French data protection authority CNIL looking for cookies – data protection

United States: French data protection authority CNIL looking for cookies

To print this article, all you need to do is register or log in to

The French Data Protection Agency (CNIL) reaffirmed its determination to continue its enforcement strategy by issuing around 30 new requests to comply with its new cookie policy on December 14, 2021. Previously, around 60 organizations were sent non-compliance notices allowing website visitors to refuse cookies as easily as accepting them. The CNIL claims that “rejecting cookies should be as easy as accepting them”.

Why is the CNIL so active in compliance with cookies?

In October 2020, the CNIL adopted guidelines and a recommendation on cookies. All stakeholders were asked to comply with these new rules by the end of March 2021. The CNIL then announced that compliance with such guidelines would be one of its enforcement priorities for 2021. And the CNIL kept its promise.

Two months after the deadline in March 2021, the CNIL initiated a first wave of investigations, which led to around 20 formal notifications. This was followed by a second wave with 40 further reminders in July 2021.

With the CNIL’s announcement that it has launched a new series of investigations with 30 formal notifications to non-compliant organizations, a formal notice of compliance with the CNIL’s cookie policy has been sent to up to 90 organizations.

Which organizations have received notices of compliance?

The CNIL focuses on various industrial sectors, including private companies and public authorities. Organizations that have received an order to comply include:

  • Platforms of the digital economy
  • Manufacturer of IT hardware and software
  • Online consumer goods company
  • Actors in online tourism
  • Car rental companies
  • Actors in the banking sector
  • Local authorities and public services
  • Participants in the energy industry

These enforcement measures show the CNIL’s firm commitment to achieving compliance with the cookie rules. This strategy is very likely to be carried out again in 2022, as the CNIL has announced that its investigation is “long-term”. As such, more organizations should expect a formal notification in the coming weeks or months.

What is the risk?

In order to avoid fines of up to 2% of their worldwide annual turnover, the organizations concerned must comply with a reminder within one month.

Does the CNIL punish organizations for not complying with the cookie rules? Yes. Sanctions between € 50,000 and up to € 60 million have been reported. Often times, the CNIL began addressing other compliance issues of the General Data Protection Regulation (GDPR) after being notified of non-compliance with cookies.

How can organizations avoid being on the CNIL’s radar?

We have listed some tips below based on the recommendations of the French Data Protection Agency.

  • For example, suppose simply browsing a website does not constitute valid user consent: the user’s consent must result from a clearly positive act, such as clicking the “Accept All” button. (The CNIL also recommends adding a “Reject all” button.)
  • Record the choice the user made: Whether the user clicks Accept All or Reject All, you must provide evidence of the user’s choice.
  • Remember that some cookies (“Strictly Necessary Cookies”) do not require consent: Examples of these are cookies that are used to authenticate with a service, to track the contents of a shopping cart on a merchant site, or to allow payment sites to restrict more freely Access to a selection of content requested by users, as well as certain cookies that are used to compile traffic statistics.
  • Let the user know about your website’s use of cookies: in particular, you should provide clear information about the purposes of your trackers, the consequences of accepting or rejecting the trackers, and the identity of all parties using tracking devices that require consent.

If you want to know more about France’s cookie rules, you can download the CNIL’s guidelines and recommendations (only available in French) or contact us.

The content of this article is intended to provide general guidance on the subject. Expert advice should be sought regarding your specific circumstances.

POPULAR ARTICLES ON: Privacy Policy from the United States

Comments are closed.