The French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), recently issued its final guidance on the application of the General Data Protection Regulation (GDPR) when it comes to  reading and writing information on user’s devices, including cookies and similar technologies. The country’s publishers, advertisers and their technology partners now have 12 months to come into compliance with the updated guidelines.

Here are the eight areas publishers and brands in France should be paying attention to:

  1. Cookie rules aren’t just about cookies: They also apply to similar tracking technologies, such as device fingerprints, or identifiers of operating systems and hardware devices such as MAC addresses.
  2. Consent means prior consent: This means that consent must be given before cookies or similar technologies are used.
  3. Users must be allowed to refuse or withdraw consent “without major inconvenience”: While legal opinion varies, the CNIL is firm in its view that users have a right to access websites and apps whether or not they give consent.
  4. Users must be allowed to give consent “independently and specifically for each purpose”. The CNIL also says that a user can consent to a slate of purposes as long as users have the ability to make granular choices.
  5. All information relevant for consent must be “complete, visible and highlighted” before the user consents: At a minimum the CNIL is looking for (i) the identity of the data controllers; (ii) the purposes of the cookies or similar technologies; and (iii) the right to withdraw consent. If personal data is processed through the help of these cookies or similar tracking technologies, all information required under the GDPR must be presented in addition.
  6. Au revoir, soft opt-in: While it’s offering a 12 month grace period, the CNIL stresses that consent obtained by “continuing to browse a website, or using a mobile application, scrolling through the page of a website or mobile applications are not clear positive actions that amount to valid consent.” It goes without saying that pre-ticking checkboxes is a big no-no.
  7. Keep records. Prove valid consent. Companies using cookies, including third parties, must be able to demonstrate at any time that valid consent has been obtained from users. Contractual clauses committing one party to obtain consent on behalf of third parties don’t count. Indeed, the CNIL takes the view that third parties are “fully and independently responsible for the cookies and other trackers they use,” so working with non-compliant publishers and marketers will put your business at risk.
  8. Surprisingly, very limited first party measurement is okay without consent. The CNIL won’t require French companies using cookies to acquire consent for first party measurement. The exception is limited: the user still has to be informed of the use and the purpose of such cookies, and be able to object. Moreover, there can’t be any cross-referencing of data from across websites or apps and must serve the sole purpose of creating anonymous statistics for a single publisher or advertiser. You can rely on third parties for such measurement, but only if they are your data processor and not a data controller.

Providing the right information, offering and managing user choices, and enabling third party advertising partners to demonstrate consent are complex technical problems. But these problems have already been solved thanks to the IAB Europe Transparency & Consent Framework (TCF).

The TCF has been designed to help industry meet the challenge of providing information and obtaining valid consent in accordance with the GDPR and in line with the CNIL’s new guidelines.

So… What should French publishers and advertisers do? 

  • Use the 12-month grace period to gradually transition to GDPR-compliant consent: Failing to do so may render all of your cookies illegal at the end of the grace period and force you to reacquire consent for all of your users. This could significantly impact ad revenue for publishers or campaign performance for brands.
  • Implement a TCF-compliant Consent Management Platform (CMP) such as Quantcast Choice: The TCF is the only industry standard solution that allows all of your partners to have confidence in the way you present information to users and obtain their consent by managing all relevant  requirements effectively for the entire supply chain

GDPR-compliant consent doesn’t have to come at the expense of business performance. Since May 2018, Quantcast Choice has empowered consumers worldwide to signal their consent decisions billions of times across tens of thousands of websites worldwide. On average, consent rates are above 90%, enabling publishers and brands to continue to deliver relevant content and advertising.

Following the CNIL’s ruling, additional product options for Quantcast Choice and Quantcast Choice Premium will be released in the coming weeks for our clients based in France and will be available until the grace period ends on July 18, 2020. To learn more about why over 26,000 domains adopted Choice and Choice Premium, click here.