Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

French CNIL Enforces Cookie Consent

CNIL LogoOn June 30, 2015, the French data protection authority, the CNIL, announced that it gave notice to 20 websites to comply with the consent requirements applicable to cookies.

After patiently waiting for almost a year to give websites the opportunity to comply with the cookie notice and consent rules explained in its official guidance from December 2013, the CNIL launched a series of audits (27 online audits, 24 on-site audits and 2 hearings) in October 2014.

The main finding of these audits was that for the most part, companies do not comply with the law in this area, the two main pitfalls being (i) the lack of comprehensive information and (ii) the fact that cookies are deployed on the user’s equipment before his/her consent has been collected.

In its press release, the CNIL pointed out that even where websites provide a cookie banner, they all automatically deploy cookies on users’ equipment anyhow, without waiting for the user consent.

The CNIL requires that websites:

  • Provide information to users about the intended use of cookies.This information must be sufficiently comprehensive. For example, if a cookie is used to create user profiles in order to carry out targeted advertising, the information should include this and not just indicate “advertising”.
  • Obtain the consent of the user before placing a cookie on their device.In its press release, the CNIL reminds website publishers of what amounts to valid consent in accordance with the French Data Protection Act and the CNIL’s interpretation. The user must be allowed to freely give his/her specific and informed consent by active conduct (e.g. by navigating from the first page to another page of the website or by clicking on a video or any button) after having had access to the relevant information.
  • Permit the user to object at any time to the use of an installed cookie and provide him/her with information on how to object.

The CNIL also regretted that the websites often rely on an invitation to users to set their browser to block cookies. Indeed, the CNIL considers that browser settings cannot be deemed as proper consent because they only apply to HTTP cookies and do not permit users to activate/deactivate other technologies such as pixels, flash cookies or fingerprinting.

At this stage, the CNIL has only sent a formal notice to 20 websites demanding that they comply with the law within a specified period. No further action will be taken if the site achieves compliance within the deadline provided by the CNIL.

Finally, the CNIL reminded us in its press release that there are many other stakeholders being targeted, such as on-line advertising agencies, and that investigations concerning their practices are currently underway.