The French data protection watchdog, CNIL, is back. But is the bite bigger than the bark? Absolutely not, and this isn’t the first time that the French privacy watchdog has tightened legislation. According to the CNIL, “organisations that have not yet taken the appropriate measures to comply risk financial penalties of up to 2% of their turnover”. Therefore, we have compiled a short list that makes it easy for you to check whether your website still complies with the stricter legislation in terms of obtaining consent.
The clarifications recently passed by French legislators are an extension of the EU’s General Data Protection Regulation (GDPR). The increased measures consider that “consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her”. And definitions are only getting tighter from here:
As stated in an article by Euractiv, between 2020 and 2021 the French supervisory authority adopted almost 70 corrective measures regarding noncompliance with the regulation on cookie usage.
Scrolling isn’t an opt-in
The main takeaway is that websites that interpret the user’s regular act of scrolling as an opt-in are failing to be data privacy compliant when it comes to consent. But this isn’t just for French companies. The French data protection agency CNIL states that “In 60% of cases, organisations whose parent company is located outside France, were also affected by the tightened stance.” That makes this news especially relevant for international business strategy. While perfecting a data privacy strategy might take some time, we have compiled three simple checks to help you ensure that you’re compliant.
Three simple checks to help you ensure compliance
1. Be transparent
The CNIL states: “users must be clearly informed of the purposes of the cookies collected before consenting to them.”
⇨ Transparency is key when it comes to asking for consent. State which data processing services your website is using and for which reasons you are collecting the data. This might also be a good time to re-evaluate if the third-party cookies your website is setting are actually relevant for the customer’s experience.
2. Offer a clear opt in and opt out
The CNIL states: “It must be as easy to withdraw consent as it is to give it.”
⇨ Enabling website users to rescind consent shouldn’t be hidden in a tricky UX design. Provide users with buttons that are clear and easy to use so that they can opt in or opt out at any time, even if they have made previous consent choices on your site. In fact, studies show that users will be more inclined to provide consent if they are given the choice. A win-win for your advertising revenue.
3. Collect, manage and store consent
The CNIL states: “consent must be collected by a clear and positive act.”
⇨ A consent management platform can be your guardian angel, especially in the case of a privacy audit, so be sure to collect consent in the correct way. A CMP makes the three steps mentioned above feasible with an out-of-the-box solution. Privacy can be complicated, but achieving and remaining compliant shouldn’t be.
The data protection-compliant implementation of a Consent Management Platform is ultimately at the discretion of the respective data protection officer or legal department.
These explanations therefore do not constitute legal advice. They merely serve to support you with information about the current legal situation when implementing a Consent Management Platform solution. If you have any legal questions, you should consult a qualified attorney.