The French Commission nationale de l’informatique et des libertés (CNIL) recently published some advice on how to implement the new requirement that web site users consent to the placement of cookies on their devices by sites they visit. According to the Directive, neither a warning in the site’s Terms of Service (ToS) nor acceptance through browser settings is adequate compliance. So what does the CNIL recommend?
- a banner at the top of a webpage (such as implemented on the website of the UK data protection commissioner: www.ico.gov.uk as well as the CNIL: www.cnil.fr);
- a consent request zone constructed as an HTML overlay on the page;
- a set of tick boxes presented during subscription to an online service.
In this lawyer’s opinion, the steps above will likely be too onerous for entities without a very clear EU emphasis to implement and will grossly affect the usability of many sites. Moreover, are applications that use web APIs and never go through a browser somehow exempt from the requirements? Personally, I’m chagrined by Internet technology-specific legislation that is so poorly thought through that it is outdated by the time its implementation begins. What’s a poor “data administrator” to do?