As EU states grapple with implementing changes to the Privacy and Electronic Communications Directive requiring consent for the dropping of so called “cookie” tracking devices on laptops etc CNIL, the French ICO equivalent, has taken a radical position on analytics cookies. Thomas Spanyol reports.
Topic: Online advertising
Who: La Commission Nationale de l'Informatique et des Libertés ("CNIL")
When: April 2012
Law stated as at: June 2012
CNIL, the French equivalent to the UK Information Commissioner's Office ("ICO") has published a revised version of its cookie law guidance concerning the changes to the regime brought about by directive 2002/58/EC as amended by directive 2009/136/EC (the "directive"). This guidance was initially issued on 20 December 2011. The December guidance is available in an English translation, but the revised version, from 26 April 2012 is available in French only here.
What has changed
Further guidance on informing users, gaining consent
There is a new section 5 discussing best practice for giving information to the user and gaining consent. The key principles are (1) that the purpose of the cookie must be specified, and (2) that the user must be clearly informed how they can reject it. The guidance also gives an example of a graphic which can be superimposed on a website that would achieve this end. This is similar to the ICO guidance which also gives graphical examples of how consent can be implemented.
The main change: analytical cookies exemption
The main change is a section explaining CNIL's position on analytical cookies. Analytical or analytics cookies gather user data which can include where users are visiting from, which link, if any they have followed to reach the site, IP addresses, time spent on the site, which pages were viewed and for how long and so on. This data can then be used by the webmaster to improve the visibility, user-friendliness and structure of the site.
The basis of CNIL's position relates to the exemptions built in to the directive which exempt cookies from the requirement for consent which,
"…[have] the sole purpose of enabling or facilitating electronic communication;
or [are] strictly necessary for the provision of an online communication service at the express request of the user".
CNIL's position is that, given the specific purposes of analytical cookies (from which one can presumably infer that CNIL either means their use in site maintenance may constitute "enabling or facilitating electronic communication", or that this renders them "strictly necessary") they will fall into the exemption if they meet certain requirements, as follows:
2. Right of access to data. It must be possible for the user to have access to any of their personal data that is being collected.
3. Right to refuse. It must be possible for the user to refuse to have their presence on the site tracked by analytics cookies.
The method of doing so must meet certain requirements. It must be accessible and easy to implement for users on all devices (including smartphones), and on all operating systems and browsers. Also, no information about the user having exercised their right to refuse must be sent to the analytics service.
4. Limited purpose. The purpose of the analytics cookie must be limited to measuring site audience statistics to evaluate the content and usability of the site. It must not be possible to identify individuals from the data gathered. Similarly, the data must not be cross-referenced or combined with other data, such as customer records or visitor statistics to other sites. The cookie must only generate anonymous statistics for one site and must not, for example, monitor how the user navigates the Internet between other sites owned by the publisher.
5. IP address. Geotagging of users using the IP address should be limited in accuracy to city-wide. The IP address must also be deleted or anonymised once the geolocation has been done to avoid abuse of that personal data or overlap with other personal information.
6. Shelf life. The expiration date of analytics cookies must be a maximum of 6 months. The duration should not be extended during future visits to the site. Similarly, any raw traffic data collected containing identifiers such as IP addresses should not be kept longer than 6 months. Beyond this period, the data should be deleted or anonymised.
What are the practical implications?
Webmasters in France may take comfort that the knotty issue of analytics cookies, so widely used across the web, has been clearly addressed by CNIL. Where websites maintain a bespoke analytics solution, those running such sites will now have the choice of adapting their analytics cookies programme to comply with CNIL's requirements or gaining consent for analytics cookies along with all other cookies used.
However, many analytics services are run, and cookies set, by independent third parties. In such cases, French webmasters may not have the ability to ensure that such tracking cookies comply with CNIL's requirements. If CNIL wishes to ensure that all analytics cookies comply, they will also need to engage with entities such as Google and other suppliers of analytics services.
Is this position of CNIL's fixed?
Not exactly. CNIL have caveated this advice, stating that implementation of the directive across the EU is due to be reviewed by the Article 29 Working Party (the "Working Party") (the group of all European data protection regulators). They have reserved the right to change their advice on this topic depending on any common position that may be thrashed out by the Working Party in the coming months.
In the UK, the ICO's position on analytics is rather different. In its latest guidance, while acknowledging that gaining consent for analytics cookies was difficult, the ICO also states that web users' understanding of what analytics cookies are and do is, in general, too limited for this to be something that does not require consent. There is no attempt to bring analytics within the exemptions in the directive.
Why this matters:
There is clearly no international consensus on this issue at present, so it is unclear what the Working Party will recommend when it considers the implementation of the directive. However, there have been signs that the tendency of individual national regulators has been to attempt to soften their initial position – the ICO's recent apparent acceptance of implied consent is one such example, the CNIL's exemption for analytic cookies another. Whether this will lead to the Working Party recommending a less restrictive interpretation or amendments to the directive remains to be seen.