Privacy & Information Security Law Blog

On June 28, 2019, the French data protection authority (the “CNIL”) published its action plan for 2019-2020 to specify the rules applicable to online targeted advertising and to support businesses in their compliance efforts.

Background

The CNIL decided to make online targeted advertising a priority for 2019 for the following reasons:

• The CNIL has received many complaints from individuals and not-for-profit bodies, organizations and associations (such as La Quadrature du Net, Privacy International, European Center for Digital Rights (“NOYB”)) relating to online marketing practices. In 2018, 21% of complaints were related to these issues.
• At the same time, the CNIL received many questions from industry professionals seeking to better understand their obligations arising from the EU General Data Protection Regulation (“GDPR”). These questions were related to two main issues:
  • Sharing of personal data with partners for direct marketing: The CNIL recalled that it had specified the applicable rules on many occasions, including during meetings with industry representatives and on its website in December 2018. The CNIL explained that it has allowed for a six-month transition period to comply with these rules. This transition period has now expired.
  • Use of cookies and similar technologies: The CNIL recognized that its 2013 cookie guidance is no longer valid in light of the strengthened consent requirements under the GDPR, as specified by the European Data Protection Board’s Guidelines on consent.

Against that background, the CNIL decided to adopt an action plan to update its existing guidance in light of the GDPR consent requirements, and not to wait any longer for the adoption of the ePrivacy Regulation, which is intended to harmonize the EU rules on direct marketing and the use of cookies.

Action Plan

The CNIL’s action plan for 2019-2020 consists of two main steps:

Step 1: Publication of New Cookie Guidelines in July 2019

The CNIL announced that, in July 2019, it will repeal its 2013 recommendations on cookies and will publish new guidelines based on elements that have been interpreted in a uniform manner at the EU level. The CNIL will allow for a transition period of 12 months to comply with the new cookie guidelines. During that transition period, the CNIL will continue to accept that continued browsing of a website may signify consent to the use of cookies on the website. During the transition period, the CNIL will nonetheless require that cookies not be set until consent has been obtained.

Step 2: Consultation with All Relevant Stakeholders to Develop Recommendations by December 2019-Early 2020

The CNIL also announced that working groups comprised of CNIL officials and stakeholders in the adtech ecosystem (i.e., web publishers, advertisers, service providers and intermediaries of the marketing ecosystem and civil society representatives) will meet in the second half of 2019 to determine practical approaches to obtain consent. Based on these discussions, the CNIL will publish its draft recommendations at the end of 2019 or, at the latest, by the beginning of 2020. These draft recommendations will be open for public consultation. The CNIL will enforce the final version of the recommendations after a period of six months.