A cookie is a small text file that the provider of a website places on the computer, telephone or other terminal of a user of a site or application. It allows the collection of information about that user and their interaction with the site or application, including personal data.
The same rules cover HTTP cookies, “Flash” cookies, identifiers derived from a unique fingerprint of the terminal, web beacons, and any other identifier generated by software or by the operating system.
They serve many purposes: remembering the contents of a shopping cart, personalizing the language of a site, studying how the site is used for statistical or advertising purposes, measuring the site’s audience, and so on.
Under the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC), storing information on, or gaining access to information already stored in, a user’s terminal equipment is only allowed on condition that the user has given prior consent, having been provided with clear and comprehensive information about the purposes of the processing.
Thus, the site provider must in principle obtain the user’s prior consent before placing cookies on their terminal. As an exception, consent is not required where a cookie has the sole purpose of carrying out the transmission of a communication over an electronic communications network, or is strictly necessary to provide an online service that the user has expressly requested.
The following cookies are exempt from the requirement to obtain the user’s prior consent:
- Cookies that store the choice expressed by the user regarding the deposit of trackers;
- Cookies intended for authentication to a service, including those intended to ensure the security of the authentication mechanism, for example by limiting automated or unexpected access attempts;
- Cookies intended to keep track of the contents of a shopping cart on a merchant site, or to bill the user for the product(s) and/or service(s) purchased;
- Cookies that customize the user interface (for example, the choice of language or the presentation of a service), where such customization is an intrinsic and expected element of the service;
- Cookies that allow load balancing across the equipment contributing to a communication service;
- Cookies that allow paid sites to limit free access to a sample of the content requested by users (a predefined quantity and/or a limited period).
Some audience measurement trackers may also be exempt from user consent, provided that:
- They do not allow the user’s browsing to be tracked globally across different sites;
- They do not allow the data to be cross-referenced with other processing operations;
- They are used only to produce anonymous statistical data;
- They do not allow data to be transferred to third parties.
For all other categories of cookies, which are subject to the user’s prior consent, the user must be able to withdraw consent at any time and to configure their choices as they wish.
The consent collected by the provider must therefore meet the conditions set out in the GDPR: it must be given through a clear affirmative act by which the data subject expresses, in a free, specific, informed and unambiguous way, agreement to the processing of their personal data.
Thus, merely continuing to browse a site cannot be regarded as a valid expression of the user’s consent to the deposit of cookies.
Finally, the user’s choice to consent to or refuse all or some of the cookies must be kept by the publisher for a limited period, assessed case by case with regard to the nature of the site or application concerned and the specific characteristics of its audience.
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
Article 7(1) of the GDPR
Case law reference
European Data Protection Board (EDPB), May 3, 2021, No. 2019-0878
The Bouchara Law firm assists you in particular with:
- Bringing your organization into compliance with the GDPR;
- Documenting your processing (register of processing activities, register of personal data breaches, data protection impact assessments, prior consultation of the supervisory authority, etc.);
- Obtaining certifications and adhering to codes of conduct;
- Assessing the legal feasibility of implementing a new personal data processing operation;
- Drafting your codes of conduct and submitting them to the CNIL for approval;
- Legal analysis of the compliance of your data processing, including transfers of data outside the European Economic Area;
- Drafting and negotiating your data processing agreements (DPA);
- Drafting your Binding Corporate Rules (BCR) and codes of conduct;
- Training and raising the awareness of your employees.