CNIL Enforces Cookies Rules in France
On 30th June 2015, the CNIL issued a press release stating that, following its online cookies audits conducted last October (see our previous blog article), it has sent out a formal letter of enforcement ("lettre de mise en demeure") to approximately 20 companies requesting them to comply with the cookie rules in France. Under French law, letters of enforcement do not constitute a sanction, although the delivery of such letter is a required first step before the CNIL can pronounce an administrative sanction against a company (unless the CNIL chooses to pronounce a simple warning).
Enforcement letters are delivered by the CNIL after inspecting a company's data processing activities, for example, by conducting on-site inspections or online audits (click here for more information about the CNIL's enforcement powers). The Chairwoman of the CNIL may decide to make public the formal notice to comply that is served against the data controller. In the past, the CNIL has used this measure as a means to name and shame companies that either committed serious violations to the Data Protection Act and/or acted in bad faith.
The formal notice to comply must state: 1) the provisions of the Data Protection Act that the data controller has failed to comply with and 2) the period of time within which the data controller must cease such failure(s). This period may not be less than ten (10) days (except in urgent cases) and must not exceed three (3) months. If the company complies within the given period of time, the case is closed by decision of the Chairwoman of the CNIL. On the contrary, if the data controller does not comply with the notice served, the CNIL may pronounce, after due hearing of the parties, either a fine up to EUR 150,000 (or EUR 300,000 in the event of a second breach within five years or 5% of the company's gross revenue for legal entities) or an injunction to cease the processing.
In the given context, the CNIL carried out 24 on-site inspections, 27 online inspections and 2 auditions specifically targeting how companies comply with the cookie requirements in France. The outcome of these inspections indicates that, in general, web sites do not inform their users sufficiently about the use of cookies (or other tracking technologies) and do not obtain their prior consent before setting cookies. While many companies have posted a cookie banner on their websites to inform users about the use of cookies, all the websites that were inspected by the CNIL seem to install their cookies on the user's computer or device before obtaining the user's consent. In France, implied consent is recognised as a valid form of consent. However, what this means in practise is that the user must actively continue to navigate the website (e.g., by clicking on a web link, an image or a search button) once having been served the cookie banner. If the user closes the web page without navigating the website, cookies cannot be served.
Furthermore, the CNIL noticed that many websites invite their users to opt-out from cookies by changing their web browser settings. However, the CNIL considers that browser settings are not a valid means for obtaining opt-out because, in their current form, they only apply to HTTP cookies and do not enable users to activate/deactivate other types of cookies such as pixels, flash cookies or fingerprinting.
Since the entrance into force of the CNIL's new online audit powers, the CNIL has been more active in enforcing cookie rules in France. Cookie compliance continues to be a high priority on the CNIL's enforcement agenda and companies should therefore make sure that they comply with cookie requirements in France and the rest of Europe.
For more information regarding cookie compliance requirements in Europe, you may download Fieldfisher's Cookie Consent Table from our website, as well as the Whitepaper on "EU cookie audits: are you compliant?", which was co-authored by Fieldfisher and TRUSTe.
By Olivier Proust, Of Counsel (olivier.proust@fieldfisher.com)