The CNIL further protects users and their personal data in its new recommendations. The user's consent is indeed at the centre of the spotlights and must be the topic of all attention for each of the websites dealing with personal data.
Understand the user's consent and its nuances :
Scope of application
The recommendations of the CNIL cover all plotters except those that are exempt from consent. All actors depositing such tracers must ask for the consent of the end user. The editor remains the best role to collect consent for cookies deposited on its website even when they are deposited by a third part who defines the purposes of its treatment.
This is still possible to collect consent globally on the banner first level of information. The purposes must be clear and complete and the user who can accept globally must also be able to refuse globally on this first level of information. A link presenting the detailed purposes must be proposed, it can allow the information to be displayed directly on the first page or to be linked to a second level of information.
CNIL recommends in its "good practices" that information concerning the categories of data processed, be accessible.
Users must also be informed of the data controllers who process their data from the first level of information. A link to this list, easily accessible by the user, is recommended. Furthermore, this is not mandatory to request consent each time a new partner is added (e.g. Youtube / Facebook / Google...) except in the case of "qualitatively or quantitatively" substantial additions.
On the other hand, a link must be available to the user so that he can keep up to date with partner updates. This link can be included in the module that allows the consent collection banner to be re-displayed. The CNIL proposes to change the colour of the link to partners to warn users of a change in the list.
If a collection of consent between different websites and applications is set up, the user must be informed, at the first level of information, of the other websites and applications on which his consent is collected.
For consent to be free, the button allowing to accept all cookies present at the first level of information must be accompanied by a button allowing to refuse all cookies (new recommendation of CNIL). The buttons must have the same visual appearance and the same size so as not to influence the user's choice. The presence of a simple "Learn more" link next to the "I accept all" button is no longer sufficient.
This must be as easy to accept as it is to refuse the installation of cookies.
The user must not be penalised and suffer any prejudice in the event of refusal. The refusal must be registered for the same length of time as if he had accepted. This is in order not to impose the banner too frequently on a user who has refused to accept cookies.
Global acceptance and refusal buttons can be presented at the first level of information. As seen above, the "ACCEPT ALL" button must be accompanied by a "REFUSE ALL" button.
All the purposes (details of the cookies) used must be presented in detail (link or scrolling text below).
Of course, a specific consent by purpose must be made possible and can be proposed as a second level of information. The text leading to the second view must be clear. BRIDGE recommends a wording such as "Learn more" or "Set my cookies".
The "ACCEPT ALL" and "REFUSE ALL" buttons must be similar or even identical in design and no visuals should influence the visitor's choice.
Withdrawal and duration of consent
The user must be informed on the first page of the possibility to change his choices at any time. The link allowing him to change his choices must be accessible on all pages in a visible place and for the entire duration of navigation.
On BRIDGE Store Locators, we propose a permanent link "Manage cookies" in the footer of each page.
Concerning the duration of the consent, CNIL recommends a duration of 6 months after which it would be necessary to request the user's consent again.
Proof of consent
This is necessary to be able to provide proof of the user's consent. The data must be accurate and indicate the date, time, version of the banner used and the websites/applications on which consent has been given.
However, no information should be collected more than necessary.
If you wish to ask us any questions about the CNIL standards, and the legal aspect of the actions to be implemented, you can write to us at firstname.lastname@example.org.
If you wish to co-formulate your Store Locator, please consult our Support team, who will be able to advise you and direct you towards good practices.