CNPD publishes new guidelines on cookies

The Luxembourg Data Protection Authority (the ‘Commission Nationale pour la Protection des Données’, or ‘CNPD’) has published updated guidelines on cookies and other trackers, including “fingerprinting”, “web beacons” or “shared objects”.

What is a cookie? 

A cookie is a small text file in alphanumeric format that is deposited on the user's terminal (web browser, computer, mobile device, etc.) by the server of the visited website or by a third party (video platforms, social plugins, advertising agencies, etc.) in the context of services used by the website. 

Cookies can be used for different purposes, for example to recognize a user's language choice or the products that the user had placed in his/her basket during a previous shopping session. However, cookies can also be used for more privacy-intrusive purposes, such as tracking and profiling internet users to provide them with targeted advertising.

The CNPD’s guidelines

In its guidelines, the CNPD clearly distinguishes between essential and non-essential cookies:

  • Essential cookies:

Although the ePrivacy Directive, as transposed into Luxembourg law, does not require the user's prior consent for essential cookies, the CNPD recommends informing users that essential cookies are being used, for example via a cookie banner. The CNPD also emphasises that it is good practice to add a link providing users with an explanation of what a cookie is and the purposes of the cookies used. This message can be displayed by means other than a banner, the important thing being that it is readable by the user when he/she first connects to the site or application and that the information remains accessible.

If the use of cookies involves the processing of personal data, the user must be informed thereof, for example via a “cookie policy” or a “privacy policy”.

  • Non-essential cookies:

When non-essential cookies are being used, it is important to note that the user must give his/her prior consent. 

To validly give his/her consent, the user must be correctly informed, ideally via a cookie banner including certain fundamental information listed by the CNPD as well as a link to the "cookie policy" (or a dedicated section on cookies in the data protection policy) providing more detailed information. 

As consent must be free, the user must have a real choice to accept or refuse cookies. This will not be the case when a website conditions access to its content on acceptance of cookies. Misleading interfaces in the cookie banners, so-called “dark patterns” (which use e.g. large "I accept" buttons and much smaller "I refuse" buttons), must be avoided.

Consent must be unambiguous, meaning that it must be manifested by a clear, positive act of the user. Thus, consent to the use of cookies is not validly given by a box checked by default, which the user must uncheck to express his/her refusal, nor by inviting the user to change his/her browser settings.

The user must be able to withdraw his/her consent at any time and as easily as he/she gave it. This implies that if consent can be given with one click, it must also be possible to withdraw it with just one click. 

Finally, the CNPD recommends that the period of validity of the user’s consent should not exceed 12 months.