
Understanding cookies

Today we're launching a new series of articles. They follow our 1 min pour tout comprendre episodes, which you'll find on our LinkedIn page.
1 min pour tout comprendre is a short video in which our expert data protection lawyers simply define the key concepts of the General Data Protection Regulation (GDPR) and give you concrete examples. Follow us so you don't miss any news!

Sit back with your coffee and a cookie, and we'll explain everything in 5 minutes! ☕️

What are cookies? What are cookies used for? 

Cookies are small files deposited on the user's terminal while browsing a website or application. 

Cookies serve several purposes. Each category of cookie has its own purpose. For example, cookies can be used to memorize the contents of a shopping cart on a merchant's website, the user's preferred language, or to compile statistics. A distinction is made between third-party cookies and internal cookies. Internal cookies are deposited directly by the site on which the user is browsing. Third-party cookies are deposited by other parties (domains other than that of the site on which the user is browsing) and are useful in particular for advertising purposes.  

Some cookies are strictly necessary for the provision of an online communication service expressly requested by the user, or their sole purpose is to enable or facilitate communication by electronic means. These are known as functional cookies, and their deposit is not subject to the user's consent. The CNIL drew up a non-exhaustive list of these cookies in its 2020 "Cookies and other tracers" guidelines: 

  • "Tracers preserving the choice expressed by users on the deposit of tracers;
  • Tracers intended for authentication to a service, including those designed to ensure the security of the authentication mechanism, for example by limiting robotic or unexpected access attempts; 
  • Tracers intended to store the contents of a shopping cart on a merchant site or to bill the user for the product(s) and/or service(s) purchased; 
  • Tracers for personalizing the user interface (e.g. for choosing the language or presentation of a service), when such personalization constitutes an intrinsic and expected element of the service; 
  • Tracers for balancing the load of equipment providing a communication service; 
  • Tracers enabling paying sites to limit free access to a sample of content requested by users (predefined quantity and/or over a limited period);  
  • Certain audience measurement tracers, subject to the reservations mentioned below. 

[...] The purpose of these tracers must be strictly limited to measuring the audience on the site or application for the exclusive account of the publisher. In particular, they must not be used to track the overall browsing habits of individuals using different applications or browsing different websites. Likewise, these tracers may only be used to produce anonymous statistical data, and the personal data collected may not be cross-referenced with other processing or transmitted to third parties, nor are these operations necessary for the operation of the service".  

The CNIL offers the CookieViz tool for viewing cookies deposited by third-party domains when visiting a site. 

What is a cookie banner? 

This is a tool displayed on a web page enabling the user to be informed about and configure cookies. This banner must detail the purposes for which cookies are used. For further information, it may refer to the website's cookie policy. The cookie policy informs users about all the cookies used by the site and explains how to manage them. 

For cookies subject to user consent, the cookies banner allows you to accept or reject them.   

  • On the free nature of consent, Recital 42 of the GDPR states "consent should not be considered to have been freely given if the data subject does not have a genuine freedom of choice or is not able to refuse or withdraw consent without suffering prejudice". In this sense, the CNIL considers that cookie walls are likely to undermine the freedom of consent. 
  • With regard to the specific nature of consent, the user must be able to accept or refuse (when consent is required) each category of cookie independently. The options offered to the user must not be general/global. 
  • The requirement for informed consent is fulfilled when the person has been informed, in a comprehensible manner, i.e. without using overly legal vocabulary. According to CNIL guidelines, the information provided to individuals concerning cookies must contain at least:
      • The identity of the person(s) responsible for processing read/write operations,
      • The purpose of operations carried out using cookies,
      • How to accept or refuse cookies,
      • The consequences of refusing or accepting cookies,
      • The right to withdraw consent.
  • Finally, the unambiguous nature of consent results from a positive action on the part of the user. In this respect, the CNIL considers that the simple fact of continuing to browse the website, without accepting or refusing cookies, does not constitute a clear positive act that can be assimilated to consent. The user's silence is more akin to a refusal to accept cookies. 

Where the deposit of cookies is subject to consent, the individual has the right to withdraw it. The CNIL guidelines state that withdrawing consent should be as simple as giving it. Exercising the right to withdraw consent should be facilitated by means of the cookies banner. 

What are cookie walls? 

User data from websites and applications is often monetized. The use of this data is not free of charge, as it is used for targeted advertising or for the resale of databases, which generates revenue. The fact that the user can refuse cookies that are not functional means that the website publisher loses out financially. These players are looking for ways to compensate for this loss. 

Cookie walls consist of making access to the site conditional on the deposit of cookies, or obtaining compensation from the user if they refuse cookies. Some sites close access to the site if cookies are refused, or ask for financial compensation - this is known as a pay wall. The options offered to the user may be, for example, "Refuse everything and pay €2 to access the site for 2 months" or "Accept everything and access the site for free". 

The Conseil d'État issued a decision on June 19, 2020, relating to the CNIL's 2019 guidelines, in which it addresses the subject of cookie walls. It rules that cookie walls cannot be banned across the board, on the basis of the requirement for free consent. Free consent must be assessed on a case-by-case basis. In particular, "the existence of a real and satisfactory alternative offered in the event of refusal of cookies" must be taken into account.

In 2022, the CNIL published its first evaluation criteria for cookie walls. To summarize, it uses the following reasoning: 

  • Does the site offer a fair trade alternative? 
  • If the proposed alternative has to be paid for, is the price reasonable? 
  • Does the cookie wall make it possible to distinguish cookies according to their purpose? 
  • If the user chooses paid access, without consenting to cookies, in what cases will cookies not subject to consent be deposited?

To sum up, you need to pay attention to the following points: 

  • All the purposes for which cookies are used must be presented to visitors when they make their choice. For reasons of clarity and conciseness, this initial description may be limited to a brief presentation of the purposes pursued by the trackers; a more detailed description may be provided to the user at a later stage. 
  • Visitors must have access to a regularly updated list of data controllers, accessible directly or indirectly (via a hypertext link, for example) on the first level of information.  
  • Visitors must be able to give their consent to cookies by means of a clear positive act (checkbox system): silence or simply continuing to browse must be interpreted as a refusal.  
  • The visitor must be able to make a choice by purpose: it is recommended to allow the visitor to give consent independently and specifically for each purpose. It is possible to offer the user global consent for a set of purposes, by integrating, for example, "accept all" or "refuse all" buttons, but only if all purposes are presented in advance. 
  • In principle, the visitor's choices should be retained throughout the site's navigation. The CNIL recommends that the choice expressed, whether consent or refusal, be recorded in such a way as not to be called upon again for a certain period of time. A period of six months for both consent and refusal is generally considered appropriate. 
  • Visitors must be able to reconsider their decision at any time: they must be able to withdraw their consent at any time, for example by means of a link in the footer or another cookie management mechanism, accessible at all times on the service concerned. 
  • People must be able to refuse consent as easily as give it; 
  • Individuals must be able to withdraw their consent as easily as they gave it; 
  • Individuals must be informed of the identity of the data controllers who deposit cookies: the list containing the identity of the data controllers must be made available to them when consent is obtained, and must be updated regularly; 
  • Data controllers must be able to demonstrate to the CNIL that they have obtained valid consent. 

Data Comply One (formerly Mission RGPD) and cookies

No time? Are you at a loss? Struggling to manage your compliance and, more specifically, people's rights? 

With Data Comply One (formerly Mission RGPD), you have a ready-to-use cookie policy! Simply fill in the text fields identified by our experts and add this document to your website. It's that simple.

Manage your compliance with ease and peace of mind!