Affiliate cookies and consent exemption: from a general prohibition to an exception for cashback and reward cookies
Seized of an appeal for excess of power by Cabinet Bouchara & Avocats, representing the National Union of Performance Marketing (SNMP), as well as by the Collective of Digital Marketing Actors (CPA) contesting the legality of the question- response no. 12 from the CNIL reproduced above, the Council of State was able to confirm on April 8, 2022 that the connection tracers used for billing purposes for affiliation operations could in no case be exempted from consent while specifying that this obligation to obtain the prior consent of Internet users did not apply to connection tracers implemented for the purposes of reimbursement services, known as " cash back », or of reward, said of « reward ».
By its question-answer n°12, the CNIL had then prohibited the use of tracers for the invoicing of affiliation operations without the consent of the persons concerned, on the grounds that such tracers would not have the exclusive purpose of allowing or facilitate communication by electronic means and would not be strictly necessary for the provision of an online communication service expressly requested by the user.
The CNIL therefore declares that the use of these tracers necessarily requires the prior consent of the persons concerned.
Considering that this general obligation exceeds the powers of the CNIL, harms its interests and is legally unfounded, in particular concerning its application to tracers of " cash back " and of " reward » nevertheless considered in practice as being used for the invoicing of affiliation operations, Cabinet Bouchara & Avocats seized the Council of State on behalf of the SNMP in order to request the cancellation of the answer n ° 12 published on the site website of the CNIL, after a graceful appeal remained unanswered.
In its decision of April 8, 2022, the Council of State nevertheless considered, not without surprise, that the CNIL had not issued a general and absolute ban on answer no. 12 "NO" (I-) and that the latter did not disregard article 82 of the Data Protection Act (II-), while expressly acknowledging that it does not apply to tracers of cash back and of reward (III-).
I- The CNIL's incompetence to enact a general and absolute ban
In accordance with the provisions of article 8 of the Data Protection Act, the CNIL has a certain number of powers:
" I.-The National Commission for Computing and Liberties is an independent administrative authority. It is the national supervisory authority within the meaning and for the application of Regulation (EU) 2016/679 of April 27, 2016. It performs the following tasks:
1° It informs all data subjects and all data controllers of their rights and obligations and may, to this end, provide appropriate information to local authorities, their groups and small and medium-sized enterprises;
2° It ensures that the processing of personal data is implemented in accordance with the provisions of this law and the other provisions relating to the protection of personal data provided for by legislative and regulatory texts, Union law European Union and France's international commitments.
a) It gives an opinion on the processing mentioned in Articles 31 and 32;
b) It draws up and publishes guidelines, recommendations or benchmarks intended to facilitate compliance of the processing of personal data with the texts relating to the protection of personal data and to carry out the prior assessment of the risks by controllers and their processors. It encourages the development of codes of conduct defining the obligations incumbent on data controllers and their subcontractors, taking into account the risk inherent in the processing of personal data for the rights and freedoms of natural persons, in particular minors. It approves and publishes the reference methodologies intended to promote compliance in the processing of personal health data. It takes into account, in all areas of its action, the situation of people without digital skills, and the specific needs of local authorities, their groups and micro, small and medium-sized enterprises; […]”
As such, the CNIL may establish and publish guidelines, recommendations or reference systems intended to facilitate the compliance of the processing of personal data with the applicable texts, and to carry out the prior assessment of the risks by the data controllers and their subcontractors.
However, the CNIL cannot deduce a general and absolute prohibition that would not be clearly provided for by the applicable texts without exceeding what it can legally do within the framework of a flexible legal instrument, as recently recalled by the Conseil of State in its judgment of June 19, 2020 (EC, June 19, 2020, Association of Communication Consulting Agencies, No. 434684).
By indicating in his answer n°12 “ Nope ", the CNIL seems to clearly interpret article 82 of the Data Protection Act which does not prohibit in a general and absolute manner the filing of tracers used for the invoicing of affiliation operations, without the prior consent of the persons concerned, but provides that " Any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he has been informed beforehand, by the controller or his representative:
1° The purpose of any action seeking to access, by electronic transmission, information already stored in its electronic communications terminal equipment, or to enter information in this equipment;
2° The means at his disposal to oppose it.
This access or registration can only take place on condition that the subscriber or user has expressed, after having received this information, his consent which may result from appropriate parameters of his connection device or any other device placed under his control.
These provisions are not applicable if the access to information stored in the user's terminal equipment or the registration of information in the user's terminal equipment:
1° Either, has the exclusive purpose of allowing or facilitating communication by electronic means;
2° Either, is strictly necessary for the provision of an online communication service at the express request of the user »
However, the Council of State considers that the CNIL's response " Nope ", at the question " Are the tracers used for the billing of affiliate operations exempt from consent? » constitutes a interpretation of applicable law aimed at informing any interested person and helping to bring practices into compliance, and does not come under the enactment of a general and absolute prohibition deposit of such tracers.
Gold Article 82 does not enshrine this general and absolute prohibition the deposit of tracers used for the invoicing of affiliate operations, without the prior consent of the persons concerned, as it does not provide for the general and absolute prohibition of Cookie Walls either.
It results de facto that the interpretation made by the CNIL of this article necessarily enacts a general and absolute prohibition, and consequently exceeds what it can legally do within the framework of a flexible legal instrument, which the Council of State which nevertheless did so in its judgment of June 19, 2020 (CE, June 19, 2020, Association of Communication Consulting Agencies, No. 434684).
II- Non-disregard of article 82 of the Data Protection Act
Article 82 of the Data Protection Act, ensures the transposition into French law of Article 5, point 3, of European Directive 2002/58/EC of July 12, 2002 concerning the processing of personal data and the protection Privacy in the Electronic Communications Sector (e-Privacy Directive), which provides that:
" Member States shall ensure that the use of electronic communications networks to store information or to access information stored in the terminal equipment of a subscriber or user is permitted only on condition that the subscriber or user, are provided, in compliance with Directive 95/46/EC, with clear and complete information, including on the purposes of the processing, and that the subscriber or user has the right to object to such processing by the data controller. This provision does not preclude storage or technical access aimed exclusively at carrying out or facilitating the transmission of a communication by means of an electronic communications network, or strictly necessary for the provision of a service of the information company expressly requested by the subscriber or user. [emphasis added].
The notion of " information society service » covers any service provided, normally against remuneration, at a distance by means of electronic data processing and storage equipment, at the individual request of a recipient of services (Recital 17 of Directive 2002/58/EC).
Furthermore, recital 18 of this same directive 2002/58/EC specifies that “information society services […], insofar as they represent an economic activity, extend to services that are not remunerated by those who receive them, such as services that provide online information or commercial communications, or those that provide tools for searching, accessing and retrieving data. Information society services also include services which consist of transmitting information through a communication network, providing access to a communication network or hosting information provided by a recipient of services. […] [emphasis added].
The provisions of Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms must therefore be interpreted in the light of the provisions of Directive 2002/58/EC.
The requirement of consent therefore does not apply to operations which have the exclusive purpose of enabling or facilitating communication by electronic means or are strictly necessary for the provision of an online communication service / a service of the company. information expressly requested by the user.
Tracers only fall outside the scope of the consent requirement if they are used exclusively for one or more purposes that may relate to the aforementioned exceptions.
In its guidelines relating to the application of article 82 of the law of January 6, 1978 as amended to read and write operations in a user's terminal (in particular to "cookies and other tracers"), the CNIL " thus expressly considers that the following tracers may, in particular, be regarded as exempt:
- the tracers retaining the choice expressed by the users on the deposit of tracers;
- tracers intended for authentication with a service, including those intended to ensure the security of the authentication mechanism, for example by limiting robotic or unexpected access attempts;
- tracers intended to store the contents of a shopping cart on a merchant site or to invoice the user for the product(s) and/or services purchased;
- user interface personalization tracers (for example, for the choice of language or presentation of a service), when such personalization constitutes an intrinsic and expected element of the service;
- tracers for balancing the load of equipment contributing to a communication service;
- tracers allowing paid sites to limit free access to a sample of content requested by users (predefined quantity and/or over a limited period);
- certain audience measurement plotters, subject to the reservations mentioned below. "
The CNIL thus considers in its answer n°12, by extension to the above, that the tracers used for the invoicing of affiliation operations do not fall within the exemptions of article 82 of the Data Protection Act since they would not be necessary for the provision of an online communication service expressly requested by the user.
The Council of State limits the interpretation of the CNIL specifying however that it is only valid with regard to operations by which the editor of a commercial site and that of another site agree that the first remunerates the second each time that an Internet user performs an act of purchase on the merchant site after clicking on a link, taking the form of an advertising banner, an image, a text or any other form, appearing on the affiliate's website. The implementation of such a partnership would involve the use of connection tracers in order to determine the origin of the connection to the merchant site and to proceed, if necessary, with the invoicing of the operation.
The use of tracers for such an exclusive purpose would not allow or facilitate communication by electronic means and would not be strictly necessary for the provision of an online communication service expressly requested by the user.
Indeed, these tracers would not be strictly necessary for the Internet user to connect to the merchant site from a site published by a third party and make a purchase there. They would also not be strictly necessary for the supply of a service insofar as the remuneration of the affiliate by the editor of the merchant site would not respond to a request from the user.
In this regard, the Council of State considers that the fact that these tracers are necessary for the economic viability of a site or a partnership would not make it possible to make them strictly necessary for the Internet user and therefore exempt from consent.
III- The exemption of tracers from " cash back " and of " reward » to the collection of consent
At the origin of the appeal, the SNMP considers that within the framework of the services of cash back and of reward at the express request of the user registered for these services, the use of tracers for the invoicing of affiliation operations is strictly necessary for the provision of said information society services.
The services of cashback and of rewards in fact mean services aimed at retroceding to their members part of the commission that the merchant sites pay them. These commissions are paid in return for sales generated by registrants sent by cashback sites to merchant sites. Subscribers to the sites of cashback and of rewards therefore wish that their route be traced, from the site of cashback and of rewards until their purchase on the merchant site, in order to be awarded their commission.
It would thus result that the answer n°12 of the CNIL would disregard both its competence but would also constitute a manifestly extensive and incorrect interpretation of article 82 of the Data Protection Act.
However, while considering that the CNIL did not disregard its competence and article 82 of the Data Protection Act, the Conseil d'Etat has come to expressly exclude from answer n°12 the connection tracers implemented for the needs of cashback and of rewards " even if these same tracers can also be used for the invoicing of operations similar to affiliation between these publishers ».
Answer 12 would then not have the effect of requiring that the deposit and use of such tracers be preceded by the collection of the Internet user's consent, insofar as they would be strictly necessary for the provision of a service. of online communication at the express request of the user.
Consequently, the Council of State implicitly recognizes that the general and absolute nature of answer no. 12 is not appropriate.
Thus, independently of the rejection of the SNMP and CPA appeals requesting the cancellation of answer no. 12, a reformulation of the latter - in particular by expressly excluding cash back and of reward – would prove to be of general interest in order to really specify the applicable rules and to support the actors concerned in their compliance.
Concerned about the defense of the interests of its collective, the SNMP then sent the CNIL a new gracious appeal dated April 27, 2022, requesting the modification of question-answer n ° 12 in order to expressly exclude tracers from it. cashback and of rewards as indicated by the Council of State.
Following this appeal and in the general interest of professionals in the sector, the CNIL then finally agreed to publish a new question-answer n°13 expressly and specifically excluding tracers of cashback and of rewards the obligation to obtain the consent of Internet users prior to their deposit and their use, recalling the terms of the Council of State:
Updated on 07/01/2021 To be registered as a trademark, the chosen sign must, in addition to being lawful and distinctive, be available(…)
How can a banal brand become notorious or not, VENTEPRIVEE.COM a future textbook case?
Updated on 16/12/2021 The VENTE PRIVEE.COM trademark was adopted without the holder apparently asking itself the question of its distinctive character(…)
Under what circumstances can a competitor lawfully use a third party's trademark on the Internet?
Updated on 12/16/2021 The brand has the power to unite customers. Impulsively, instinctively, thoughtlessly. Sometimes, blind (...)
The use of a third party's product in an advertisement: the assessment of the accessory nature by the Courts.
Updated on 23/12/2021 It often happens that advertisers use products from third-party companies in their advertisements which are creations protected by copyright (…)