Page 1

Updates information

NATIONAL LAW
IN FORCE

BULLETINS
OFFICIALS

OFFICIAL CONVENTIONS BULLETINS
COLLECTIVES

Official publications

PUBLICATIONS
OFFICIAL

NEWSPAPER
OFFICIAL

|

AROUND
OF THE LAW

DEBATES
PARLIAMENTARIANS

Managing cookies

|

Law and jurisprudence
of the European Union

Contact us

Right
international

WRITTEN QUESTIONS
PARLIAMENTARIANS

DOCUMENTS
ADMINISTRATIVE

Official newspaper Deliberation n ° 2019-093 of 4 July 2019 adopting guidelines relating to the application of ...

Search in:
All contents

In all fields

Ex .: L. 121-1, CGI, 10-15056, fraud, protected adults

ADVANCED SEARCH

Select a fund
Back to OJ Summary
Codes

‹ Previous text

Next text ›
Consolidated texts

"

TO PRINT

Official newspaper

COPY TEXT

case law
Deliberation n ° 2019-093 of 4 JulyConstitutional
2019 adopting
guidelines relating to Administrative case law
the application of article 82 of the law of 6 January 1978 as amended to reading operations and
Judicial case law
Financial case law
Branch agreements and collective agreements
writing to a user's terminal (in particular to cookies and other tracers)
Circulars and Instructions

Company
agreements
NOR:
CNIL1920776X

CNIL

All contents

JORF n ° 0165 of July 18, 2019
Text n ° 124

Extract from the Official Journal
authenticated electronics
PDF - 237.7 KB

Search in text ...
Reset

Initial version

The National Commission for Informatics and Freedoms,
Having regard to convention n ° 108 of the Council of Europe for the protection of individuals with regard to automatic processing of personal data;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data
personal character and the free movement of such data, and repealing Directive 95/46 / EC;
Having regard to Directive 2002/58 / EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the sector of
electronic communications amended by Directive 2009/136 / EC of 25 November 2009;
Having regard to Directive 2008/63 / EC on competition in the markets for telecommunications terminal equipment, in particular Article 1 thereof;
Considering the amended law n ° 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 8-I-2 ° b and 82;
Considering the decree n ° 2019-536 of May 29, 2019 taken for the application of the law n ° 78-17 of January 6, 1978 relating to data processing, files and freedoms;
Having regard to the guidelines on consent within the meaning of Regulation (EU) 2016/679 adopted on April 10, 2018 by the "Article 29" working group on the protection of
data and endorsed by the European Data Protection Board (EDPS) on May 25, 2018;
Having regard to the declaration of 25 May 2018 by the European Data Protection Board on the revision of the “privacy and electronic communications” directive and its
impact on the privacy and confidentiality of electronic communications;
Having regard to opinion 5/2019 on the relationship between the “privacy and electronic communications” directive and the GDPR, in particular concerning the competence, missions and powers
of data protection authorities, adopted by the European Data Protection Board (EDPS) on March 12, 2019;
Considering deliberation n ° 2013-378 of December 5, 2013 adopting a recommendation relating to cookies and other tracers referred to in article 32-II of the law of 6
January 1978;

Item
After hearing Mr François PELLEGRINI, Commissioner, in his report, and Ms Nacima BELKACEM, Government Commissioner, in his observations,
Adopts the following guidelines:
The National Commission for Informatics and Freedoms (CNIL) is responsible for ensuring compliance with the provisions of Law No. 78-17 of January 6, 1978

amended relating to

data processing, files and freedoms (hereinafter the Data Protection Act), as well as other texts relating to the protection of personal data.
The purpose of these guidelines is to recall the law applicable to read or write operations in a user's terminal, and in particular the use
cookies and other trackers. They result in particular from the provisions of Directive 2002/58 / EC amended on privacy and electronic communications (or ePrivacy)
transposed into French law in article 82 of the Data Protection Act, and the definition of consent appearing in article 4 of the general protection regulations
data (GDPR) as interpreted in the guidelines of the European Data Protection Board (EDPS).
In the event of a breach of these provisions, the Commission recalls that it may take all corrective measures and sanctions vis-à-vis the bodies which are subject to them,
in application of article 3 of the law, and in particular independently of the provisions of chapter VII of the GDPR in terms of cooperation and consistency, in
insofar as Article 82 results from the transposition of a separate directive.
Article 82 of the law provides that:
Any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he has been previously informed by the person in charge.
of the treatment or its representative:
1 ° The purpose of any action aimed at accessing, by electronic transmission, information already stored in its terminal equipment
electronic communications, or to record information in such equipment;
2 ° The means at his disposal to oppose it.
These accesses or registrations can only take place on condition that the subscriber or the user has expressed, after receiving this information, his consent which
may result from appropriate parameters of its connection device or any other device under its control.
This article, which transposes Article 5 (3) of the Directive on privacy and electronic communications, thus requires the collection of consent before any action aimed at
store information or access information stored in the terminal equipment of a subscriber or user, apart from the applicable exceptions.
The Commission recalls that these guidelines only concern the implementation of the provisions of Article 82 of the Data Protection Act; the
any processing of personal data using data collected via read or write operations must, moreover, comply with all
applicable legal provisions.
The consent provided for by these provisions must comply with the definition and the conditions provided for in Articles 4 (11) and 7 of the GDPR.
The GDPR has come to strengthen the requirements in terms of people's consent, by providing clarifications on the conditions for obtaining it and on the need for it.
demonstrate the collection.
Strengthening the rights of individuals leads the Commission to repeal its deliberation n ° 2013-378 of December 5, 2013

adopting a recommendation

relating to cookies and other tracers referred to in Article 32-II of the Law of 6 January 1978 (hereinafter the recommendation on cookies and other tracers) to replace it by the
these guidelines. These guidelines will be supplemented subsequently by sectoral recommendations aimed in particular at specifying the
practical arrangements for obtaining consent.
Related links

Article 1
On the scope of the guidelines.
These guidelines apply to all operations aimed at accessing, by electronic transmission, information already stored in the
subscriber or user's terminal or to enter information in this equipment.
The Commission notes that Article 1 of Directive 2008/63 / EC defines terminal equipment as any equipment which is connected directly or
indirectly at the interface of a public telecommunications network to transmit, process or receive information; in both cases, direct or indirect, the
connection can be established by wire, optical fiber or electromagnetic channel; a connection is indirect if a device is interposed between the terminal equipment and
the interface of the public network.
This definition encompasses many commonly used devices, such as a tablet, a multifunction mobile (smartphone), a fixed or mobile computer, a
video game console, a connected television, a connected vehicle, a voice assistant, as well as any other object connected to a telecommunications network
open to the public.
These guidelines apply regardless of the operating systems, application software (such as browsers) or terminals used.
The guidelines relate to the use of HTTP cookies, by which these actions are most often carried out, but are also intended to apply to
use of other techniques: local shared objects sometimes called Flash cookies, local storage implemented within
HTML 5, identifications by calculating the fingerprint of the terminal, identifiers generated by the operating systems (whether advertising or not: IDFA, IDFV,
Android ID, etc.), hardware identifiers (MAC address, serial number or any other identifier of a device), etc. For the application of these lines
guidelines, the word tracer will designate all the devices referred to in article 82 of the law.
Whether or not the information (stored and / or consulted) is personal data within the meaning of the GDPR is not a prerequisite for
the application of Article 5, paragraph 3 of Directive 2002/58 / EC. Consequently, the aforementioned Article 82 applies regardless of whether the data
concerned may or may not be personal.
Finally, the Commission draws the attention of the bodies concerned to the fact that any processing relating to a tracer, since it falls within the category of
personal data - sometimes directly identifying (for example, an email address) and often indirectly identifying (for example,
the unique identifier of a cookie, an IP address, an identifier of the terminal or of a component of the user's terminal, the result of the fingerprint calculation in the case of
a fingerprinting technique, or an identifier generated by a software or an operating system) - requires compliance with the provisions of the GDPR.

Article 2
On the methods of obtaining consent.
In application of the Data Protection Act, the GDPR and the EDPS guidelines on consent, tracers requiring consent collection
cannot be used for writing or reading until the user has previously expressed his will to this end, in a free, specific, informed and
unequivocal by a declaration or by a clear positive act.
Regarding the free nature of consent
The Commission considers that consent can only be valid if the data subject is able to validly exercise his choice and does not suffer
major inconveniences in the event of absence or withdrawal of consent.
In this regard, the Commission recalls that the EDPS, in his statement on the review of the ePrivacy Directive and its impact on the protection of privacy and
confidentiality of electronic communications, considered that the practice of blocking access to a website or a mobile application for which
not consent to be tracked (cookie walls) is not GDPR compliant. The EDPS considers in fact that, in such a case, users are not in a position to
to refuse the use of tracers without suffering negative consequences (in this case the inability to access the site consulted).
Regarding the specific nature of consent
The Commission recalls that the data subject must be able to give their consent independently and specifically for each purpose.
distinct. It is also acceptable to offer the individual the possibility of consent in a comprehensive manner, provided that this is in addition to, but not in place of, the
possibility of consenting specifically to each purpose.
As such, the global acceptance of general conditions of use cannot be a valid method of obtaining consent, insofar as this does not
can be given separately for each purpose.
Regarding the informed nature of consent
The Commission recalls that the information must be written in simple and understandable terms for all, and that it must allow users to be
fully informed of the different purposes of the tracers used. It considers that the use of too complex legal or technical terminology does not answer
not the requirement of prior information.
The Commission recalls that the information must be complete, visible, and highlighted when obtaining consent. A simple referral to
general conditions of use are not sufficient.
The information that must be brought to the attention of users, prior to obtaining consent, in application of article 82, is at least:

- the identity of the data controller (s);
- the purpose of the data reading or writing operations;
- the existence of the right to withdraw consent.

When a processing of personal data follows the reading or writing operation and this is based on consent, the prior information
given to users must then be completed in order to meet the requirements of the EDPS Consent Guidelines.
The Commission recalls that in order for consent to be informed, the user must be able to identify all the entities using tracers before
to be able to consent to it. Thus, the exhaustive and regularly updated list of these entities must be made available to the user directly during the collection.
of his consent.
Regarding the unambiguous nature of the consent
The Commission stresses that consent must be manifested through positive action by the person who has been informed beforehand of the consequences of his
choice and having the means to exercise it. Continuing to browse a website, use a mobile application or scroll through a site page
web or mobile application do not constitute clear positive actions amounting to valid consent.
It also considers that the use of pre-checked boxes, as well as the overall acceptance of general conditions of use, cannot be considered.
as a clear positive act aimed at giving consent.
Appropriate systems must therefore be put in place to collect consent in practical ways that allow users to benefit from
user-friendly and ergonomic solutions.
On proof of consent
Article 7 of the GDPR requires consent to be demonstrable, which means that organizations operating tracers must implement mechanisms
allowing them to demonstrate, at any time, that they have validly obtained the consent of users. In the situation where these organisms do not collect
themselves the consent of the persons, the Commission recalls that such an obligation cannot be fulfilled by the mere presence of a contractual clause
committing one of the organizations to obtain valid consent on behalf of the other party.
On the withdrawal of consent
The Commission recalls that it must be as easy to refuse or withdraw consent as to give it. This means in particular that people who have given
their consent to the use of tracers must be able to withdraw it at any time. User-friendly solutions must therefore be implemented so that
people can withdraw their consent as easily as they could have given it.

Article 3
On the roles and responsibilities of the actors.
The technologies concerned by the obligation to collect consent do not systematically involve the processing of personal data.
However, in a large number of cases, read or write operations will concern personal data and will be an integral part of a
processing of personal data subject to the other provisions of the law and the GDPR, which implies the need to qualify the parties concerned.
While, in a number of cases, the use of tracers involves a single entity which is therefore fully responsible for the obligation to collect the data.
consent (for example a website publisher who uses tracers to himself carry out statistics on the use of his service), in other cases,
several actors contribute to carrying out the reading or writing operations covered by these guidelines (for example a website editor and a
advertising agency depositing cookies when consulting the website). In the latter case, these entities may be considered responsible for
single processing, jointly responsible or as subcontractors.
The Commission notes that, in other cases, third parties who use tracers will be fully and independently responsible for the tracers they place.
implemented, which means that they will have to independently assume the obligation to obtain user consent.
In the case of joint liability, in which the controllers jointly determine the purposes and means of the processing, the Commission
recalls that under Article 26 of the GDPR, they will have to define their respective obligations in a transparent manner in order to ensure compliance with the requirements of the
GDPR, in particular with regard to the collection and demonstration, where applicable, of valid consent.
Finally, a subcontractor is defined as an actor who enters information and / or accesses information stored in the terminal equipment of a subscriber or of a
user, exclusively on behalf of a data controller and without re-use for his own account of the data collected via the tracker. The
Commission recalls that if a subcontracting relationship is established, the controller and the subcontractor must establish a contract or other act
legal specifying the obligations of each party, in compliance with the provisions of Article 28 of the GDPR.

Article 4
On the terminal settings.
Article 82 of the law specifies that consent may result from appropriate parameters of the person's connection device or any other device placed
under his control.
The Commission considers that these browser settings cannot, in the state of the art, allow the user to express the manifestation of a
valid consent.
First of all, if web browsers offer many settings allowing users to express choices in terms of cookies, it is clear
that these are expressed under conditions that do not ensure a sufficient level of prior information to individuals.
Then, whatever the existing mechanisms, browsers do not allow cookies to be distinguished according to their purposes, which means that
the user is also not able to consent specifically for each purpose.
Finally, the browser settings do not currently allow a choice to be made on technologies other than cookies (such as fingerprinting by
example) for navigation tracking purposes.
However, browsers could evolve to incorporate mechanisms to collect GDPR compliant consent. The Commission considers
that such a development would be likely to guarantee, on the one hand, that Internet users have effective and simple tools enabling them to consent in a simple and,
on the other hand, that publishers who do not have the means or the skills to set up mechanisms for collecting consent can
rely on such mechanisms.

Article 5
On the specific case of audience measurement tracers.
A publisher may need to measure the audience of his website or his application, or to test different versions in order to optimize his choices.
editorials according to their respective performances. Tracers are frequently used for this purpose and these devices can, in certain cases, be
considered necessary for the provision of the service explicitly requested by the user, without being particularly intrusive for them, and
thus be exempted from obtaining consent. For example, attendance statistics and tests to measure the relative performance of different
versions of the same website (commonly called A / B tests) notably allow publishers to detect navigation problems on their site or their
application or even organize content.
Therefore, the Commission considers that this exemption from the collection of consent can benefit from processing operations meeting the following conditions:

- they must be implemented by the site editor or by its subcontractor;
- the person must be informed prior to their implementation;
- it must have the ability to oppose it through an opposition mechanism that can be easily used on all terminals, systems
operating systems, applications and web browsers. No read or write operation should take place on the terminal from which the person logged in.
opposite;
- the purpose of the device must be limited to (i) measuring the audience of the content viewed in order to allow the evaluation of the content published and the ergonomics of the site or
application, (ii) segmentation of the website audience into cohorts in order to assess the effectiveness of editorial choices, without this leading to targeting a
single person and (iii) the dynamic modification of a site as a whole. The personal data collected must not be cross-checked with
other processing (customer files or statistics of visits to other sites, for example) or transmitted to third parties. The use of tracers should also be
strictly confined to the production of anonymous statistics. Its scope must be limited to a single website or mobile application publisher and must not allow
the tracking of the navigation of the person using different applications or browsing different websites;
- the use of the IP address to geolocate the Internet user must not provide more precise information than the city. The collected IP address must also be
deleted or anonymized once geolocation has been carried out;
- the tracers used for these treatments must not have a lifespan exceeding thirteen months and this duration must not be automatically extended during
new visits. The information collected through the tracers must be kept for a maximum period of twenty-five months.

Article 6
On read or write operations not subject to prior consent.
Article 82 provides that the requirement of prior consent does not apply if access to information stored in the user's terminal equipment or
entering information in the user's terminal equipment:

- has the sole purpose of enabling or facilitating communication by electronic means; Where
- is strictly necessary for the provision of an online communication service at the express request of the user.

The law does not require either to offer the possibility of opposing the use of tracers allowing or facilitating communication by electronic means, or even
strictly necessary for the provision of an online communication service at the express request of the user.
However, in order to ensure full transparency on these operations, users must be informed of their existence and their purpose by integrating,
for example, a mention in the privacy policy of the organizations using it.

Article 7
Repeal of recommendation n ° 2013-378 of December 5, 2013.

Related links

Item
This deliberation repeals deliberation n ° 2013-378 of December 5, 2013 adopting a recommendation relating to cookies and other tracers concerned.
by article 32-II of the law of January 6, 1978.
This deliberation will be published in the Official Journal of the French Republic.
Related links

The president,
M.-L. Denis

our opinion
V

Extract from the authenticated electronic Official Journal
PDF - 237.7 KB

About this version | Legal notices | Privacy Policy | Site map | Open data and API |

Accessibility: partially compliant

service-public.fr

| data.gouv.fr

| Digital Labor Code

| government.fr

| france.fr

