Analytics Cookies to Be Exempt from Consent Requirement in France

As reported by DataGuidance, the UK Information Commissioner the enforcement of the “cookie law” will be “pragmatic and realistic” in the UK. “Pragmatic” and realistic”: Sounds good doesn’t it? Doesn’t sound very German, though, does it? As explained here, the cookie situation in Germany is still unresolved, largely due to the (my take on the matter) inability to come up with a draft for transforming the Directive’s into German law that provides for a workable solution the problem. It seems that at least the current government feels uncomfortable to pass a law the wording of which would effectively rule out a good portion of how websites work today.

Even more interestingly, in the same DataGuidance post they report that the French Data Protection Authority (CNIL) will exempt analytics cookies from the new requirement of prior consent. Now that seems like truly bending the termini

“for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

But that is how CNIL plan it. I have dug out my school French and actually read through the details. The bottom line of CNIL’s approach, to me, is to efeectively ignore the wording of the Directive and make an attempt at publishing a set of compulsory (but manageable) conditions that website owners have to observe if they wish to make use of analytics tools. Those rules, in summary, are:

  • Inform the user on what tool you are using, and to that in clear, transparent and complete fashion;
  • Make sure that the user can exercise his/her “right of access”, meaning the right to be informed on
  • the purposes of the data processing,
  • the type of recorded data,
  • the origin and destination of the data,
  • any transfers of the data to countries outside the European Union,

 as well as the right to have personal data rectified and/or deleted;

  • Provide for an effective opt out tool to facilitate the user’s “right to object” that is easy to get and easy install for everyone and on all operating systems/browsers as well as smart phones. If a user decides to use the tool, make sure that no information about that user is transmitted to whoever is “the editor” of the analytics tool you are using;
  • The purpose of the analytics tool of your choice must be limited to analyzing web traffic on your site, and must not allow the identification of individual users. There may be no cross referencing of data of any sorts. Cookies used by the analytics tool may only lead to producing anonymous statistics, and must not allow for tracking over various websites;
  • You may use the IP address allocated to the user’s device for locating the user’s device, but not “more precisely than on city level” [meaning you’ll have to do without the last octet of an IPv4 address). After doing your geolocation, you will have to delete or “anonymize” the IP address;
  • Cookies must be limited to a duration of 6 months, just as any data containing an “identifier” (such as an IP address) should not be kept longer that six months. Afterwards data must be deleted or “anonymized”.

I would assume that the suggested rules simply reflect what is industry best practice in France today. At least they almost completely reflect the guidelines that you will get to hear from the authorities in Germany regarding the (lawful) use of web analytics tools today (we do need an additional “data controller/data processor agreement” on top of all that as a legal fig leaf).

It will be truly interesting to see if our transformation of the Cookie Directive will do away with all this and require “prior consent” of the user if other countries such as France not known for any particular laxness in data protection take a much more pragmatic approach. After all, wasn’t it the idea that EU Directives lead to a greater degree of harmonization of the national laws in the EU?


For more updates on German and EU IT law and other IT-related matters please follow us on Twitter @germanitlaw.

Leave a Reply

Your email address will not be published. Required fields are marked *