Privacy & Information Security Law Blog

On February 4, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it sent letters and emails to approximately 300 organizations, both private and public, to remind them of the new cookie law rules and the need to audit sites and apps to comply with those rules by March 31, 2021.

Background

On October 1, 2020, the CNIL published a revised version of its guidelines on cookies and similar technologies (the “Guidelines”), its final recommendations on the practical modalities for obtaining users’ consent to store or read non-essential cookies and similar technologies on their devices (the “Recommendations”) and a set of questions and answers regarding the Recommendations. The CNIL decided to allow for a transition period of six months to comply with the Guidelines (i.e., until March 31, 2021), and announced that it will carry out inspections to enforce the Guidelines after that transition period.

Poor Cookie Practices in the Public Sector

The CNIL observed that the vast majority of websites of the public sector still do not fully comply with the cookie rules as set out in the Guidelines. The CNIL therefore sent letters and emails to 200 public organizations, reminding them of the need to remedy this situation without delay. In particular, the CNIL drew their attention to the following:

• The cookie banner must detail the purposes for which cookies are set on the users’ devices. General information such as “this site uses cookies” or “cookies are used to improve the efficiency of the services we offer to you” is not sufficient.
• Users must be able to accept or refuse cookies with the same ease. If the cookie banner includes an “Accept All” button, web operators must add a “Reject All” button on the same level and in the same format as the “Accept All” button. Alternatively, web operators may provide users with the ability to refuse cookies by closing the cookie banner, but this must be made clear to users, e.g., by including a link “Continue without accepting” in the cookie banner. The CNIL reminded organizations that the mere presence of “Accept All” and “Cookie Settings” buttons are not sufficient.

Cookies Set by Businesses without Users’ Prior Consent

The CNIL periodically analyzes the cookie practices of the most popular 1,000 sites in France. Based on the results of its analysis so far, the CNIL decided to send letters to approximately 100 operators of the most popular websites in France that set cookies, coming from more than six third-party domains, without obtaining users’ prior consent. The CNIL reminded businesses of the need to amend their cookie consent interfaces for the use of tracking technologies on their sites or apps, e.g., when adding content from external sources such as social media plug-ins.

Analytics Cookies

The CNIL further reminded public and private organizations that analytics cookies can be exempt from consent if the cookies only are used to produce anonymous statistics that are strictly necessary to the proper functioning of the service and are exclusively for the operator of the site or app in question. In the coming weeks, the CNIL will publish further information on the analytics solutions that are exempt from consent.