Developments in Cookie Regulation: French CNIL Declares Intent to Audit Websites for Cookie Compliance

On April 2, 2021 the French Data Protection Authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its intent to start auditing websites for compliance with cookie regulations. This publication comes following a large number of developments and actions taken by the CNIL to further improve and guide organizations through cookie compliance. The CNIL had issued several recommendations, guidelines and cookie tools to raise awareness on the importance of this topic, with a final set of guidelines published on October 1, 2020 following public consultation rounds (“Cookie Guidelines”). The CNIL had determined that a 6-month grace period would apply following publication of the Cookie Guidelines. This grace period ended on April 1, 2021 and the CNIL now expects companies to be compliant with its recommendations and guidelines. The CNIL has confirmed that it may make use of the totality of its corrective powers to remedy non-compliance with the rules, including issuing (public) sanctions. In light of the increase in scrutiny on cookies in the EU (and the US pursuant to certain state laws), organizations with websites / platforms operating in the EU (and U.S.) may want to reconsider their cookie practices and start carrying out cookie audits.

The use of cookies – i.e. the placement and retrieval of cookies and related technologies – in the EU is regulated by the EU ePrivacy Directive, as implemented into national EU Member State law. As such, the cookie rules across the EU are not harmonized and may differ from one Member State to another. Various EU Data Protection Authorities have taken different views and interpretations of these rules – which is not desirable in an online environment which by default is not bound to jurisdictional boundaries. This fragmentation is meant to be resolved in part by the new EU ePrivacy Regulation, which has been in the making for a number of years and is expected to be adopted later this year. Please refer to our blog post on this topic here. Where cookies collect personal data of internet users (e.g. an IP address) the requirements of the EU General Data Protection Regulation (“GDPR”) may also apply.

The French CNIL has by far been the most active of all EU Data Protection Authorities when it comes to cookie compliance and has clearly shown its particular interest in this topic.  It issued a total fine of €135m against two U.S. tech companies in December 2020 (interestingly during the grace period of its October 2020 guidelines), and has also developed a cookie audit tool (Cookieviz), practical tools, guidelines, Q&As, and recommendations and aimed to raise awareness by organizing webinars for companies. Earlier this year, it also incited companies to start auditing their website for compliance with its cookie recommendations and guidelines. Other EU/UK Data Protection Authorities that take an interest in cookie compliance are the Dutch Autoriteit Persoonsgegevens, the Spanish AEPD and the UK ICO, which have all issued more elaborate guidance on cookies. Non-compliance of a website may be brought to a regulator’s attention through investigative audits by the regulator or simply by complaints filed by individuals.

We summarize the current state of play of the CNIL’s cookie rules below:

1. Scope of Application: The CNIL clarifies and confirms that its investigation relates to the collection and placement of cookies and similar technologies irrespective of whether personal data is being processed through the cookie. A cookie could be used to process anonymized data only, e.g. for website audience measurement / analytics purposes. The CNIL does not clarify the exact scope of application (i.e. its competence) from a territorial perspective, but confirms that it aims to investigate websites and mobile applications which have a large French audience (i.e. a large number of visitors located in France). It does emphasize that other technology, such as digital voice assistants, and connected TV or vehicles, could also be subject to these requirements.

2. Consent for Non-Strictly Necessary Cookies: In line with the above, the CNIL has expressly confirmed that it is required to obtain the user’s consent for the collection and placement of cookies, irrespective of a personal data processing activity, unless the cookie is ‘strictly necessary’. Strictly necessary cookies could, for instance, be cookies used to authenticate a user, to remember cookie preferences, to remember items in a shopping cart, or to remember language or other user preferences. Note that even where consent is not a requirement, users must still be informed of the use of these cookies through means of a cookie banner (see below).

A particular type of cookie that may be exempted from the above consent requirement are web analytics / audience measurement cookies. The CNIL considers that these cookies are strictly necessary for the functioning of the website, and that no consent must be obtained from the user where these analytics cookies are merely used for web analytics purposes of the operator of the website (and not a third party), and do not allow to trace the user’s behaviour across different websites or platforms. Further, the analytics can only produce anonymized statistical results on web traffic, and the data cannot be enriched with other data nor transmitted to third parties.

3. Modalities of Consent: The CNIL recalls that the consent standard for cookies aligns with the consent standard of the GDPR – i.e. consent must be informed, free, specific, unambiguous and given by means of a clear affirmative action signifying consent. Clicking or ticking a button in a banner or consent mechanism is still sufficient to express consent – however pre-ticked boxes do not constitute valid consent. Further, the fact that the user continues browsing the website without any indication of cookie preferences cannot be interpreted as consent. The CNIL recalls that the consent and rejection of cookies must be placed at equal footing meaning there must be a button next to the consent button which allows the user to reject cookies (see below).

Lastly, consent must be specific meaning that users must be able to give consent per non-essential cookie type/purpose – in practice this is often achieved by a separate consent mechanism that can be accessed through clicking on the “edit cookie preferences” or similar buttons in the banner. Similarly, the user must be enabled to accept or reject all non-essential cookies at once (by means of an “Accept All” and “Reject All” button).

4. Cookie Banner and Policy: The CNIL has provided for specific guidance on how it believes cookie banners should be phrased, in particular with respect to the cookies’ purposes (which must be expressly mentioned in the banner itself). For example, if the website uses tracking cookies with a view to delivering targeted ads, the CNIL recommends to include language such as “Personalized Ads: [Website] [and our partners/third parties] use cookies to show you personalized advertisements on the basis of your web browsing and profile” (non-official translation from French). More detailed information such as the identity and contact details of the controller and the types of cookies and personal data collected (if any) can be included in the cookie policy (which must be linked in the banner).

5. Cookie Walls: Cookie walls are settings on a website/platform which prevent a user to access the website’s content if the user does not consent to cookies. Essentially, access to the website is made conditional upon the user’s consent to cookies, which conflicts with the requirement that consent under the GDPR must be ‘freely’ given – i.e. there must be no external pressure or significant disadvantage tied to not consenting.

Mid-2019, the CNIL had issued a first set of cookie guidelines in which it banned the use of cookie walls in a general and absolute manner. Mid-2020,the French Council of State (‘Conseil d’Etat’) overruled this guideline and provided that the CNIL is not competent to impose such a prohibition since it only issues soft law (non-binding guidelines). Therefore, in the CNIL’s current Cookie Guidelines, the CNIL has not maintained its categorical position but instead indicated that the use of cookie walls could affect the validity of consent but this must be assessed on a case-by-case basis.

In the United States, laws and industry practice increasingly incorporate the European principles of cookie transparency and user choice. The California Privacy Rights Act and Virginia’s new Consumer Data Privacy Act, each effective January 1, 2023, will require businesses to make affirmative disclosures about whether they track users’ activities over time and across nonaffiliated websites or online applications, practices that rely on the use of cookies or other tracking technologies. Additionally, both laws give consumers the right to direct businesses to stop using such tracking technologies for the purpose of delivering targeted advertisements. Long before those laws come into effect, however, businesses may wish to migrate towards express cookie consents to mitigate risks from a growing number of lawsuits alleging the use of certain types of tracking technologies constitute illegal “wiretapping,” or otherwise violate other existing privacy laws. New technologies are also facilitating greater consumer consent, as several new consumer products and service offerings (e.g., search engines, browser extensions, and in-app consent mechanisms) block cookies and other ad trackers by default.

The most highly-publicized technology in this regard, Apple’s new AppTracking Transparency framework, will be fully operational on April 26, 2021.  Under this framework, developers will need to obtain opt-in consent from app users before they can track users for advertising purposes or access a device’s advertising identifier.  The framework also requires mobile app developers to disclose information about data collected through an app and whether the app facilitates tracking of consumers for advertising purposes.  Apple uses this data to create the so-called “privacy nutritional labels” visible to consumers before they download or purchase an app on the Apple App Store platform.  Businesses will want to make sure all App Store disclosures are vetted by privacy and/or legal departments to ensure accuracy and consistency with other public-facing privacy notices, including online privacy policies.

Based on the above, the key practical next steps are the following:

1. Perform a cookie audit: This will allow to obtain an overview of the cookies used on the website(s) and/or app(s) and more importantly, their purpose, longevity and impact on users.

2. Determine a strategy for cookie compliance: As discussed above, the CNIL’s guidance and interpretation of the cookie rules does not necessarily align with the views of other EU Data Protection Authorities. The legal framework on cookies remains fragmented and companies have to navigate this for the time being – and presumably until the ePrivacy Regulation is adopted. Some companies, with a presence across the EU, may benefit from adopting the strictest regulatory position in the EU (which is the CNIL’s) and apply this across the board. Companies with websites and/or apps operating both in the EU and U.S. will have to determine a strategy that aligns with the rapidly developing regulatory framework in both regions. Further, other factors that may be relevant for their cookie strategy are commercial reasons – companies will have to balance strict compliance with their website’s user-friendliness and accessibility.

3. Roll-out strategy: Companies must roll out their cookie strategy, continue monitoring their use of cookies and the positions taken with respect to cookie use in the EU and U.S. moving forward, in particular as soon as the e-Privacy Regulation is adopted.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.