The Ordinance n°2011-1012 of August 24, 2011, issued by the French Government, states that cookies (except the ones used only to enable or facilitate the carrying out of the transmission of an electronic communication or which are strictly necessary to provide an online communication service explicitly requested by the internet user), can be used only if the subscriber or user of an electronic communication service:

• has been provided with information concerning the purpose of the cookie or of any similar technology and of the means at his disposal to object to such use ;
• has “expressed” his consent, after having received the aforementioned information ;
•  this consent can result from the “appropriate” settings of his browser or of any other system under his control.

Neither the Ordinance nor the French Data Protection Act  provide a definition of consent. Hence the ongoing debates about whether consent must be express or whether it can be implied consent resulting from inaction (i.e. let the browser settings as they are) and also whether the browser settings accepting  or refusing ALL cookies at a time are sufficient to express a valid consent.

The article 29 Working Party has made its position clear in its opinion WP 187 of July 13, 2011 by  referring to the definition of consent of the Directive 95/46/EC as a freely given, specific, informed indication of the wish of the data subject to agree to the use of her personal data. It pointed out that the notion of « indication » :

• should be interpreted as a kind of signal sufficiently clear to indicate the wish of a data subject and to be understandable by the data controller ;
• indicates that an action is needed to express consent and that the absence of behaviour or a passive behaviour cannot be an « indication » among others for browser settings.

The G29 also considered that to be specific, consent must refer clearly and precisely to the scope and to the consequences of the data processing for which it is given. Moreover, it stressed that consent should be « unambiguous » to legitimize a data processing. The text of the French Ordinance provides us with a few indications. It is stated that the user must have “expressed” his/her consent.  An “expression” being an indication resulting from a behaviour, it could mean that consent should result from a positive action.  The text also provides that the consent may result from browser settings. However these settings  must be  « appropriate ». This precision  may signify that consent should not be general but specific (i.e. by taking into account the purpose of cookies).On this last point, the CNIL has expressed its views in a press release of September 19, 2011. It is of the opinion that the consent of an internet user must be specific, in compliance with the Directive 95/46/EC and that the use of browser settings accepting all cookies whatever their purpose cannot be considered as a valid consent.Implementing regulations are expected before the end of the year to hopefully clarify the debate.

 

Pascale Gelly & Caroline Doulcet
Published in the Privacy Advisor the IAPP newsletter Oct 2011 Volume 11 n°8