Earlier this week, we tried to set the CNIL Vectaury notice in context. In summary, consent is going to be tough, but we need it and the CNIL is, at least in theory, not opposed to it. Now let’s dive deeper into what the CNIL expects of consent in a digital media context.
CNIL uses the GDPR definition of consent, as expected, and focuses on two areas of the definition in particular. Consent must be ‘informed’ and ‘specific.’
For consent to be ‘informed,’ the data subject must have all the necessary information to provide consent before making a consent decision. Consent collected before the consumer is provided with clear information about who is asking, and for which purposes, is invalid. ‘Specific’ consent cannot be ‘generalized,’ and must lay out full conditions and provide granular options, if applicable.
Tactical requirements from the CNIL:
- The consent interface needs to explain the consequences of declining to provide consent. The CNIL interprets the lack of an explanation to be an implied threat that the service will be withheld. Do I have the option of proceeding without providing consent? Will I suffer some kind of penalty? Right now, most consent UIs omit this information, focusing exclusively on the nature of the processing that will take place and the business model the processing supports. Many third parties think of the consequences of declining consent as reduced relevance for advertising, but the impact the CNIL is more concerned with is the underlying value exchange on the site the consumer is browsing. Will content be withheld? Will they have to pay?
- Purposes must be specifically explained. There is a clear tension between having a detailed explanation of each purpose for each company, which would be exhausting and very unfriendly to the user, and high level summaries that render disclosures meaningless. The CNIL can be seen here pushing the needle further in the direction of specificity. Both the IAB EU and Google will need to extend their current models to address this guidance. Will granular cross-industry purposes suffice? Or does each company needs to somehow disclose purposes in their own unique manner? The latter direction would be extremely challenging for the current digital media market.
- Controllers must be immediately accessible. Modern websites often include references to dozens, or in the case of ad-supported sites, many dozens of 3rd parties to support their user experiences and business models. Disclosing these various companies in a single consent UI can be challenging. To date, most companies have either refrained from disclosing all of their partners, or have disclosed them through a kind of preference management tool available at some point during the experience. The CNIL are insisting that every partner is accessible before the consent indication is collected, or that consent is invalid. A list of every company by name on the initial landing page of the consent UI would fit nicely within this guidance. But any list that includes more than 3–5 companies would be overwhelming and would require scrolling and companies would likely not be able to ensure visibility. Layered notices where companies are listed in a secondary UI might still be possible, but these will be subjected to additional scrutiny. Be very careful about listing companies more than a single click away from the consent collection page, and be sure to avoid presenting this page as a ‘preference management’ or ‘choices’ or ‘customize’ tool. You need to be able to argue that the list is plainly labeled, immediately accessible, and directly relates to the choice you are asking the consumer to make.
- Controllers should be organized by purpose. Consumers don’t know 95% of marketing tech companies from a hole in the wall, so following the CNIL guidance in good faith requires mapping the individual companies listed in your consent interface to the purposes that you have laid out. Ideally, a consumer will be able to make decisions by purpose or by controller.
- Consent cannot be the default. Companies cannot drop cookies before consent is obtained, as many of the cookie banners from 2012 did. Consent as an option must be presented fairly as a choice with other reasonable options. Be very careful about ‘marketing’ your consent option over the ‘decline’ option and make sure that the decline option is labeled as such. Avoid providing two options, where one is ‘yes’ and the other is ‘choices’ or ‘preferences.’ The CNIL wants an easy ‘no’ to be presented with any ‘yes.’
- Avoid pre-checked boxes. The CNIL clearly doesn’t like them, even in secondary layers on a consent UI. In some UIs, check-boxes, even if pre-checked, seem to extend choice and granularity for the user. Unfortunately, they have become toxic in the regulatory community and they are best avoided altogether. For consent interfaces with a second layer presenting individual companies, this means avoiding pre-checked boxes with the company list. You can use a ‘select all’ tool, but avoid a presentation that implies that the full list has already been selected by the user.
- Implied consent under scrutiny. Implied consent interfaces are ones that you don’t have to interact with directly in order to signify consent. Many of these UIs begin with banners that say, ‘by continuing to browse this site, you indicate your consent.’ While the CNIL notice does address implied consent directly, the elevated requirements for what must be included in the initial interface, along with consent not being the default, mean that implied consent interfaces are becoming harder and harder to justify. Further, if your consent ‘rate’ is over 95%, expect questions about whether or not consumers are making truly informed decisions or if you are helping them to ignore the decision at hand and surrender to ‘defaults.’
Taken together, the CNIL notice suggests new requirements that will force changes in the marketplace. If additional DPAs begin to echo these criteria and as actual enforcement decisions begin to come down in 2019, these requirements will begin to have the direct effect of law.
We don’t see any of this being fundamentally unmanageable for companies, but we do see the CNIL’s notice as challenging the current state of the market and forcing companies to iterate and innovate around consent.
If you found this piece valuable, please give us a few hearty claps and follow us for ongoing updates. We also welcome discussion — please leave your comments and feedback in a response below!
The Lucid Privacy Group actively manages privacy strategy and operations and serves as DPO for startups and rapidly scaling technology companies. We come at the issues with a pro-privacy, product and technology orientation, and can translate arcane legalese into real world, pragmatic terms. Drop us a line at firstname.lastname@example.org or visit us on the web or Twitter.