The French data protection authority, the CNIL, has undertaken a long-term campaign to ensure the effectiveness of such its cookie rules under the moto: “refusing cookies should be as easy as accepting them”.
Its investigation and enforcement program started in October 2020, first based on the old 2013 version of the cookies rules and, since April 1, 2021 on the new guidelines and recommendation on cookies revamped to meet GDPR standards, published on October 1, 2020 and effective since end of March 2021 (after a 6 month grace period).
This program was established in the context of the CNIL’s groundbreaking fines (€100 million and €35 million) on two big tech companies, for their cookie practices, in December 2020.
The CNIL’s cookies investigation program has been implemented by way of successive campaigns. Following each of these campaigns, the CNIL has issued formal notices to the organizations suspected of having breached its cookies rules. A formal notice is an injunction from the President of the CNIL addressed to a controller or a processor to cease breaches of the data protection regulation within a set period (generally one month). It is not a sanction, but if not complied with, it can be followed by a sanction procedure.
Following the first investigation campaign in May 2020, the CNIL served formal notices on some 20 organizations, “mainly large companies in the digital economy.” Following the second campaign in June 2021, the CNIL served notices on 40 other organizations that included four major digital platforms; six hardware and software manufacturers; six B2C ecommerce sites; two online tourism businesses; three car rental companies; three major players in the banking sector; two local authorities; two online public services; and an energy company. Most of the organizations notified corrected their practices shortly after.
The CNIL noted that in 60 % of the cases the organizations had a parent company outside of France.
As announced in a press release on December 14, 2021, following the most recent (third)campaign, the CNIL issued formal orders on 30 organizations that included public institutions, higher education providers and companies in the clothing, transport, retail, and distance sales industries.
The press release identifies the following wrongful practices, which publishers should be sure to address to avoid scrutiny by the CNIL:
- Cookies subject to consent are automatically set on the user’s terminal before acceptance by the user, upon arrival on the site, thus without consent;
- Information banners are still not compliant because they do not allow refusing the setting of cookies as easily as accepting them;
- Information banners seem to offer the user a means of refusing cookies as easily as accepting them, but the actual proposed mechanism is not effective, because cookies subject to consent are still set even after the refusal expressed by the user.
In that statement, the CNIL also reminds stakeholders that fines can reach of up to 2% of annual worldwide turnover. However, other than the two above-mentioned sanctions in December 2020, which dealt with large and high profile enterprises, it is difficult to assess what level of fines are likely for publishers. There is, however, at least one other case where the sanction related only to cookie practices, which is a fine of €500,000 on a newspaper in July 2021. What is, however, clear is that the CNIL is making compliance with its cookie rules an enforcement priority and publishers should evaluate their cookie practices and bring them into compliance or face the potential for material repercussions.
Contact the author for more information.