In less than a month, the French data protection authority (CNIL) rendered three major decisions¹ impacting worldwide internet service providers following online controls and investigations performed on the companies' websites. In a nutshell, the decisions highlight the data controllers' obligations when using cookies and other trackers, notably regarding the way the user's consent is collected, and the level of information that must be provided to users. Companies have an interest in closely monitoring the specific French requirements and adapting their cookie compliance accordingly. The CNIL recently announced it would grant a period of six months to implement the new CNIL guidelines; i.e., data controllers are required to comply with the new guidelines by the beginning of April 2021. The time left until then should be actively used.
Cookie compliance is therefore a matter of urgency for any online business covering the French market and must be taken seriously considering the cross-border penalties involved. Companies using advertising cookies and other trackers should be fully aware of these practical recommendations when implementing their consent mechanisms and drafting the wording used to inform users, ensuring that evidence of consent collection is kept, etc.
The penalties attached to these decisions are the largest ever imposed by the CNIL since the entry into force of the General Data Protection Regulation (GDPR). With these decisions, the CNIL is displaying its enforcement capabilities to companies all over the world, regardless of their location or sector of activity.
A shift in the CNIL's approach from prevention towards enforcement
The three decisions are consistent with the new doctrine developed by the CNIL since 2019. The CNIL showed its willingness to use its fining power to sanction practices related to the collection and use of personal data for advertising purposes,² if it considers them in breach of applicable regulations. The shift in approach by the CNIL means that, if the alleged breach is considered material (bearing in mind that there has been a sufficient period of time to ensure compliance since the applicable requirements entered into force), it may now decide to move straight to sanctions even if the targeted companies have already begun to implement corrective measures.
Cookie compliance has undeniably grown to become one of the CNIL's main concerns with respect to data privacy.
This also implies that the decisions do not have the effect of applying the ePrivacy Regulation, the adoption of which has been repeatedly postponed since 2018. That said, the different regulations have influenced the CNIL's stringent approach.
Jurisdiction of the CNIL
As a reminder of the applicable rules on jurisdiction, the CNIL outlined its territorial and material competence to rule on alleged breaches relating to cookies placed on the computers of users residing in France. Here, the companies in question have deposited cookies in the context of their activities and have an establishment in the French territory. This explains the jurisdiction of the CNIL in pronouncing a sanction against such companies. By asserting its territorial jurisdiction, the CNIL reasserts that all website owners may be concerned by control and sanction procedures ordered by the French regulator, if they offer services to French users. This approach is in line with the position recently adopted by the president of the CNIL, who indicated in several statements that the CNIL would no longer hesitate to fine multinational companies, no matter where their websites are hosted.
Explanation of the penalties
The CNIL relies on three main criteria in the explanation of the penalties:
(ii) the wide reach of the websites and the large-scale impact in France (up to 50 million people in some cases); and
(iii) the benefits derived from the alleged breaches that are based on the profits resulting from the use of advertising cookies.
It should be noted that the CNIL also examined in detail the reach of the platforms concerned, in terms of audience and share of the French online market (in one of the sanction decisions, the French market share was over 90 per cent).
A 'refresher' on the requirement for prior consent: advertising cookies are at the heart of the CNIL's attention
Consent is at the core of the three decisions, in line with a GDPR-inspired approach.
First, the CNIL firmly insisted on the fact that cookies that are not necessary to the performance of the services, such as cookies for advertising purposes, can in no case be dropped without the prior consent of the user. In other words, such cookies require a prior positive action of the user; i.e., the user's informed consent must be validly given. On that basis, the CNIL found that placing cookies at the very moment the user enters the website is incompatible with the concept of prior consent. The CNIL also considers it impermissible to continue to store a specific category of cookies for advertising purposes on the user's computer, even if the user has previously deactivated the personalisation of advertisements through a positive action mechanism made available to the user.
A thorough analysis of the information to be provided to data subjects
In addition to focusing on consent, the CNIL performed a case-by-case analysis of the information provided to users regarding cookies and available opt-out mechanisms.
The CNIL observed that French users should be clearly informed in advance of the deposit of cookies on their computers and, consequently, of the purposes of such cookies and the means made available for refusing them.
As a consequence, the CNIL considers that an information banner displayed at the foot of the webpage, offering a reminder of the rules of confidentiality but not providing any information relating to the cookies that had already been dropped on users' computers, was not valid. The CNIL has also paid particular attention to the level of description of the purposes of the cookies placed, to the information related to the user's right to refuse the cookies, and to the mechanism made available to users for this purpose.
Finally, it should be noted that the information must be reiterated in the event of a link directing the user to another website: the cookie choices implemented on the first website therefore cannot be transferred to the second website without any information being delivered to the users.
As a result, in practice, and although the decisions do not expressly refer to these guidelines, given the reasoned analysis carried out by the CNIL in order to determine whether the level of information provided is sufficient, the most cautious approach would be to carefully review the most recent CNIL guidelines and to build on that basis.
Next steps: what might companies expect next?
A major take-away of these decisions is that, pending the entry into force of the ePrivacy Regulation, the French data protection authority appears to be a forerunner on this matter. There should be more to come in the coming months on this topic, due to the public consultation implemented in February 2020 and the forthcoming publication of the CNIL's recommendations. More than ever, the clock is ticking for data controllers to adjust their compliance path and prepare for the CNIL's April 2021 deadline.
1 CNIL Decision No. SAN 2020-013 of 7 December 2020 regarding Amazon Europe Core; CNIL Decision No. SAN 2020-012 of 7 December 2020 regarding Google LLC and Google Ireland Limited; CNIL Decisions No. SAN 2020-0008 of 18 November 2020 regarding Carrefour France and No. SAN 2020-0009 of 18 November 2020 regarding Carrefour Banque.
2 CNIL Decision No. SAN-2019-001 of 21 January 2019.
3 Loi Informatique et Libertés (Law No. 78-17), as amended.
Originally Published by Reed Smith, December 2020