France: CNIL announces a new wave of cookie compliance inspections targeting publishers’ partners such as ad-tech, social media and analytic companies

28 September 2016

Gabriel Voisin, Rossana Fol

Since the adoption of the revised e-Privacy Directive in 2009, subscribers such as internet or mobile app users must be informed and give their prior consent before the storage or reading of cookies or similar tracking technologies (e.g. browser fingerprinting, pixel tags, SDK tracking modules) on their terminal (e.g. desktops, mobile devices) can actually take place.

Background on the requirements under French law

Article 32-II of the French Data Protection Act incorporates the above e-Privacy Directive rule into national law. Furthermore, the CNIL has issued specific guidance on cookies in its deliberation of 5th December 2013, where it provided answers to the following questions:

  • Which cookies or similar technologies require prior consent? The cookies/similar technologies which require prior consent from internet users include cookies linked to targeted advertising operations, some audience measurement cookies (unless an exemption applies) and social network cookies generated by a “share on social networks button”. Cookies or similar technologies (i) installed or read for the sole purpose of facilitating electronic communications, or (ii)  necessary for the provision of services expressly required by the internet user, are not subject to this prior consent requirement.
  • Is implied consent valid under French law? Yes - the French Data Protection Authority (the “CNIL”) recommends the following two-step approach to implied consent: 
    • whenever a user visits an environment using cookies or similar technologies (subject to consent requirements), the user should be presented with: a cookie consent overlay, providing information on the purpose of the cookies/technologies; the user’s right to object; and the fact that continued browsing of the environment will amount to implied consent; and
    • the user should be provided with further information about the use of cookies and similar technologies together with  means to allow them to object and details of how they can do this (e.g. via a privacy or cookie notice).
  • For how long is the consent valid? The consent given to the use of cookies/similar technologies needs to be renewed every 13 months.
  • Who is responsible for gathering user consent? As emphasised by the CNIL, publishers and their partners (e.g. ad-tech, social networks and audience measurement providers), are jointly responsible for complying with the requirements. Indeed, in many situations (but not always), the CNIL takes the view that such partners act as data controllers and as a result of this also have the onus for data protection and cookie compliance.
First wave of cookie enforcement actions against publishers

In order to ensure compliance with the above rules, the CNIL launched a first wave of online inspections targeting publishers in 2014. As a result of this push, the French Data Protection Authority participated in “Cookie Sweep Day” in September 2014, an international coordinated action of online audits propelled by multiple stakeholders such as the Article 29 Working Party. 

The CNIL has also been very active in conducting audits on its own initiative, especially since 2015. For instance, in June 2015 it issued formal notices against eight dating websites requiring them to remedy identified cookie related breaches within a period of three months and made these notices public. Since then, further notices and sanctions have been issued against e-commerce websites, content editors and others (e.g. Google Inc. and Microsoft Corporation, but smaller companies have also fallen under the French authority’s scrutiny).

New wave of cookie enforcement actions against publishers’ partners such as ad-tech, social media and analytic companies

On 27 July 2016, the CNIL announced a second wave of enforcement actions, targeting, in particular publishers’ partners (i.e. advertising businesses, social networks and audience measurement providers - article available in French here). As noted by the CNIL, “the complexity and the evolutions of the online advertising ecosystem” is something the French Data Protection Authority wants to keeps an eye on. The CNIL therefore intends to ensure that relevant actors within the advertising chain comply with their respective cookie-related obligations.

In this vein, the CNIL emphasises that publishers cannot bear full responsibility for data protection and cookie compliance when the means and purposes of the processing are determined by their partners. In addition, the CNIL recommends providing a regularly updated list of partners, as well as a hyperlink for each partner, redirecting to a page containing accurate information on (i) the nature of the data collected and the purposes of the processing, (ii) how data subjects can exercise their rights, in particular the right to object and (iii) a list of the data recipient companies, where applicable. 

Note that CNIL inspections are likely to take place on-site, but increasingly are also being conducted online (i.e. "distant inspection" investigations situation where partners will be audited remotely by the CNIL and informed post-inspection by way of a written communication). 

As a publisher’s partner using cookies/similar technologies (subject to consent requirements), what should I do?

Publishers’ partners should use the coming weeks to (i) assess their current cookie compliance strategy, (ii) update their publisher terms (where required) and (iii) equip publishers with actionable toolkits containing for instance FAQs, template end-user wording and means to object.

Certain publishers’ partners may also want to take the opportunity of this exercise to anticipate certain requirements provided by the General Data Protection Regulation (the “GDPR”) due to come into effect on 28 May 2018. Under the GDPR, publishers’ partners will be subject to more stringent obligations, for example further information will have to be provided to end-users regarding the source of collected data, retention periods applied, profiling activities, etc., (see our Guide to the GDPR available here for more details).

For more information on the above, please contact our French Data Protection team.