-compliant cookie consent notices.
Until then, scroll consent – aka, soft or tacit consent – will be acceptable.
At a meeting in late April, representatives from the Commission nationale de l'informatique et des libertés told French industry trade organizations about the reprieve and shared additional details about the CNIL’s agenda for the coming year.
The assembled trade orgs – which included IAB France, the French arm of the Mobile Marketing Association, publisher-focused group Geste and SNCD, France’s answer to the Direct Marketing Association – had requested the meeting in an urgent mid-March letter to newly appointed CNIL president, Marie-Laure Denis.
Several public formal notices issued over the past year by the CNIL have called out specific companies in the digital advertising sector for improperly collecting user consent. As a result, there’s been some clarification on how to comply consent wise, but there’s still confusion about exactly what’s required.
The CNIL’s first order of business is to update its 2013 consent recommendations, which are obsolete now that GDPR is on the scene.
The commission is planning to release updated rules in June to bring its recommendations more in line with GDPR principles. Between June and November, the CNIL will work with industry groups to make sure the guidelines are practical. Finalized consent guidelines will be published in January 2020.
Companies will then have six months to get themselves sorted before the new guidelines will be enforced. In the meantime, the 2013 consent recs, which allow implied consent, will continue to apply.
The CNIL’s willingness to work with industry representatives appears to acknowledge the lack of clarity in the law as it stands.
Consent under GDPR needs to be affirmative, informed, specific, freely given and unambiguous. Preticked consent boxes or passively scrolling past a cookie notice doesn’t count as consent.
The ePrivacy Directive was meant to have been updated and replaced with an ePrivacy Regulation back when the GDPR was first coming into force in May of last year. That still hasn’t happened yet, which is partly why many data protection authorities, unlike the CNIL, have yet to take steps to update their country’s own outmoded cookie policies.
The CNIL and IAB France did not respond in time for publication.