Since the adoption of the revised e-Privacy Directive in 2009, subscribers such as internet or mobile app users must be informed and give their prior consent before the storage or reading of cookies or similar tracking technologies (e.g. browser fingerprinting, pixel tags, SDK tracking modules) on their terminal (e.g. desktops, mobile devices) can actually take place.
Article 32-II of the French Data Protection Act incorporates the above e-Privacy Directive rule into national law. Furthermore, the CNIL has issued specific guidance on cookies in its deliberation of 5th December 2013, where it provided answers to the following questions:
In order to ensure compliance with the above rules, the CNIL launched a first wave of online inspections targeting publishers in 2014. As a result of this push, the French Data Protection Authority participated in “Cookie Sweep Day” in September 2014, an international coordinated action of online audits propelled by multiple stakeholders such as the Article 29 Working Party.
The CNIL has also been very active in conducting audits on its own initiative, especially since 2015. For instance, in June 2015 it issued formal notices against eight dating websites requiring them to remedy identified cookie-related breaches within a period of three months and made these notices public. Since then, further notices and sanctions have been issued against e-commerce websites, content editors and others (e.g. Google Inc. and Microsoft Corporation, but smaller companies have also fallen under the French authority’s scrutiny).
On 27 July 2016, the CNIL announced a second wave of enforcement actions, targeting in particular publishers’ partners (i.e. advertising businesses, social networks and audience measurement providers - article available in French here). As noted by the CNIL, “the complexity and the evolutions of the online advertising ecosystem” is something the French Data Protection Authority wants to keep an eye on. The CNIL therefore intends to ensure that relevant actors within the advertising chain comply with their respective cookie-related obligations.
In this vein, the CNIL emphasises that publishers cannot bear full responsibility for data protection and cookie compliance when the means and purposes of the processing are determined by their partners. In addition, the CNIL recommends providing a regularly updated list of partners, as well as a hyperlink for each partner, redirecting to a page containing accurate information on (i) the nature of the data collected and the purposes of the processing, (ii) how data subjects can exercise their rights, in particular the right to object and (iii) a list of the data recipient companies, where applicable.
Note that CNIL inspections are likely to take place on-site, but increasingly are also being conducted online (i.e. "distant inspection" investigations, in which partners will be audited remotely by the CNIL and informed post-inspection by way of a written communication).
Publishers’ partners should use the coming weeks to (i) assess their current cookie compliance strategy, (ii) update their publisher terms (where required) and (iii) equip publishers with actionable toolkits containing for instance FAQs, template end-user wording and means to object.
Certain publishers’ partners may also want to take the opportunity of this exercise to anticipate certain requirements provided by the General Data Protection Regulation (the “GDPR”) due to come into effect on 28 May 2018. Under the GDPR, publishers’ partners will be subject to more stringent obligations; for example, further information will have to be provided to end-users regarding the source of collected data, retention periods applied, profiling activities, etc. (see our Guide to the GDPR available here for more details).
For more information on the above, please contact our French Data Protection team.