The CNIL has published its new guidelines and recommendations. The countdown has begun, and you have six months to bring your websites and applications into GDPR compliance. We’ll show the main points and provide you with a list of must-read articles from our blog. This is our market news.
Buttons “Accept all” and “Refuse all” from the first screen
The user must be able to choose what the publishers want to deposit.
What about giving a global choice:
- For all site cookies;
- For those related to a specific purpose (advertising, social networks…)?
The CNIL accepts this, but its requirements are strict.
For example, on the first screen (where the user learns the primary purposes of the cookies deposited), there must be an “Accept all” button and a “Refuse all” button.
On the other hand, according to the Commission, “consent collection interfaces that require only one click to accept, while several actions are necessary to ‘configure’ a refusal to consent, present, in most cases, the risk of biasing the user’s choice, who wants to be able to view the site or use the application quickly.”
So such an interface is not prohibited, but it is strongly discouraged.
This is good news because these recommendations align with the philosophy of the Axeptio cookie module. And if displaying a refusal button at this stage scares you, check out our opt-in rate statistics. They are perfect.
The cookie wall, yes, but on a case-by-case basis
Do you need more clarification about the form your consent interface should take? Banner, notification bubble, cookie wall?
Following the ruling by the Conseil d’État, the CNIL was unable to ban this practice altogether. The conformity analysis will, therefore, be done on a case-by-case basis.
If you are interested in this format, check out our tips for making a privacy-friendly cookie wall.
Clear information about the actors depositing cookies via the visited site
Now you must inform your visitors of all cookies deposited through your site:
- yours;
- those deposited by module providers playing a purely subcontracting role, for example an audience measurement provider.
However, some companies deposit cookies and collect data for their own needs, which are added to yours:
- a social network provider;
- an advertising agency operating multi-site targeting.
These companies are more complex subcontractors. They are data controllers, sometimes jointly responsible with you. Your site should at least include a link listing these companies.
Axeptio goes further on this point, since a cookie is accepted or refused by purpose and based on its issuer’s identity.
Harsh on multi-purpose cookies
Like many players, you may use online browsing data to measure, segment and target your audience.
Technically, the temptation is great to use the same cookie for several different purposes. The CNIL recommends that you stop doing this and assign only one purpose to each cookie.
- This ensures that each purpose is subject to prior consent.
- Refusal of consent for one purpose does not affect other purposes. Your visitor can ideally refuse the personalization of ads displayed on the site but agree to be counted as a visitor.
No dark patterns, no consent fatigue
- No ambiguous phrasing, no complicated wording. The statement accompanying the checkbox or switch must be clear. An unchecked box or a turned-off button means you do not accept the cookie or anything else.
- The “Accept” and “Reject” buttons must be on equal footing. Your acceptance button cannot be more significant, brighter, or of a more brilliant color than the other. Do not influence your audience’s choices.
- If your visitor has refused all cookies, wait to display your cookie module until they change their mind! You will store your visitors’ acceptance and rejection traces for at least six months. Only after this time can you ask your user to update their choices.
- Your cookie management interface must be available at all times… through a visible means. Do not hide the module reactivation link in the depths of your privacy policy. Your user should be able to return to their consent anytime and efficiently.
On this topic, check out our UX design approach to cookie management.
What should you do? Don’t panic
You have six months to bring your websites and mobile applications into compliance with the CNIL’s new requirements.
- The CNIL can now audit you. Failure to obtain consent, invalid opposition methods, or an incomplete cookie information section may be grounds for reproach.
- From March 2021, audits will also cover consent collection methods.
The gradual end of third-party cookies is also a topic that should lead you to rethink your cookie management.
And if you need help, Axeptio is here with its module and marketing approach to cookie management.