Skip to main content
Insight

CNIL puts more pressure on the adtech sector

Locations

United Kingdom

On 28 June 2018, the CNIL issued a statement on its website which says in bold letters that online advertising is a "top priority" for 2019. This leaves little room for doubt. The CNIL is not done with the ad tech business and, on the contrary, is just warming up.

Last year, the French Data Protection Authority (CNIL) issued a formal notice against four companies in the adtech sector, namely Fidzup, Singlespot, Teemo and Vectaury, ordering them to comply with the GDPR (see our previous blog post for further detail on this). The CNIL eventually dropped its investigation against these companies after concluding that they had made sufficient efforts to comply with the GDPR. This was just the premise of what is to come…

On 28 June 2018, the CNIL issued a statement on its website which says in bold letters that online advertising is a "top priority" for 2019. This leaves little room for doubt. The CNIL is not done with the ad tech business and, on the contrary, is just warming up.

So what exactly should the ad tech sector expect in 2019?

ePrivacy reloaded

Last April, the CNIL reported that 21% of the complaints since the GDPR entered into force concerned marketing activities in the broad sense. Step 1 of the CNIL's action plan for 2019/2020 will be to revisit its guidelines of 2013 on the use of cookies (and other tracking technology) and to adopt a new set of guidelines that are aligned with the definition of consent under the GDPR (as a reminder, under the GDPR valid consent must now be informed, specific, freely given and unambiguous) and with the European Data Protection Board's guidelines on the concept of consent which exclude implied consent as a valid means for obtaining consent. Based on the GDPR, consent cannot be inferred by the user's silence, inactivity and on the contrary must now constitute a clear, affirmative action of the user (e.g. by ticking a box). The CNIL recognises that its 2013 guidelines are now outdated and that its position under these guidelines is no longer in line with the GDPR and the guidelines adopted by the EDPB. As a result, consent can no longer be implied from the user's continued use of a website or mobile app, such as scrolling down, swiping or browsing through a website or application.

When are the CNIL's new guidelines coming into force?

According to the CNIL, these new guidelines will be adopted in the month of July 2019. Once adopted, the former guidelines of 2013 will be repealed and will no longer apply. Implied consent for use of cookies will no longer be considered as valid consent. However, the CNIL says it will grant ad tech companies a 12 month grace period during which implied consent will continue to be valid, leaving them time to amend their practices in line with these new guidelines.

In the meantime, the CNIL will continue to instruct data subject complaints and to carry out investigations, including to verify whether consent has been obtained and other requirements under the GDPR have been complied with (such as information of the data subjects, withdrawal of consent and data security measures).

What about the upcoming ePrivacy Regulation (you may ask)? Well sure, the CNIL has not forgotten this important revision to the ePrivacy Directive but nonetheless takes note of the fact that the ePrivacy Regulation (ePR) is currently still being discussed in Brussels and is not expected to come into force in the short term. This is a diplomatic way to say that the ePR is stuck in the EU legislative procedure and (amidst the EU elections and the political game that is currently taking place in Brussels to choose the new heads of the EU institutions) the ePR is unlikely to be adopted before 2020, let alone when it will come into force.

Continued consultation with representatives of the ad tech sector

The CNIL's 2019/2020 action plan also entails further meetings and consultations in 2019 with the different stakeholders in the ad tech sector with a view to adopting a new recommendation on the operational modalities for obtaining valid consent under the GDPR. It is still unclear what the exact form and content of this recommendation will be, but it is expected to help companies to operationalize their cookie consent strategies in line with the GDPR. One can only hope that this recommendation will indeed provide practical guidance and examples to companies on how to implement valid cookie consent functionalities. The CNIL hopes to adopt this recommendation and to open it for public consultation at the end of 2019, or no later than beginning of 2020. The CNIL will then start enforcing this recommendation 6 months after its definitive adoption.

Sign up to our email digest

Click to subscribe or manage your email preferences.

SUBSCRIBE

Related Work Areas

Technology