France Update: Cookies according to the CNIL

Since the entry into force of the General Data Protection Regulation in 2018, the CNIL seemed rather lenient in pronouncing sanctions against companies that do not respect the law on the protection of personal data. But in recent months, this approach seems clearly abandoned: there has been a clear increase in fines, as illustrated by those imposed on GAFA for non-compliance with the provisions relating to user trackers generally called “cookies”.

Thus Microsoft was ordered to pay 60 million euros because of “the lack of implementation of a mechanism that allows cookies to be refused as easily as to accept them”. Apple was fined 8 million euros because the consent of French iPhone users had not been collected before transcribing their identifiers used for advertising purposes on the group’s terminals. Tiktok was fined €5 million because “users of the site could not refuse cookies as easily as accepting them and they were not informed in a sufficiently precise way of the purposes of the different cookies”. Finally, Voodoo was recently fined €3 million for “tracing” users without their prior consent. Indeed, the publisher of mobile video games used the technical identifier of iPhone users to track their activity and send them personalized advertisements, whereas they had clearly indicated that they did not wish to be followed by the use of these trackers.

The CNIL now ensures that the user is able to understand the use made of tracers and that it is, in all cases, subject to prior consent. According to the recommendations of the CNIL, information and consent relating to the use of cookies must be collected as follows:

• Before being able to freely consent, the user must be informed by a brief title, of the purposes and consequences related to an acceptance or refusal of cookies. He must also be informed of the identity of the actors using these tracers;
• The user must be able to consent to cookies by a clear positive act: for example clicking on “I accept” » ;
• Each purpose must be indicated by a short title with a brief description;
• The user must be able to make a choice by purpose, for example if all the purposes are explained beforehand, it is possible to provide a choice between “accept all” or “refuse all”;
• The exhaustive and up-to-date list of data controllers must be made available to the user at the time of obtaining consent: (e.g. hyperlink, drop-down banner accessible from the consent interface);
• The user must be able to withdraw consent easily and at any time;
• The user must be able to refuse cookies as easily as to accept them;
• Organisations operating tracers must be able to provide, at any time, evidence of the valid collection of the free, informed, specific and unambiguous consent of the user.

The CNIL has also given details concerning the shelf life of these tracers. This is in principle 6 months for cookies subject to consent, except for statistical cookies exempt from consent for which a maximum retention period of 13 months is possible. Regarding the retention of personal data collected via these cookies, the recommended maximum duration is 24 months for data collected via statistical cookies but no details are given for other cookies. The retention period will be determined according to the purposes of the latter.

In addition, the CNIL recommends to:

• Provide that the consent collection interface includes not only an “accept all” button but also a “refuse all” button;
• Provide that not only consents but also refusals are kept so as not to question users again during their subsequent visits;
• Collect consent on each of the sites concerned, when cookies allow tracking on sites other than the site visited, so that the user is aware of the scope of his consent.

While many sites have already carried out compliance work concerning the processing of personal data and the management of cookies, recalcitrant sites must quickly comply with the requirements in this area under penalty of consequent sanctions.

By Ginestié Magellan Paley-Vincent, France, a Transatlantic Law International Affiliated Firm.  

For further information or for any assistance please contact france@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.