French privacy authority new cookie rules enter into force

Apr 9, 2021 12:00:00 AM | French privacy authority new cookie rules enter into force

France's data protection supervisor, the Commission nationale de l'informatique et des libertés, (CNIL) notified the end of the transition period of it’s amended guidelines & recommendations on cookies and other tracers. If your website is accessible in France, chances are website owners have to bring their cookie consent practices in line with the new rules.

Earlier in 2021, the supervisor urged website developers to examine their cookie and ad-tracking practices in accordance with the amended guidelines and recommendations. 

The CNIL is aware of website’s cookie consent practices and will act on them

Along with the 2020 publication of the guidelines and the recommendation on the use of cookies and other tracers, the CNIL had set up an observation program. This aims to periodically analyze the cookie deposit practices of the 1.000 websites with the highest traffic in France, by analyzing the cookies placed on the first page seen by an Internet user visiting them. The CNIL reached out to 200 public entities and approximately 100 private actors which deposit cookies from more than 6 third-party domains without prior consent to notify them of potential cookie violations. 

Presumably, the CNIL can also do this for less-visited websites, greatly enlarging the risk of such automated audits (and subsequent fines) for website owners. The supervisor clarified that it will carry out investigations, possibly resulting in formal notices and public sanction procedures, into compliance with the new rules.

What should website owners do?

PrivacyPerfect published a step-by-step explanation of how to bring your cookie practices in line with the guidance earlier last year. 

In its most recent publication, the CNIL further reiterated certain key principles of the guidelines and recommendations, such as:

  • the requirement to inform the data subject of the purposes of the collection of their personal data
  • the requirement of a clear and positive action for consenting to cookie placement. 
    • the absence of a response constitutes a rejection of the use of non-essential cookies
  • the recommendation to integrate a 'Refuse All' option, instead of a preference management option on the same information layer as an 'Accept All' option. 
  • cookie walls and data subject consent to them will be assessed on a case-by-case basis, whilst remaining alert to any possible alternatives to the use of cookie walls (such as paying with money instead of ‘paying with your personal data’ for access - a common practice for news websites).

You can still influence if consent is required for audience measurement

In our experience, we’ve seen a lot of companies struggle with the challenge of uniting privacy and audience measurement. To this respect, it might be noteworthy that the French supervisor launched an evaluation program to help determine whether audience measurement solutions are exempt from collecting users' prior consent. The CNIL will assess each solution based solely on the documentation provided, it will not perform an examination of the solution itself. Submissions are accepted  until June 30 2021.