French Regulator Cracks Down on Cookies
In June, the CNIL–France’s regulatory body for data privacy and protection–issued notices of noncompliance to approximately 40 companies that had failed to align with the CNIL’s guidelines on cookies, which were adopted October 1, 2020.
In a followup report issued this week, September 14, the CNIL reported that 80 percent of noncompliant companies have since complied, noting that of the eight organizations that are still not in compliance, “four have requested a delay due to technical or operational constraints and four have not yet responded.” The delay period ended on September 6, and organizations who have still failed to comply risk penalties of up to 2 percent of their turnover.
The guidelines were originally issued to clarify how the French regulatory body intends to interpret and enforce the GDPR statute on cookies, specifically as it relates to consent methods. According to the GDPR, consent must be “freely given” without any conditions that would compel a user to give consent. While the CNIL does not prohibit cookie walls entirely, they note that making consent a condition of access is prone to infringing upon the free consent standard and recommend evaluating such practices on a case-by-case basis.
Websites are also required to inform users about the type of cookies and the purpose of each when asking for consent. The information provided must be clear and easily understandable. Consent can only be obtained through “a clear affirmative act” like clicking the ubiquitous “I accept” button. The CNIL recommends each site’s cookie consent banners to all be the same design, so as to not deceive users. In last September’s deliberation on these guidelines, they call for an easily accessible webpage for users to change their choices to make it “as easy to withdraw consent as it is to give it.”
Cookie regulations and guidelines are changing the online ecosystem in major ways. The Association for Data and Cyber Governance will address the growing issue of tracking cookies at its October 6 webinar.