Cross-device consent: What the French DPA (CNIL) recommends

The French Data Protection Authority (CNIL) has recently published updates to its recommendations on the practical steps for achieving compliance when using “cookies and other trackers.”

‍

These new recommendations focus mainly on managing user consent across multiple devices (cross-device).

‍

In this article, we define the key terms and explain what cross-device consent is, before outlining the main points of the CNIL’s recommendations and how to implement them in practice to remain compliant.

‍

What is cross-device (multi-device) consent?

In the introduction to its new recommendations, the CNIL provides context for the reasons behind this update: a major shift in consumer and internet user habits, with people now using the same services across multiple devices:

‍

Users interact with websites or mobile apps through a range of devices: computer, phone, tablet, or television, sometimes while logged into a user account. With the growing number of connected devices, requests for consent to the use of cookies and trackers have become more frequent.

In this context, some digital players are looking to collect a single consent choice that applies across all of a given user’s devices.

- CNIL (Source: Cookies and other trackers: the CNIL publishes its final recommendations on cross-device consent, CNIL)

‍

We see this increase in the number of devices in our consent collection benchmark, where we provide figures on consent rates across different devices. The benchmark also highlights the real diversity of devices used to interact with our banners.

‍

As a result, the issue of consent fatigue (a phenomenon caused by repeated exposure to consent banners) arises. How can we avoid asking users for consent for the same service every time they use a new device?

‍

This is where cross-device comes in: With this feature, organizations can synchronize a given user’s consent across multiple devices (or endpoints) so they don’t have to ask for it again. This is a capability we have offered at Didomi for several years.

‍

In light of changing online browsing habits and the technological solutions developed to adapt to them, the CNIL therefore considered it necessary to issue new recommendations to ensure that these practices remain compliant.

‍

What are the requirements for a compliant implementation of cross-device consent, according to the CNIL?

As a starting point defining the nature of cross-device consent, the CNIL sets out two conditions:

‍

1. Cross-device consent applies only in a logged (authenticated) environment.
2. It allows a user’s choices to be applied automatically across all devices connected to the same account.

‍

To implement compliant cross-device consent collection, organizations should keep the following requirements in mind:

‍

• The purposes and data controllers must be the same across all devices.
• Accepting and refusing must be equally easy.
• The user must be clearly informed that their choices will apply across all their devices.

‍

In addition, the CNIL highlights a number of specific points to pay attention to during implementation:

‍

• Particular care must be taken to manage conflicts between the browser choice and the account choice, through two possible scenarios.
• Choices made in the logged-in environment do not affect the non-logged-in environment.
• It is recommended to share substitute technical identifiers with service providers rather than personal identifiers.
• For cross-device functionality, it is considered good practice to allow distinct choices per device.
• A new consent will be required when moving from a single-device system to a multi-device system.

‍

Our Data Protection Officer, Sébastien Gantou, shares his interpretation of the importance of these new CNIL recommendations:

‍

The CNIL, as part of its effort to combat consent fatigue, has looked into cross-device because this mechanism makes it possible to share consent across multiple devices, so users do not have to provide it again on each device.

In the same spirit, it is also looking into cross-domain consent, which pursues a similar objective: enabling smoother consent management by allowing it to be shared across multiple related websites.

‍- Sebastien Gantou, Data Protection Officer at Didomi

‍

Cross-device consent management with Didomi: How does it work?

Our cross-device feature is compliant with the CNIL’s recommendations and can help you implement an effective multi-device strategy so you don’t have to display your banner on every new device your users use (and cause fatigue that could lead to a drop in your consent rate)

For a concrete example, take a look at our case study with Orange, France’s leading telecommunications operator, which trusts us to collect user consent across all of its digital channels.

‍

Jean-Baptiste Viet, Web Analytics Project Manager, and Nicolas Watrigant, Data/AI Ethics and ePrivacy France, discuss the rollout of our solution and the results observed (a +10% consent rate):

‍

‍

If you are a Didomi customer, contact your account manager and visit our support article and technical documentation to learn how to enable and implement the cross-device feature in your Console.

‍

If you are not yet a Didomi customer, or if you would like to learn more about how we could help with your cross-device consent collection projects, book a demo with one of our experts or learn more about cross-device consent management:

‍
{{cross-device-domain}}