French privacy watchdog to increase scrutiny of 'cookie law' compliance

Out-Law News | 17 Jul 2014 | 9:52 am | 3 min. read

The way in which businesses operating in France obtain consumers' consent to place 'cookies' on their computers to monitor those individuals' behaviour online is to be subject to increased scrutiny.

The Commission nationale de l'informatique et des libertés (CNIL), the data protection authority in France, has announced that, from October, it will conduct both on-site audits and remote assessments of organisations' compliance with guidelines it set out last year on the use of cookies and other online "tracers". CNIL gained new powers to conduct privacy audits remotely earlier this year.

CNIL said that it will analyse what kinds of cookies websites are using and for what purposes, whether any of those cookies are "obsolete", and whether website operators sufficiently understand the purpose of the cookie documentation published on their own sites.

In addition, the watchdog said that it would check that internet users are able to express their agreement to the use of cookies wherever such consent is required, and would examine the methods websites use to obtain that consent. In particular, it said it would review whether the cookie consent mechanisms businesses rely on are user-friendly and whether the information displayed about cookies is sufficiently visible, simple and of good quality.

CNIL also said that it would assess the consequences for consumers who refuse to consent to cookies being used to track their behaviour online, such as whether the refusal prevents them from making transactions on e-commerce sites. Businesses will also be assessed on whether consumers are given the possibility to withdraw consent to cookies at any time, and their compliance with data security obligations and the protection of sensitive data stored in cookies will be monitored as well, it said.

Businesses may be issued with sanctions if they are found to be in breach of the law, CNIL warned.

"CNIL is giving businesses every chance to comply with the 'cookie law' requirements," Paris-based data privacy expert Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com, said. "By its own admission CNIL has not been all that forceful with companies regarding their compliance with the EU's Privacy and Electronic Communications (e-Privacy) Directive since those rules were implemented in France, and indeed is waiting nearly a year since it issued guidelines to help business comply before following up with a concerted compliance monitoring scheme."

"In addition, CNIL has provided website operators with a number of tools available on its website to help them comply with the rules on cookies, from software that allows website operators to test their own sites to determine exactly what cookies are being applied by third parties, such as advertising networks, and the data that is being collected as a result. Other tools provided explain how the rules apply to different types of cookies and allow website operators to make use of template coding for their own sites," Richard said.

"With this new warning about the forthcoming compliance monitoring scheme, businesses are being given a last chance to get compliant. Although it is possible that CNIL could seek to impose sanctions on larger companies that are in breach of the e-Privacy rules, it is more likely that it will look to first engage with non-compliant businesses to encourage moves towards compliance before issuing fines or other penalties," she said.

Cookies are small text files that store details of internet users' online activity. Website operators often use cookies to record user behaviour for the purpose of analytics or to deliver personalised content to those individuals, whilst advertisers also use cookies to deliver targeted ads based on users' prior interactions online.

EU rules require individuals to consent to the placing of cookies on their device by the website operators and advertisers in most circumstances.

The e-Privacy Directive permits the storing and accessing of information on users' computers "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing". An exception to the consent requirements exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user.

The meaning of 'consent' under the e-Privacy Directive is taken from how the term is defined under the EU's Data Protection Directive. Consent to personal data processing must therefore be "freely given, specific and informed". There is no requirement that individuals' consent be explicitly given, other than where the data being processed is categorised as sensitive.

Last year the Article 29 Working Party, a body representing data protection authorities from across the EU, published guidelines that explain what businesses operating in the trading bloc need to do to comply with the cookie consent requirements in every EU country.