French data protection authority CNIL looking for cookies – data protection
Why is the CNIL so active on cookie compliance?
In October 2020, the CNIL adopted guidelines and a recommendation on cookies. All stakeholders were asked to comply with these new rules by the end of March 2021. The CNIL then announced that compliance with such guidelines would be one of its enforcement priorities for 2021. And the CNIL kept its promise.
Two months after the deadline in March 2021, the CNIL initiated a first wave of investigations, which led to around 20 formal notifications. This was followed by a second wave with 40 further reminders in July 2021.
Which organizations have received notices of compliance?
The CNIL focuses on various industrial sectors, including private companies and public authorities. Organizations that have received an order to comply include:
- Platforms of the digital economy
- Manufacturers of IT hardware and software
- Online consumer goods companies
- Actors in online tourism
- Car rental companies
- Actors in the banking sector
- Local authorities and public services
- Participants in the energy industry
These enforcement measures show the CNIL’s firm commitment to achieving compliance with the cookie rules. This strategy is very likely to be carried out again in 2022, as the CNIL has announced that its investigation is “long-term”. As such, more organizations should expect a formal notification in the coming weeks or months.
What is the risk?
In order to avoid fines of up to 2% of their worldwide annual turnover, the organizations concerned must comply with a reminder within one month.
Does the CNIL punish organizations for not complying with the cookie rules? Yes. Sanctions between €50,000 and up to €60 million have been reported. Oftentimes, the CNIL began addressing other compliance issues of the General Data Protection Regulation (GDPR) after being notified of non-compliance with cookies.
How can organizations avoid being on the CNIL’s radar?
We have listed some tips below based on the recommendations of the French Data Protection Agency.
- Do not assume that simply browsing a website constitutes valid user consent: the user’s consent must result from a clearly positive act, such as clicking the “Accept All” button. (The CNIL also recommends adding a “Reject All” button.)
- Record the choice the user made: whether the user clicks “Accept All” or “Reject All”, you must provide evidence of the user’s choice.
- Remember that some cookies (“Strictly Necessary Cookies”) do not require consent: examples of these are cookies that are used to authenticate with a service, to track the contents of a shopping cart on a merchant site, or to allow paid sites to restrict free access to a selection of content requested by users, as well as certain cookies that are used to compile traffic statistics.
If you want to know more about France’s cookie rules, you can download the CNIL’s guidelines and recommendations (only available in French) or contact us.
The content of this article is intended to provide general guidance on the subject. Expert advice should be sought regarding your specific circumstances.