CNIL Calls Organizations to Audit their Sites and Apps for Cookie Compliance
On February 4, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it sent letters and emails to approximately 300 organizations, both private and public, to remind them of the new cookie law rules and the need to audit sites and apps to comply with those rules by March 31, 2021.
On October 1, 2020, the CNIL published a revised version of its guidelines on cookies and similar technologies (the “Guidelines”), its final recommendations on the practical modalities for obtaining users’ consent to store or read non-essential cookies and similar technologies on their devices (the “Recommendations”) and a set of questions and answers regarding the Recommendations. The CNIL decided to allow for a transition period of six months to comply with the Guidelines (i.e., until March 31, 2021), and announced that it will carry out inspections to enforce the Guidelines after that transition period.
Poor Cookie Practices in the Public Sector
The CNIL observed that the vast majority of websites of the public sector still do not fully comply with the cookie rules as set out in the Guidelines. The CNIL therefore sent letters and emails to 200 public organizations, reminding them of the need to remedy this situation without delay. In particular, the CNIL drew their attention to the following:
Cookies Set by Businesses without Users’ Prior Consent
The CNIL periodically analyzes the cookie practices of the 1,000 most popular sites in France. Based on the results of its analysis so far, the CNIL decided to send letters to approximately 100 operators of the most popular websites in France that set cookies from more than six third-party domains without obtaining users’ prior consent. The CNIL reminded businesses of the need to amend their cookie consent interfaces for the use of tracking technologies on their sites or apps, e.g., when adding content from external sources such as social media plug-ins.
The CNIL further reminded public and private organizations that analytics cookies can be exempt from consent if the cookies are used only to produce anonymous statistics that are strictly necessary to the proper functioning of the service and are exclusively for the operator of the site or app in question. In the coming weeks, the CNIL will publish further information on the analytics solutions that are exempt from consent.