Understanding cookies

A cookie banner is a tool displayed on a web page, allowing the user to be informed and to customize cookie settings.

This banner must provide details about the purposes for which cookies are used.

In addition to the information displayed in the banner, it may link to the website's cookie policy. This document provides comprehensive information about all cookies used by the website and explains how users can manage them.

For cookies that require user consent, the cookie banner allows users to either accept or decline them.

The CNIL reminds in its guidelines that withdrawing consent should be as easy as giving it.

The exercise of the right to withdraw consent must be facilitated through the cookie banner.

Cookie walls consist in conditioning access to a website on the acceptance of cookies or obtaining compensation from the user if they refuse cookies.

The Council of State rendered a decision on June 19, 2020, regarding the CNIL's 2019 guidelines, in which it addresses the issue of cookie walls. The Council of State ruled that cookie walls cannot be prohibited in a general manner based on the requirement for free consent. The freedom of consent of individuals must be assessed on a case-by-case basis. It is necessary to consider "the existence of a real and satisfactory alternative offered in case of cookie refusal".

In 2022, the CNIL published its first criteria for evaluating cookie walls. To summarize, it follows the following reasoning:

• Does the website offer a fair alternative?

• If the alternative proposed is paid, is the price reasonable?

• Does the cookie wall distinguish cookies based on their purposes?

• If the user chooses paid access without consenting to cookies, in which cases will non-consent-based cookies be deposited?

• All the purposes of usage related to trackers must be presented to the visitor at the moment of making their choice.

• The visitor must have access to a list, regularly updated, of the data controllers for the data processing accessible directly or indirectly.

• The visitor must be able to consent to cookies through a clear positive action (e.g., a checkbox system): silence or mere continuation of navigation must be interpreted as a refusal.

• The visitor must be able to make a choice per purpose: it is recommended to allow the visitor to give their consent independently and specifically for each purpose. It is possible to offer the user the option to give global consent to a set of purposes, for example, by integrating buttons such as "accept all" or "refuse all," but only if the entire list of purposes is presented beforehand.

• The visitor's choices should, in principle, be retained throughout their navigation on the site. The CNIL recommends that the expressed choice, whether it is consent or refusal, be recorded in a way that does not prompt them again for a certain period. A duration of six months, for both consent and refusal, is generally considered appropriate.

• The visitor must be able to change their decision at any time: they must have the possibility to withdraw their consent at any time, for example, with a link in the footer or another cookie management mechanism, accessible at any time on the relevant service.

• People must be able to refuse to give their consent as easily as granting it;

• People must be able to withdraw their consent as easily as they gave it;

• People must be informed of the identity of the data controllers who place cookies: the list containing the identity of the data controllers must be made available to them when obtaining consent and be regularly updated;

• Data controllers must be able to demonstrate to the CNIL that they have obtained valid consent.