Understand everything about cookies
Today we are launching a new series of articles. They follow our "1 min to understand everything" episodes, which you will find on our LinkedIn page.
"1 min to understand everything" is a short video in which our lawyers, who are experts in personal data protection, simply define the key concepts of the General Data Protection Regulation (GDPR) and give you concrete examples. Follow us so you don't miss any news!
Sit comfortably with your coffee and a biscuit, we'll explain everything to you in 5 minutes! ☕️
What are cookies? What are cookies used for?
Cookies are small files placed on the user's terminal while browsing a website or application.
Cookies have several uses. Each category of cookie has its own purpose. Cookies can, for example, be used to remember the contents of a basket on a merchant website, to remember the user's preferred language or to establish statistics. We distinguish third-party cookies from first-party cookies. First-party (internal) cookies are placed directly by the site on which the user is browsing. Third-party cookies are placed by other actors (domains other than that of the site on which the user is browsing) and are useful in particular for advertising purposes.
Certain cookies are strictly necessary for the provision of an online communication service expressly requested by the user, or have the exclusive purpose of allowing or facilitating communication by electronic means. These are functional cookies, and placing them is not subject to the user's consent. The CNIL has drawn up a non-exhaustive list of these cookies in its 2020 guidelines "Cookies and other trackers":
- "Trackers retaining the choice expressed by users on the placing of trackers;
- Trackers intended for authentication with a service, including those aimed at ensuring the security of the authentication mechanism, for example by limiting robotic or unexpected access attempts;
- Trackers intended to remember the contents of a shopping cart on a merchant site or to invoice the user for the products and/or services purchased;
- User interface personalization trackers (for example, for the choice of language or presentation of a service), when such personalization constitutes an intrinsic and expected element of the service;
- Trackers allowing the balancing of the load of equipment contributing to a communication service;
- Trackers allowing paid sites to limit free access to a sample of content requested by users (predefined quantity and/or over a limited period);
- Certain audience measurement trackers, subject to the reservations mentioned below.
[...] These trackers must have a purpose strictly limited to the sole measurement of the audience on the site or application for the exclusive account of the publisher. In particular, these trackers must not allow overall monitoring of the navigation of the person using different applications or browsing different websites. Likewise, these trackers must only be used to produce anonymous statistical data, and the personal data collected cannot be cross-checked with other processing or transmitted to third parties, these various operations not being necessary for the operation of the service."
The CNIL offers the CookieViz tool to view the cookies placed from third-party domains when visiting a site.
What is a cookie banner?
It is a tool displayed on a web page that informs the user about cookies and lets them configure them. This banner must detail the purposes for which cookies are used. For additional information, it can refer to the website's cookies policy. This document completes the information given in the banner: it informs users about all the cookies used by the site and explains how to manage them.
For cookies subject to user consent, the cookies banner allows them to be accepted or refused.
- On the free nature of consent, recital 42 of the GDPR specifies "consent should not be considered to have been given freely if the data subject does not have genuine freedom of choice or is unable to refuse or withdraw consent without prejudice". In this sense, the CNIL considers that cookie walls are likely to infringe on freedom of consent.
- Regarding the specific nature of consent, the user must be able to accept or refuse each category of cookies independently (when placing them is subject to consent). The options offered to the user should not be general/global.
- The requirement for informed consent is met once the person has been informed in an understandable manner, that is to say without using overly legal vocabulary. According to the CNIL guidelines, the information given to people regarding cookies must contain at least:
  - The identity of the person(s) responsible for processing reading or writing operations,
  - The purpose of the operations carried out using cookies,
  - How to accept or refuse trackers,
  - The consequences attached to the refusal or acceptance of trackers,
  - The existence of the right to withdraw consent.
- Finally, the unambiguous nature of consent results from a positive action by the user. The CNIL considers in this sense that the simple fact of continuing to browse the website, without accepting or refusing cookies, does not constitute a clear positive act which can be treated as consent. User silence is more akin to a refusal of cookies.
In the event that the deposit of cookies is subject to consent, the person has the right to withdraw it. The CNIL recalls in its guidelines that withdrawing consent must be as simple as giving it. Exercising the right to withdraw consent must be facilitated through the cookies banner.
What are "cookie walls" or "tracer walls"?
The data of users who browse websites and applications is often monetized. Their use is not free, since this data is used in particular to carry out targeted advertising or resell these databases, which generates income. The fact that the user can refuse cookies that are not functional therefore causes the website publisher to lose a financial advantage. These actors then look for a way to compensate for this loss.
Cookie walls consist of making access to the site conditional on the deposit of cookies, or on obtaining compensation from the user if they refuse cookies. Some sites close access to the site if cookies are refused or require financial compensation; this is called a pay wall. The options offered to the user can be, for example, "Refuse everything and pay 2€ to access the site for 2 months" or "Accept everything and access the site for free".
The Council of State rendered a decision on June 19, 2020, relating to the 2019 CNIL guidelines, in which it addresses the subject of cookie walls. It judges that tracer walls cannot be banned generally on the basis of the requirement of free consent. The freedom of consent of individuals must be assessed on a case-by-case basis. In particular, it is necessary to take into account "the existence of a real and satisfactory alternative proposed in the event of refusal of cookies".
In 2022, the CNIL published its first criteria for evaluating cookie walls. To summarize, it follows the following reasoning:
- Does the site offer a fair alternative?
- If the proposed alternative is chargeable, is the price reasonable?
- Does the cookie wall allow cookies to be distinguished based on their purpose?
- If the user chooses paid access, without consenting to cookies, in which cases will cookies not subject to consent be placed?
To summarize, you should pay attention to the following points:
- All of the purposes of use linked to trackers must be presented to the visitor when making their choice. For reasons of clarity and conciseness, this first description may be limited to a brief presentation of the objectives pursued by the trackers; a more detailed description can be provided to the user later.
- The visitor must have access to a list, regularly updated, of those responsible for the processing of data accessible directly or indirectly (via a hyperlink for example) on the first level of information.
- The visitor must be able to consent to cookies through a clear positive act (system of check boxes): silence or simple continuation of navigation must be interpreted as a refusal.
- The visitor must be able to make a choice by purpose: it is recommended to allow the visitor to give consent independently and specifically for each purpose. It is possible to offer the user global consent to a set of purposes, by integrating, for example, "accept all" or "refuse all" buttons, but only if all of the purposes are presented beforehand.
- The visitor's choices must, in principle, be kept throughout navigation on the site. The CNIL recommends that the choice expressed, whether consent or refusal, be recorded in such a way as not to request them again for a certain period of time. A period of six months, both for consent and refusal, is generally considered appropriate.
- The visitor must be able to reconsider his decision at any time: he must have the possibility to withdraw his consent at any time, for example with a link at the bottom of the page or another cookie management mechanism, accessible at any time on the service concerned.
- People must be able to refuse to give consent as easily as granting it;
- People should be able to withdraw their consent as easily as they gave it;
- Individuals must be informed of the identity of the data controllers who place cookies: the list containing the identity of the data controllers must be made available to them when obtaining consent and be updated regularly;
- Data controllers must be able to demonstrate to the CNIL that they have obtained valid consent.
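The points above (choice by purpose, silence treated as refusal, a recorded choice reused for about six months, withdrawal as simple as consent, and the exemption for strictly necessary cookies) can be expressed as a small decision function that a site calls before placing any cookie. This is an added example, not code from this article or from the CNIL; the purpose names, the function names and the 183-day reading of "six months" are assumptions.

```javascript
// Added example: purpose names and the retention figure are assumptions.
const PURPOSES = ["advertising", "personalized_content", "social_sharing"];
// Strictly necessary uses named in the CNIL list: no consent required.
const EXEMPT = new Set(["consent_choice", "authentication", "cart", "load_balancing"]);
const RETENTION_MS = 183 * 24 * 60 * 60 * 1000; // "six months", as an assumption

// Store an explicit decision for every purpose. Anything the user did not
// actively accept is stored as refused: silence is never consent.
function recordChoice(choices, now) {
  const decisions = {};
  for (const p of PURPOSES) decisions[p] = choices[p] === true;
  return { decisions, recordedAt: now };
}

// The banner is shown when no choice is stored or the stored one has expired.
function needsBanner(record, now) {
  return !record || now - record.recordedAt >= RETENTION_MS;
}

// Gate to call before placing a cookie for a given purpose.
function mayPlaceCookie(record, purpose, now) {
  if (EXEMPT.has(purpose)) return true;        // functional cookie
  if (needsBanner(record, now)) return false;  // no valid choice: refusal
  return record.decisions[purpose] === true;   // unknown purpose: refusal
}

// Withdrawal is one call per purpose, as simple as giving consent.
function withdraw(record, purpose, now) {
  return {
    decisions: { ...record.decisions, [purpose]: false },
    recordedAt: now,
  };
}

// Constructed scenario: the user accepts advertising only.
const t0 = Date.UTC(2024, 0, 1);
const rec = recordChoice({ advertising: true }, t0);
console.log(mayPlaceCookie(rec, "advertising", t0 + 1000));
console.log(mayPlaceCookie(rec, "social_sharing", t0 + 1000));
console.log(mayPlaceCookie(null, "cart", t0));
```

Keeping the stored record, with its timestamp, also gives the data controller something to show when asked to demonstrate that consent was obtained.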
Data Comply One (formerly Mission GDPR) and cookies
Short on time? Feeling lost? Are you having trouble managing your compliance, and more specifically people's rights?
With Data Comply One (formerly Mission RGPD) you have a cookies policy ready to use! All you have to do is fill in the text fields identified by our experts and add this document to your website, it's simple.
Manage your compliance with ease and peace of mind!