Florian Viel
Affiliate cookies and consent exemption: from a general ban to an exception for cashback and reward cookies
An appeal for excess of power was lodged by Bouchara & Avocats, representing the Syndicat National du Marketing à la Performance (SNMP), as well as by the Collectif des acteurs du marketing digital (CPA), challenging the legality of the CNIL’s question-answer n°12 reproduced above. On April 8, 2022, the French Conseil d’Etat confirmed that connection data used for billing purposes in affiliation operations could not be exempted from consent, while specifying that this obligation to obtain the prior consent of Internet users did not apply to connection data collected for the purposes of “cashback” or “reward” services.
As part of its action plan on ad targeting and following the adoption of the guidelines and recommendations “Cookies and other trackers” on September 17, 2020, the CNIL had indeed published on its website a series of 32 “Questions and answers on the CNIL’s amending guidelines and recommendation on ‘cookies and other trackers’”, with the aim of answering questions from stakeholders and Internet users on the use of cookies and other trackers.
In its question-answer n°12, the CNIL prohibited the use of cookies for the invoicing of affiliation operations without the consent of the persons concerned, on the grounds that such cookies would not have the exclusive purpose of allowing or facilitating communication by electronic means and would not be strictly necessary for the provision of an online communication service expressly requested by the user.
The CNIL therefore declared that the use of these trackers required the prior consent of the persons concerned.
Considering that this general obligation exceeds the powers of the CNIL, is detrimental to its interests and is legally unfounded, in particular concerning its application to “cashback” and “reward” tracking devices, Bouchara & Avocats, in the name of the SNMP, referred the matter to the Conseil d’Etat, requesting the cancellation of answer n°12 published on the CNIL website, after an informal appeal that remained unanswered.
However, in its decision of April 8, 2022, the Conseil d’Etat considered, not without surprise, that the CNIL had not issued a general and absolute prohibition by answering “No” in answer n°12 (I-) and that this answer did not infringe Article 82 of the French Data Protection Act (II-), while expressly recognizing that it does not apply to cashback and reward (III-).
I- Incompetence of the CNIL to issue a general and absolute ban
In accordance with the provisions of Article 8 of the Data Protection Act, the CNIL has a number of powers:
“I.-The National Commission on Data Processing and Liberties is an independent administrative authority. It is the national supervisory authority within the meaning and for the application of Regulation (EU) 2016/679 of 27 April 2016. It carries out the following missions:
1° It informs all data subjects and data controllers of their rights and obligations and may, to this end, provide appropriate information to local authorities, their groupings and small and medium-sized enterprises;
2° It shall ensure that the processing of personal data is carried out in accordance with the provisions of this Act and other provisions relating to the protection of personal data provided for by legislative and regulatory texts, European Union law and France’s international commitments.
As such:
a) It gives an opinion on the processing operations mentioned in Articles 31 and 32;
b) It establishes and publishes guidelines, recommendations or benchmarks intended to facilitate the compliance of personal data processing with the texts relating to the protection of personal data and to carry out the prior assessment of risks by data controllers and their processors. It encourages the development of codes of conduct defining the obligations of data controllers and their processors, taking into account the risk inherent in the processing of personal data for the rights and freedoms of natural persons, including minors. It approves and publishes reference methodologies designed to promote the compliance of personal health data processing. It takes into account, in all the fields of its action, the situation of people without digital skills, and the specific needs of local authorities, their groups and micro, small and medium enterprises; […]”
The CNIL may, in this respect, establish and publish guidelines, recommendations or reference systems intended to facilitate the compliance of personal data processing with the applicable texts, and to carry out prior risk assessment by data controllers and their processors.
However, the CNIL cannot deduce a general and absolute prohibition that is not clearly provided for by the applicable texts without exceeding what it can legally do in the context of a flexible law instrument, as the Conseil d’Etat recently recalled in its decision of June 19, 2020 (CE, 19 juin 2020, Association des agences-conseil en communication, No. 434684).
By answering “No” in its answer n°12, the CNIL clearly seems to interpret Article 82 of the French Data Protection Act, which does not prohibit in a general and absolute manner the storage of data used for the invoicing of affiliation operations without the prior consent of the persons concerned, but stipulates that: “Any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless previously informed by the controller or his representative:
1° The purpose of any action to access, by electronic transmission, information already stored in his electronic communications terminal equipment, or to write information into such equipment;
2° The means available to him to oppose it.
Such access or registration may only take place if the subscriber or user has expressed consent, after receiving such information, which may result from appropriate settings on the subscriber’s or user’s connection device or any other device under the subscriber’s control.
These provisions shall not apply if the access to information stored in the user’s terminal equipment or the recording of information in the user’s terminal equipment :
1° Or, has as its exclusive purpose to allow or facilitate communication by electronic means ;
2° Or, is strictly necessary for the provision of an online communication service at the express request of the user”.
However, the Council of State considers that the CNIL’s response “No” to the question “Are tracking devices used for billing of affiliate operations exempt from consent?” is an interpretation of the applicable law intended to inform all interested persons and assist in the compliance of practices, and is not a matter of imposing a general and absolute ban on such trackers.
However, Article 82 does not provide for a general and absolute prohibition on the storage of cookies used for the invoicing of affiliation operations, without the prior consent of the persons concerned, nor does it provide for a general and absolute prohibition on cookie walls.
De facto, the CNIL’s interpretation of this article necessarily lays down a general and absolute prohibition and therefore exceeds what it can legally do in the context of a flexible law instrument. The Conseil d’Etat does not recognise this here, although it had done so in its decision of June 19, 2020 (CE, June 19, 2020, Association des agences-conseil en communication, No. 434684).
II- Non-observance of Article 82 of the Data Protection Act
Article 82 of the French Data Protection Act transposes into French law Article 5, point 3, of European Directive 2002/58/EC of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (e-Privacy Directive), which provides that:
“Member States shall ensure that the use of electronic communications networks to store or access information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user is provided, in accordance with Directive 95/46/EC, with clear and comprehensive information, inter alia, about the purposes of the processing, and that the subscriber or user has the right to refuse such processing by the data controller. This provision shall not prevent storage or technical access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.”
The notion of “information society service” covers any service provided, normally for remuneration, at a distance by means of electronic data processing and storage equipment, at the individual request of a recipient of services (Recital 17 of Directive 2002/58/EC).
Moreover, recital 18 of the same Directive 2002/58/EC states that “Information society services […], to the extent that they represent an economic activity, extend to services that are not paid for by those who receive them. These include services that provide online information or marketing communications, or those that provide tools for data search, access and retrieval. Information society services also include services that consist of transmitting information over a communications network, providing access to a communications network, or hosting information provided by a service recipient. […]”.
The provisions of Law No. 78-17 of January 6, 1978 on information technology, files and freedoms must therefore be interpreted in light of the provisions of Directive 2002/58/EC.
The consent requirement does not therefore apply to operations whose sole purpose is to enable or facilitate communication by electronic means or are strictly necessary for the provision of an online communication service / information society service expressly requested by the user.
Trackers are only exempt from the consent requirement if they are used exclusively for one or more purposes that can be related to the exceptions listed above.
In its guidelines on the application of Article 82 of the amended Act of January 6, 1978 to read and write operations on a user’s terminal (including “cookies and other trackers”), the CNIL thus expressly considers that “the following trackers, in particular, can be considered as exempted:
- trackers retaining the choice expressed by users on the storage of trackers;
- trackers for authentication to a service, including those intended to ensure the security of the authentication mechanism, for example by limiting robotic or unexpected access attempts;
- trackers intended to keep track of the contents of a shopping cart on a merchant site or to bill the user for the product(s) and/or service(s) purchased;
- user interface customization trackers (e.g., for language selection or service presentation), where such customization is an intrinsic and expected feature of the service;
- trackers allowing the load balancing of the equipment contributing to a communication service;
- trackers allowing paying sites to limit free access to a sample of content requested by users (predefined quantity and/or over a limited period);
- certain audience measurement trackers, subject to the reservations mentioned below.”
The CNIL thus considers in its answer n°12, by extension of the above, that the trackers used for the invoicing of affiliation operations do not fall within the exemptions of Article 82 of the French Data Protection Act, since they would not be necessary for the provision of an online communication service expressly requested by the user.
The Council of State limits the interpretation of the CNIL by specifying, however, that it is only valid with regard to operations by which the publisher of a merchant site and the publisher of another site agree that the former will remunerate the latter every time a user makes a purchase on the merchant site after having clicked on a link, taking the form of an advertising banner, an image, a text or any other form, appearing on the affiliate’s website. The implementation of such a partnership would imply the use of connection trackers in order to determine the origin of the connection to the merchant site and to proceed, if necessary, to the invoicing of the operation.
The use of trackers for such an exclusive purpose would not allow or facilitate communication by electronic means and would not be strictly necessary for the provision of an online communication service expressly requested by the user.
Indeed, these trackers would not be strictly necessary for the connection of an Internet user who reaches the merchant site from a site published by a third party and makes a purchase. Nor would they be strictly necessary for the provision of a service insofar as the remuneration of the affiliate by the publisher of the merchant site would not respond to a user request.
In this respect, the Conseil d’Etat considers that the fact that these trackers are necessary for the economic viability of a site or a partnership does not make them strictly necessary for the Internet user and therefore exempt from consent.
III- Exemption of “cashback” and “reward” trackers from the collection of consent
At the origin of the appeal, the SNMP considers that, in the context of cashback and reward services provided at the express request of the user registered for these services, the use of trackers for the billing of affiliation operations is strictly necessary for the provision of the said information society services.
Cashback and rewards services are services that aim to give back to their subscribers a part of the commission that merchant sites pay them. These commissions are paid in return for sales generated by registrants sent by the cashback sites to the merchants. Cashback and rewards registrants want their journey from the cashback and rewards site to their purchase on the merchant site to be tracked in order to receive their commission.
As a result, CNIL’s answer n°12 would not only disregard its competence but would also constitute a manifestly extensive and incorrect interpretation of article 82 of the French Data Protection Act.
However, while considering that the CNIL has not disregarded its competence or Article 82 of the Data Protection Act, the Conseil d’Etat has expressly excluded from answer n°12 the connection trackers implemented for the needs of cashback and rewards services “even though these same trackers may also be used for the invoicing of operations similar to affiliation between these publishers”.
The answer n°12 would not require that the storage and use of such trackers be preceded by the consent of the Internet user, insofar as they are strictly necessary for the provision of an online communication service at the express request of the user.
Accordingly, the State Council implicitly recognizes that the general and absolute nature of Answer No. 12 is not appropriate.
Thus, regardless of the rejection of the SNMP and CPA appeals requesting the annulment of Response No. 12, a rewording of the latter – in particular by expressly excluding the trackers of cashback and reward – would be of general interest in order to really specify the applicable rules and to accompany the actors concerned in their compliance.
Concerned about defending the interests of its collective, the SNMP then sent the CNIL a new appeal dated April 27, 2022, requesting the modification of the question-answer n°12 in order to expressly exclude the tracking of cashbacks and rewards as indicated by the State Council.
Following this appeal and in the general interest of the professionals of the sector, the CNIL finally agreed to publish a new question-answer n°13 expressly and specifically excluding the tracking of cashbacks and rewards from the obligation to collect the consent of Internet users prior to their deposit and use, recalling the terms of the Council of State: