CNPD publishes new guidelines on cookies
The Luxembourg Data Protection Authority (the ‘Commission Nationale pour la Protection des Données’, or ‘CNPD’) has published updated guidelines on cookies and other trackers, including “fingerprinting", "web beacons" or "shared objects".
What is a cookie?
A cookie is a small text file in alphanumeric format that is deposited on the user's terminal (web browser, computer, mobile device, etc.) by the server of the visited website or by a third party (video platforms, social plugins, advertising agencies, etc.) in the context of services used by the website.
Cookies can be used for different purposes, i.e. to recognize a user's language choice or the products that the user had placed in his/her basket during a previous shopping session. However, cookies can also be used for more privacy intrusive purposes, such as tracking and profiling internet users to provide them with targeted advertising.
The CNPD’s guidelines
In its guidelines, the CNPD clearly distinguishes between essential and non-essential cookies:
- Essential cookies:
Although for essential cookies, the ePrivacy Directive, as transposed into Luxembourg law, does not require to obtain the user's prior consent, the CNPD recommends informing users that essential cookies are being used, for example via a cookie banner. The CNPD also emphasises that it is good practice to add a link to provide users with an explanation as to what a cookie is and the purposes of the used cookies. This message can be displayed by other means than a banner, the important thing being that it is readable by the user when he/she first connects to the site or application and that the information remains accessible.
- Non-Essential cookies:
When non-essential cookies are being used, it is important to note that the user must give his/her prior consent.
The user must be able to withdraw his/her consent at any time and as easily as he/she gave it. This implies that if consent can be given with one click, it must also be possible to withdraw it with just one click.
Finally, the CNPD recommends that the period of validity of the user’s consent should not exceed a maximum of 12 months.