Privacy & Cybersecurity Law Blog

On June 30, 2015, the French Data Protection Authority (the “CNIL”) summarized the results of the cookie inspections it conducted at the end of 2014.

One year after the publication of its cookie law recommendation (the “Recommendation”) in December 2013, the CNIL conducted 24 on-site inspections, 27 remote inspections and 2 hearings to assess website compliance with the Recommendations. The inspections revealed that, in general, websites do not sufficiently inform web users of the use of cookies and do not obtain their consent before placing cookies on their devices. In addition, all of the websites inspected by the CNIL that have implemented cookie banners to inform users of the websites’ cookie use, placed cookies before the users consented to the use of cookies (e.g., by continuing to browse the website). The CNIL also observed that websites often invite users to adjust their browser settings to refuse cookies. According to the CNIL, however, browser settings constitute a compliant opt-out mechanism only in very limited circumstances.

The CNIL, therefore, served a formal notice on approximately 20 web publishers to comply with French cookie requirements within a prescribed period of time. The formal notices are not a sanction under French law. The CNIL will impose a sanction (i.e., a fine) only if the relevant web publishers do not comply with the formal notice within the prescribed period of time. The CNIL stated that the notices do not relate to the use of analytics cookies, which may be exempt from the consent requirement in certain circumstances under French law.