• Français

Cookies & tracers: what does the law say?

In application of the European directive called « telecom package », Internet users must be informed and give their consent prior to the insertion of tracers. They must have an option to choose not to be traced when they visit a site or use an application. Publishers therefore have the obligation to seek prior consent from users. This consent is valid for a maximum of 13 months. Some tracers are, however, exempt from the collection of this consent.

What does the term « cookies » or « tracers » mean?

it means all tracers entered and read for example when consulting a website, reading an email, installing or using a software or a mobile application, regardless of the type of terminal used such as a computer, a smartphone, a digital reader and a video game console connected to the Internet. If they fill some conditions, some tracers derogate from this obligation.

As such, the term « cookie » covers for example:

  • HTTP cookies
  • « flash » cookies,
  • the result of the fingerprinting calculation in the case of « fingerprinting » (calculation of a unique identifier of the machine based on elements of its configuration for tracing purposes),
  • the invisible pixels or « web bugs »,
  • any other identifier generated by a software or operating system, for example. These obligations apply whether cookies collect personal data or not.

What does the law say?

By amending Article 5 (3) of Directive 2002/58 /EC by adopting Directive 2009/136 /EC, the European legislator laid down the principle:

  • prior consent of the user prior to storing information on a user’s equipment or accessing information already stored.
  • except, if these actions are strictly necessary for the issuance of a service of the information society expressly requested by the subscriber or the user.

Article 32-II of the Act of 6 January 1978, as amended by Ordinance No. 2011-1012 of 24 August 2011 which transposed Directive 2009/136 /EC, incorporates this principle.

In application of the law and freedoms, tracers (cookies or others) requiring a consent can not be deposited or read on his terminal, as long as the person has not given his consent.

Which cookies require the prior consent of users?

Among the cookies requiring prior information and a request for consent, we may mention:

  • Cookies related to targeted advertising operations;
  • Some audience measurement cookies (see the exemptions below);
  • Social network cookies generated in particular by their share buttons when they collect personal data without the consent of the persons concerned.This list is not comprehensive.

The lifetimes of cookies

people may forget the consent to be followed they gave, the CNIL (French National Agency regulating Data Protection) considers that it is necessary to limit the scope of the latter in time.

  • It recommends that the period of validity of the consent to the deposit of Cookies be increased to a maximum of 13 months. At the end of this period, the consent will have to be collected again.
  • As a result, cookies must have a limited lifespan of thirteen months after their first deposit in the terminal equipment of the user (following the expression of consent)
  • Their lifespan should not be extended during new visits to the site.