
Cookie and tracker management with Drupal - an update on guidelines and modules - May 2021

Published on 14 May 2021
Review of the CNIL guidelines on the application of the GDPR regarding cookies and trackers, and the solutions available with Drupal.

Following the publication of the CNIL's guidelines regarding the application of the GDPR on cookies and trackers, it has become urgent, due to impending inspections, to ensure our Drupal sites are compliant. Inspections are expected to increase starting from the second quarter of 2021.

Changes in guidelines imposed by the GDPR

The regulation’s scope is broader: the obligation applies to “all operations aiming to access, through electronic transmissions, information already stored in the subscriber's or user's device, or to store information in that equipment,” and applies “regardless of the operating system, application software (such as browsers), or devices used.” “Device” refers to tablet, desktop or laptop computer, smartphone, connected vehicle, voice assistant, etc.

The new rules apply not only to the use of HTTP cookies, but also to other techniques:

Explicit consent

CNIL's guidelines clarify two points regarding the collection of consent:

  • Simply continuing to browse a website is no longer valid consent for placing cookies. This means the user must now clearly make a choice by clicking to accept or refuse tracking cookies.
  • Operators using trackers must be able to prove that they have collected consent.

Anonymization and consent renewal

To comply with CNIL guidelines under the GDPR, sites must now renew consents at regular intervals and anonymize certain information:

  • Site publishers must (re)ask users for their consent to manage cookies every 6 months at the most. This means user data should be cleared every 6 months. This setting can be configured with analytics solutions like Google Analytics or Matomo as well as in the Drupal database via the configuration of the TacJS module, for example.
  • User IPs must be anonymized before storage or processing. For instance, the last three digits of the IP address should be removed, making it impossible to identify the user. The Drupal IP anonymize module is designed for this purpose.
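The IP anonymization step described above, as an added example (not code from the article or from the Drupal IP anonymize module): it zeroes the last octet of IPv4 addresses in log lines before they are stored. It goes beyond the article by also handling IPv6; the /48 prefix kept for IPv6, the function names and the sample log lines are assumptions.

```python
import ipaddress
import re

# Prefix bits kept after anonymization. /24 drops the last octet of an IPv4
# address, as the article describes; /48 for IPv6 is an assumption.
KEEP_BITS = {4: 24, 6: 48}

# Candidate tokens: dotted quads, or colon-separated hex groups (IPv6).
_IP_TOKEN = re.compile(
    r"(?<![\w.:])(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:.]+)(?![\w.:])"
)


def anonymize_ip(value: str) -> str:
    """Return the address with its host part zeroed; ValueError if invalid."""
    addr = ipaddress.ip_address(value)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) carries an IPv4 address: treat it as
    # one, otherwise the /48 mask would leave the embedded address readable.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    net = ipaddress.ip_network(f"{addr}/{KEEP_BITS[addr.version]}", strict=False)
    return str(net.network_address)


def scrub_line(line: str) -> str:
    """Anonymize every valid IP address in a log line before it is stored."""
    def _replace(match):
        try:
            return anonymize_ip(match.group(0))
        except ValueError:
            # Looks like an address but is not one (e.g. a timestamp): keep it.
            return match.group(0)
    return _IP_TOKEN.sub(_replace, line)


# Constructed sample access-log lines (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.57 - - [14/May/2021:10:15:32 +0200] "GET /node/1 HTTP/1.1" 200 5120',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [14/May/2021:10:15:40 +0200] '
    '"GET /user/login HTTP/1.1" 200 2048',
    '::ffff:198.51.100.23 - - [14/May/2021:10:16:02 +0200] "POST /contact HTTP/1.1" 303 0',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_line(entry))
```
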

Cookies requiring explicit consent

CNIL’s guidelines detail cookies requiring the user's prior consent:

  • Cookies related to personalized advertising operations;
  • Social media cookies, especially those generated by their share buttons;
  • Trackers (such as hotjar, highly intrusive CRMs like Hubspot, retargeting solutions, or ad retargeting).

Trackers exempt from explicit consent

Some trackers, on the other hand, are exempt from prior information and consent. For example:

  • Trackers that memorize users’ choices regarding tracker placement;
  • Trackers for authentication to a service, for example for security reasons (such as limiting automated or unexpected access attempts);
  • Trackers for remembering the contents of a shopping cart on an e-commerce site;
  • Trackers for user interface customization (language choice or service display);
  • Trackers enabling load balancing for services;
  • Trackers allowing paid sites to limit free access to a sample of content requested by users (predefined quantity and/or for a limited period).

Documentation

Each consent does not need to be individually recorded. However, documentation must describe the methods implemented for cookie preference management and customization for users.

The “cookie” banner

Cookie banners must comply with the following points:

  • Acceptance must be carried out via a cookie settings manager (for example, tarte aux citrons);
  • Grouped consent collection is prohibited;
  • Do not use colors that could influence decision-making—they must be neutral;
  • Boxes must be easily checkable/uncheckable;
  • Navigation must be blocked until the pop-in/banner has been accepted;
  • Scroll validation is not allowed;
  • Users must be able to access cookie settings at any time (for example, in the website footer).

Drupal modules

The EU cookie compliance module -
This is probably the oldest and one of the most popular modules. Its advantage is being GDPR compatible without loading third-party JS. Its ongoing evolution allows cookie categorization and precise consent management. However, it can be difficult to integrate into your client’s site style guide.
In early May 2021, 96,626 sites used this module in versions 7 and 8.

The Orejime module -
This recent module includes an open source JavaScript library, a fork of the Klaro project which focused on interface accessibility. The module's first release was at the end of February 2020. It seems promising but is still incomplete (e.g., no pre-checked options). But this module is definitely worth keeping an eye on.
In early May 2021, 102 sites used this module in version 8 (it’s unavailable in version 7).

Cookies consent management -
This is also recent, with a stable release since August 2020, and already quite popular. Easier to customize visually, it is based on a React library and seems to align with Drupal's logic in its structure.
In early May 2021, 1,196 sites used this module in versions 8/9 (unavailable in version 7).

TacJS -
The “tarte aux citrons” module meets CNIL requirements in every respect and has proved its worth. However, it cannot be customized without opting for its paid version. Also, there is no version available for sites running version 7.
In early May 2021, 678 sites used this module in version 8.

The choice is yours... If you have a better option: contact@bluedrop.fr.
