Why is the CNIL so active on cookie compliance?
In October 2020, the CNIL adopted guidelines and a recommendation on cookies. All stakeholders were invited to comply with these new rules by the end of March 2021. The CNIL then announced that compliance with such guidelines would be one of its enforcement priorities for 2021. And the CNIL kept its promise.
Two months after the March 2021 deadline, the CNIL launched a first wave of investigations resulting in about 20 formal notices. This was followed by a second wave in July 2021 with 40 formal notices added to the pile.
With the CNIL’s announcement that it has opened a new series of investigations with 30 formal notices sent to noncompliant organizations, up to 90 organizations have been served with a formal notice to comply with the CNIL’s cookies guidance.
Which organizations received notices to comply?
The CNIL is focusing on different industry sectors, including private companies and public authorities. Organizations that received an order to comply include:
- Digital economy platforms
- Information technology hardware and software manufacturers
- Online consumer goods companies
- Players in online tourism
- Car rental companies
- Players in the banking sector
- Local authorities and public services
- Energy industry participants
These enforcement actions demonstrate the CNIL’s firm commitment to obtain compliance with cookies rules. This strategy is very likely to be conducted again in 2022, given that the CNIL announced that its “investigation is a long-term one.” Therefore, more organizations should expect to receive a formal notice in the coming weeks or months.
What’s the risk?
To avoid fines of up to 2% of their global annual turnover, the organizations concerned must comply with the formal notice within one month.
Does the CNIL sanction organizations that are not compliant with the cookie rules? Yes. Sanctions ranging from €50,000 to €60 million have been reported. Oftentimes, the CNIL started digging into other General Data Protection Regulation (GDPR) compliance issues after being alerted to cookie noncompliance.
How can organizations avoid being on the CNIL’s radar?
We’ve listed below a few tips based on the recommendations of the French data protection authority.
- Assume that merely browsing a website is not a valid expression of the user’s consent: The user’s consent must result from a clear positive act, such as clicking on the “Accept all” button. (The CNIL also recommends including a “Reject all” button.)
- Keep a record of the choice made by the user: Whether the user clicks on “Accept all” or “Reject all,” you need to have proof of the user’s choice.
- Remember that some cookies (“strictly necessary cookies”) are not subject to consent: Examples include cookies that are used for authentication with a service, to keep track of the contents of a shopping cart on a merchant site, or to allow paying sites to limit free access to a sample of content requested by users, as well as certain cookies used to generate traffic statistics.
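The three tips above in working form, as an added example that is not code from the original post or from the CNIL: a small consent gate that counts only an explicit “Accept all” / “Reject all” act as a choice, keeps a timestamped record of that choice as proof, and lets strictly necessary cookies through regardless. The cookie names and the policyVersion label are constructed placeholders.

```javascript
// Constructed placeholder names for cookies exempt from consent (authentication,
// shopping cart, paywall free-sample quota); a real site's list will differ.
const STRICTLY_NECESSARY = new Set(["session_id", "cart", "paywall_quota"]);

// Initial state: no choice recorded. Browsing alone never changes this.
function createConsentState() {
  return { choice: null, recordedAt: null, policyVersion: null };
}

// Record an explicit act. Only "accept_all" or "reject_all" (the two buttons)
// are valid; scrolling, closing the banner or continued navigation are refused
// so they can never be mistaken for consent.
function recordChoice(state, action, policyVersion, now = () => new Date().toISOString()) {
  if (action !== "accept_all" && action !== "reject_all") {
    throw new Error("consent requires an explicit Accept all / Reject all act, got: " + action);
  }
  return { ...state, choice: action, recordedAt: now(), policyVersion };
}

// Gate for every cookie write: strictly necessary cookies pass unconditionally;
// everything else requires a recorded "accept_all" (no act, or "reject_all", blocks it).
function mayDrop(state, cookieName) {
  if (STRICTLY_NECESSARY.has(cookieName)) return true;
  return state.choice === "accept_all";
}

// The proof of the user's choice to retain (for example server side): what was
// chosen, when, and against which version of the cookie notice.
function consentReceipt(state) {
  if (state.choice === null) return null;
  return { choice: state.choice, recordedAt: state.recordedAt, policyVersion: state.policyVersion };
}

// Usage sketch (runs in Node or a browser console):
let demoState = createConsentState();
console.log(mayDrop(demoState, "ad_tracker"));   // false: no positive act yet
demoState = recordChoice(demoState, "reject_all", "notice-v1");
console.log(mayDrop(demoState, "cart"));         // true: strictly necessary
console.log(consentReceipt(demoState));
```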