The EU "cookies sweep day" and national cookie audits | Fieldfisher

Cookies have recently become a hot topic again, following a press release by the French Data Protection Authority (CNIL) on July 11th, 2014, announcing an EU "cookies sweep day" and enforcement actions in France. Here's an update on what has happened and what to expect.

1. EU Cookies Sweep Day: 15 - 19 September

When did the EU "cookies sweep day" take place?

From 15 to 19 September, the Article 29 Working Party ("WP29") conducted a coordinated online audit of the main websites operating in Europe to verify compliance with the EU cookie requirements. The CNIL and other Data Protection Authorities ("DPAs") spent a couple of days assessing the level of compliance on some of the most visited websites.

Did the "cookies sweep day" concern all websites?

No, the EU "cookies sweep day" only concerned websites that are targeting European consumers. Potentially any website (operated either within or outside the EU) that uses cookies or other tracking technologies to collect personal data from users in Europe may have been audited. Websites that do not provide services to European consumers, or that do not collect personal data via cookies from European users, were normally not concerned. According to the CNIL, the main sectors to have been audited were e-commerce platforms and media websites.

Where did the "cookies sweep day" take place?

The EU "cookies sweep day" was an initiative of the WP29, and any DPA could take part in it. Therefore, potentially any website available in the European Union may have been audited.

How many websites were audited?

The WP29 did not release any official number of websites that were audited. However, the CNIL announced that it had audited 100 websites.

What did the DPAs verify?

The EU "cookies sweep day" offered an opportunity for all DPAs to verify together whether websites comply with the EU cookie requirements (namely the notice and consent rules) and to produce a comparative review of their practices with regard to cookies. In particular, the DPAs verified the number and types of cookies used, the manner in which users are informed about the use of cookies, and the process for obtaining consent.

What is the outcome of the "cookies sweep day"?

The DPAs will share the results of their respective audits with a view to comparing these results among Member States and possibly harmonising their positions with regard to cookies compliance in Europe. Furthermore, it is likely the WP29 will release a public statement about the results of the "cookies sweep day" in the near future.

Is there a risk that non-compliant companies may be sanctioned?

The purpose of the EU "cookies sweep day" was not to conduct enforcement actions. However, the results of the audits may be used by each DPA to enforce compliance with the cookie provisions under national law. Some data protection authorities have already begun enforcing cookie rules in their respective jurisdictions (see our previous blog).


2. Cookie audits in France: October 2014

In its July 2014 press release, the CNIL also announced that it would audit websites in France to verify compliance with French cookie provisions. Last year, the CNIL issued guidance on how to comply with cookie requirements in France (published in December 2013) and the CNIL now expects companies to be compliant. This enforcement program will enable the CNIL to test its new on-line investigatory powers that came into force following a revision of the French Data Protection Act in March 2014 (see our previous blog). This is in line with the CNIL's inspections plan published earlier this year, which announced at least 200 online inspections.

What will the CNIL verify?

The CNIL will focus its investigation on:

    • The types of cookies and other tracking technologies that are used (e.g., HTTP cookies, local shared objects (Flash cookies), fingerprinting, etc.)

    • The purposes of the cookies used and whether the owner of the website knows and understands the purposes of all the cookies (including third-party cookies) used on their website.

Furthermore, where prior consent is required, the CNIL will verify:

    • The method used to obtain consent from the user

    • The quality, accessibility and clarity of the information provided to users

    • The consequences of a refusal from the user to use cookies. As an example, the CNIL refers to users of an e-commerce website whose only option is to refuse all cookies via the cookie settings of their web browser. As a result, such users may not be able to use the website at all.

    • The possibility to withdraw user consent at any time

    • The duration of cookies.

What are the risks for companies?

In France, the CNIL has the power to conduct on-site and on-line inspections that can be followed by administrative sanctions. In particular, the CNIL can issue a public warning or an enforcement notice asking the company to comply within a given period of time. If the company fails to comply with the terms of this notice, the CNIL may then initiate administrative proceedings which ultimately can lead to a fine or an obligation to cease the processing.

What should companies do in advance of this enforcement action?

Cookie compliance is still very much a hot topic in Europe, with different countries amending their laws and DPAs issuing guidance or conducting enforcement actions. Therefore, companies should not wait until they are being investigated to put their house in order. Some basic steps can be taken to make sure you comply with the cookie requirements:

    • Audit your websites to find out what types of cookies (or other tracking devices) you use

    • Analyse the purposes of the cookies

    • Assess the level of intrusiveness of cookies and verify which cookies require prior consent

    • Publish a clear, understandable and accessible cookie policy on your website

    • Implement an adequate cookie consent mechanism

For more information about cookie consent requirements in Europe, click here.