I often describe Data Protection Authorities (aka “Supervisory Authorities”, “Regulators”) as the referees of the Data Protection rulebook. They don’t make the rules but they do enforce them. Add they also have to live by them for the data services they manage themselves. So that’s why I like to look at what these regulators are doing on their own website and hopefully try and learn something.

France (CNIL)

The French regulator (CNIL) has been particuarly active in recent times with a number of enforcement actions, most notably on Google. So you’d think their own cookie consent would be on point.

It’s not.

Here’s an extract of their Cookie Policy as of 3rd January 2019 saved by the Internet Archive

Ces fonctionnalités utilisent des cookies tiers directement déposés par ces services. Lors de votre première visite sur cnil.fr, un bandeau vous informe de la présence de ces cookies et vous invite à indiquer votre choix. Ils ne sont déposés que si vous les acceptez ou que vous poursuivez votre navigation sur le site en visitant une seconde page de cnil.fr. Vous pouvez à tout moment vous informer et paramétrer vos cookies pour les accepter ou les refuser en vous rendant sur la page [Gestion des cookies] présente en haut de chaque page du site. Vous pourrez indiquer votre préférence soit globalement pour le site, soit service par service.

https://web.archive.org/web/20190103132738/https://www.cnil.fr/fr/donnees-personnelles 23rd January 2019 at 3pm

According to Google Translate, in English this is:

These features use third-party cookies directly deposited by these services. During your first visit on cnil.fr, a banner informs you of the presence of these cookies and invites you to indicate your choice. They are only deposited if you accept them or continue your navigation on the site by visiting a second page of cnil.fr. You can always inform yourself and set your cookies to accept or reject them by visiting the [Cookie Management] page at the top of each page of the site. You can indicate your preference either globally for the site or service by service.

Google Translated version

I added the Bold for emphasis. CNIL is stating that if you ignore the cookie banner and visit another page on the website, they will assume this is you giving consent. This is often named “implied consent”, since an action was made but not an overt one (and certainly not explicit). As you’ll see below, the GDPR doesn’t recognise implied consent and specifically discusses this scenario. It is therefore my view that the cookie policy of the CNIL is not compliant with the GDPR. Do as I say but not as I do…

GDPR and Implied Cookie Consent

Implied consent used to be generally accepted across the EU for cookie banners, but when GDPR came along the requirement for consent to have an “affirmative action” demanded a higher standard. This is reflected in guidance from the EPDB (formerly known as the WP29) in their consent guidance on cookies where they state:

Scrolling down or swiping through a website will not satisfy the requirement of a clear and affirmative action. This is because the alert that continuing to scroll will constitute consent may be difficult to distinguish and/or may be missed when a data subject is quickly scrolling through large amounts of text and such an action is not sufficiently unambiguous.

https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51030 Example 16, Page 17

It is pretty clear from this guidance that just continuing to browse through a site does not meet the requirements for consent. Thus these cookies should only be loaded when a user affirmatively agrees, such as with a clicking of an “Accept” button.