France: CNIL cookie compliance inspections as from October 2014

23 July 2014

Gabriel Voisin, Thomas Simpson

On 11 July 2014, the French Data Protection Authority ("CNIL") announced future enforcement actions in relation to cookies (article available in French here). The CNIL's announcement is interesting as it actually suggests two series of inspections:

  • A European wave as part of the "Cookie sweep day": The CNIL aims to continue the work undertaken in 2013 in relation to international cooperation between data protection authorities, particularly through the second stage of Sweep Day, an operation which required around 20 data protection authorities to analyse the information notices of around 2,000 websites in 2013. This year, one of the areas under scrutiny will be cookies. However, such an operation (due to take place from 15 to 19 September 2014) looks more like an assessment of the situation than an investigation triggering enforcement actions.

  • A national wave from October 2014: On this occasion, the French Data Protection Authority will assess compliance with the law. In doing so, the CNIL will analyse in particular:
    • The types of cookies or similar technologies used by a website (e.g. HTTP cookie, local shared object, browser fingerprinting).
    • The purpose of the cookies:
      • Does the website editor know the purposes of all the cookies placed or read from his website, whether they are first or third party cookies?
      • Are there cookies with no end purpose (e.g. cookies no longer used)?
    • Where the purpose of certain cookies requires the consent of the internet user, the CNIL will inspect:
      • The methods of collecting consent:
        • Are cookies requiring consent read or placed before the internet user can express his consent?
        • How does the internet user express his consent (e.g. click, implied consent)?
        • Is the method of collecting the consent user-friendly?
      • The visibility, quality and simplicity of the information relative to cookies.
      • The consequences of refusing a cookie requiring consent.
      • The possibility of withdrawing consent at any time.
      • The duration of the cookies (i.e. 13 months max).

In its annual programme for 2014, the CNIL has set an overall objective to carry out around 550 inspections (+33%). Of these inspections, around 350 are to be carried out on-site and around 200 will be online inspections (this new power of conducting remote investigations has been introduced following changes made to the French Data Protection Act in March 2014). In light of the dematerialised nature of cookies and this topic, there is no doubt that most of the inspections will be carried out online.

Since December 2013, the CNIL has allowed reliance on implied consent. This approach is similar to that of other EU countries such as the UK, Spain or Italy. Organisations therefore have business-friendly solutions to comply with the new requirements. However, in the case of non-compliance, as the CNIL has pointed out, organisations risk being issued an injunction or even a sanction from the authority. Non-compliant websites, including prominent public official websites, should therefore use the coming weeks to implement adequate cookie compliance solutions and provide the necessary information in their online documentation (e.g. privacy notice).