In less than a month, the French data protection authority (CNIL) rendered three major decisions1 impacting worldwide online service providers following online controls and investigations performed on the companies' websites. In a nutshell, the decisions highlight the obligations of data controllers when using cookies and other trackers, notably regarding the way the user's consent shall be collected, and the level of information that has to be provided to users. Companies have an interest to closely watch and adapt their cookie compliance through the monitoring of the specific French requirements. The CNIL has recently announced it would grant a period of 6 months to implement the new CNIL guidelines i.e., data controllers are required to comply with these new guidelines by the beginning of April 2021. That time period should be actively used.
Cookie compliance is therefore a matter of urgency for any online business actors covering the French market and must be taken seriously considering the cross border penalties involved. Companies applying advertising cookies and other trackers should be fully aware of these practical recommendations when implementing their consent mechanisms and drafting the information wording aimed at users, ensuring to keep evidence of consent collection etc.
The penalties attached to these decisions are the largest ever imposed by the CNIL since the entry into force of the General Data Protection Regulation (GDPR). With these decisions, the CNIL is displaying its enforcement capabilities to companies all over the world, whatever their nationality and sector of activity.
A shift in the CNIL's approach, from prevention towards enforcement
The three decisions are consistent with the new doctrine developed by the CNIL since 2019. The CNIL showed its willingness to use its fining power to sanction practices related to the collection and use of personal data for advertising purposes,2 it considers in breach of applicable regulation. The shift operated by the CNIL is that it now may decide to move on to a sanctions procedure - even if the targeted companies have previously taken some corrective measures, if the alleged deviation/breach is regarded to be material in view of the sufficient period of time since which the relevant requirements have been in force.
Cookie compliance has undeniably grown one of the CNIL's main concerns in that regard.
The decisions also reflect a strengthening of the CNIL's position regarding the enforcement of the data protection requirements that pre-existed to the entry into force of the GDPR, and for which the French regulator had already announced on several occasions its willingness to exercise its power control and sanction. It is important to note that these decisions, which mainly concern the use of cookies and other trackers by online platforms, are not rendered strictly speaking on the basis of the GDPR, nor on the basis of the recent CNIL guidelines, but on the basis of the 'ePrivacy' Directive, as transposed in Article 82 of the French data protection law3.
This implies also that the decisions do not make application of the e-Privacy Regulation that is not completed as of today, and has continuously been postponed since 2018. However, all these pieces of regulation have inspired the CNIL's stringent approach.
In other words, these decisions have to be interpreted as the willingness of the CNIL not to wait for the entry into force of the e-privacy Regulation to start regulating the use of cookies in France. As the CNIL had previously announced, it is now prepared to sanction any alleged failure to comply with existing requirements that it considers already enforceable, including, of course, the strict consent requirements relating to the use of cookies and other trackers. That approach is also monitored by other regulators in Europe.
Jurisdiction of the CNIL
As a reminder of the applicable rules of jurisdiction, the CNIL outlined its territorial and material competence to rule over alleged breaches relating to cookies placed on the computer of users residing in France. Here, the companies in question have deposited cookies in the context of their activities and have an establishment on the French territory. This explains the jurisdiction of the CNIL in pronouncing a sanction against such companies. By asserting its territorial jurisdiction, the CNIL reasserts that all website owners may be concerned by control and sanction procedures ordered by the French regulator, if they offer services to French users. This approach is in line with the position recently affirmed by the President of the CNIL, who has indicated in several statements that the CNIL would no longer hesitate to fine international companies acting worldwide, no matter where their website is hosted.
Explanation of the penalties
The CNIL relies on three main criteria in the explanation of the penalties:
(i) the scope of the alleged breach, which in some cases concerned several fundamental requirements related to the use of cookies, i.e., the user's information and consent;
(ii) the wide reach of the websites and the large scale impact in France (up to 50 million people in some cases), as well as
(iii) the benefits derived from the alleged breaches that are based on the profits resulting from the use of advertising cookies.
It should be noted that the CNIL also examined in detail the extent of the concerned platforms, in terms of audience and share of the French online market (in one of the sanction decisions, the French market share was over 90 per cent).
A "'refresher"' on the requirement for prior consent: Advertising cookies are at the heart of the CNIL's attention
Consent is at the core of the three decisions, in line with a GDPR inspired approach.
First, the CNIL firmly insisted on the fact that cookies that are not necessary to the performance of the services, such as cookies for advertising purposes, can in no case be dropped without the prior consent of the user. In other words, such cookies require a prior positive action of the user, i.e. the user's informed consent shall be validly given. On that basis, the CNIL found that placing cookies simultaneously upon entering the website should be incompatible with the concept of prior consent. The CNIL also considers inadequate the storing of one category of cookies for advertising purposes on the user's computer, even if user has previously deactivated the personalization of advertisements through a positive action mechanism made available to the user.
As a result, the concept of active consent should be understood as a positive and clear action, i.e. by clicking on a button, which excludes silence or inaction. In that respect, the CNIL puts an end to the uncertainties that may have existed previously for French data controllers on the question of the user's silence. The position held by the CNIL in these decisions is also in line with the recent consent standards set forth by the CNIL, which also follow the guidelines of the UK and the German data protection authorities: active and informed consent is required prior to the use of cookies or any technology storing or accessing information on the user's device. This approach can also be found in the new CNIL guidelines, whilst the CNIL has given the actors a period of 6 months to comply.
A thorough analysis of the information to be provided to data subjects
In addition to focusing on consent, the CNIL performed a case-by-case analysis of the information provided to the users regarding cookies and of the opt-out mechanisms implemented.
The CNIL observed that French users should be previously and clearly informed as to the deposit of cookies on their computer and, consequently, as to the purposes of such cookies and the means made available for refusing them.
As a consequence, the CNIL considers that an information banner displayed at the foot of the webpage, offering a reminder of the rules of confidentiality, but not providing any information relating to the cookies that had already been dropped on the computer, was not valid. The CNIL also has paid particular attention to the level of description of the purposes of the cookies placed, and to the information related the user's right to refuse the cookies, as well as of the mechanism made available to them for this purpose.
Finally, it should be noted that the information must be reiterated in the event of a link directing the user to another website: therefore, the cookie choices implemented on the first website cannot be transferred on the second website, without any information delivered to the users.
As a result, in practise, and although the decisions do not expressly refer to these guidelines, given the casuistic analysis carried out by the CNIL in order to determine whether the level of information provided is sufficient, the most cautious approach would be to carefully review the most recent CNIL guidelines, and to build on that basis.
Next steps: What should companies expect next?
A major take-away of these decisions is that, pending the entry into force of the e-Privacy Regulation, the French data protection authority appears to be precursory in that matter. There should be more to come in the coming months on this topic, due to the public consultation implemented in February 2020 and the forthcoming publication of the CNIL recommendations. More than ever, the timer is on for data controllers to adjust their compliance path, and prepare for the CNIL deadline set for next April.
Footnotes
1. CNIL Deliberation N° SAN 2020-013 of 7 December 2020 regarding Amazon Europe Core; CNIL Deliberation N° SAN 2020-012 of 7 December 2020 regarding Google LLC and Google Ireland Limited; CNIL Deliberations N° SAN 2020-0008 regarding Carrefour France and N° SAN 2020-0009 of 18 November 2020 regarding Carrefour Banque
2. CNIL Deliberation N° SAN-2019-001 of 21 January 2019
3. « Loi Informatique et Libertés » N° 78-17, as amended.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
