Out-Law News | 17 Jul 2014 | 9:52 am | 3 min. read
CNIL said that it will analyse what kind of cookies websites are using and for what purpose, as well as whether any cookies are "obsolete" and whether website operators are sufficiently aware of the purpose of the documents published on their site about cookies.
CNIL also said that it would assess the consequences for consumers if they refuse their consent to cookies being used to track their behaviour online, such as whether or not the refusal means consumers cannot make transactions on e-commerce sites. Businesses will also be assessed to determine whether consumers are given the possibility to withdraw consent to cookies at any time, and their compliance with data security obligations and protection of sensitive data stored in cookies will also be monitored, it said.
Businesses may be issued with sanctions if they are found to be in breach of the law, CNIL warned.
"CNIL is giving businesses every chance to comply with the 'cookie law' requirements," Paris-based data privacy expert Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com, said. "By its own admission CNIL has not been all that forceful with companies regarding their compliance with the EU's Privacy and Electronic Communications (e-Privacy) Directive since those rules were implemented in France, and indeed is waiting nearly a year since it issued guidelines to help business comply before following up with a concerted compliance monitoring scheme."
"In addition, CNIL has provided website operators with a number of tools available on its website to help them comply with the rules on cookies, from software that allows website operators to test their own sites to determine exactly what cookies are being applied by third parties, such as advertising networks, and the data that is being collected as a result. Other tools provided explain how the rules apply to different types of cookies and allow website operators to make use of template coding for their own sites," Richard said.
"With this new warning about the forthcoming compliance monitoring scheme, businesses are being given a last chance to get compliant. Although it is possible that CNIL could seek to impose sanctions on larger companies that are in breach of the e-Privacy rules, it is more likely that it will look to first engage with non-compliant businesses to encourage moves towards compliance before issuing fines or other penalties," she said.
EU rules require individuals to consent to the placing of cookies on their device by website operators and advertisers in most circumstances.
The e-Privacy Directive permits the storing and accessing of information on users' computers "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing". An exception to the consent requirements exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user.
The meaning of 'consent' under the e-Privacy Directive is taken from how the term is defined under the EU's Data Protection Directive. Consent to personal data processing must therefore be "freely given, specific and informed". There is no requirement that individuals' consent is explicitly given, other than where the data being processed is categorised as being sensitive.
Last year the Article 29 Working Party, a body representing data protection authorities from across the EU, published guidelines that explain what businesses operating in the trading bloc need to do to comply with the cookie consent requirements in every EU country.