BLOG | CNIL | July 29, 2021

CNIL Enforces Cookie Compliance with Issuance of Second Series Formal Notices

CNIL, The French Data Protection Authority, has been implementing its global strategy to ensure compliance of companies that use cookies. On...

Post Featured Image

CNIL, The French Data Protection Authority, has been implementing its global strategy to ensure compliance of companies that use cookies. On Monday, July 19th, the Commission published a press release announcing a second series of formal notices targeted at approximately 40 companies whose websites and cookie banners still do not comply with the recommendations and guidelines that came into force on April 1, 2021. The second series of notices came after the first series was released in May 2021, which was issued to at least 20 companies. The CNIL intends to continue its controls and will adopt, if necessary, new corrective measures against companies that do not comply with its latest recommendations and guidelines.

Regardless of the first set of warnings in May, some organizations are still not compliant with the regulatory requirements on cookie consent management. “This situation is not acceptable” the CNIL announced. This has resulted in the CNIL’s president issuing new formal notices to 40 companies that have from July 19th until September 6th, 2021, to comply.

Without explicitly calling out the names of the companies and organizations concerned, the CNIL listed the following types of companies that received notices:

  • 4 major platforms in the digital economy
  • 6 major manufacturers of computer hardware and software
  • 6 companies selling consumer goods online
  • 2 major players in online tourism
  • 3 car rental companies
  • 3 major players in the banking sector
  • 2 major local authorities
  • 2 online public services
  • An energy company

Companies will face fines up to 2% of their revenues

The Commission has insisted that these measures are complementary to the ongoing procedures before its restricted formation (body in charge of imposing sanctions). As a result, they could lead to heavy fines of up to 2% of the company’s revenue.

Since the CNIL controls are permanent, companies must comply to avoid heavy repercussions. In the fall, other verification and corrective measures will be carried out to ensure the respect of French internet users’ privacy. The CNIL has carried out extensive work for the past two years, which culminated on October 1, 2020, with the adoption of Guidelines and a Recommendation. Companies then had six months to comply with them as the deadline was April 1, 2021.

The CNIL’s recommendations published on October 1, 2020, provides more context on how the CNIL expects companies to handle cookies and other electronic communication data in France.

The CNIL has put forward the following guidelines and recommendations:

  • ‘Soft opt-in’, browsing the website, no longer constitutes the expression of valid consent, and the deposit of cookies other than those strictly necessary for the functioning of the service are conditioned to a clear positive act from the user,
  • A ‘Refuse All’ button is recommended, from the first layer of information,
  • The purpose must be clearly presented from the first layer of information,
  • Visitors should be provided with a mechanism to update their preferences and withdraw their consent at any time, for example by using a static button to access the cookie settings,
  • Visitors should have access to an up-to-date and structured list of actors using the trackers,
  • Organizations, including their third-party actors, must be able to demonstrate at all times the validity of the consents collected to use the trackers,
  • Some trackers, such as authentication cookies, traffic statistics cookies or cookies that limit the presentation of free content, are not subject to consent.

Do the CNIL guidelines concern your website?

Any website or mobile application that targets French users (e.g., offering content in French, or shipping or buying in France) is subject to French cookie requirements. Consequently, if your international website or mobile application targets (among others) the French market or users, you must ensure that you comply with the requirements set forth by French law and CNIL guidelines and recommendations.

Let CookiePro Help

Despite where you are in your cookie compliance journey, CookiePro is here to help. Our CNIL Cookie Consent Toolkit provides resources to understand the CNIL recommendations and helps you implement compliant cookie banners. Download your toolkit today to fast-track your compliance program with a comprehensive set of tools and resources, including tips and checklists, pre-configured templates, and your first domain free.

Resources include:

  • eBook: CNIL Cookie Compliance: What Has Changed?
  • Whitepaper: CNIL Recommendations: Practical & Legal Guide
  • Checklist: Cookies & CNIL: Guidelines and Setup Checklist
  • Step-by-Step implementation guides
  • 24/7 support with both implementation and ongoing maintenance

Watch our webinar to learn more.

You Might Also Like

White Paper

Italian Garante Cookie Guidelines: What You Need...

View Resource

Italian Garante: Guidelines & Setup Checklist

View Resource

Types of Cookies and Other Tracking Technologies

View Resource
Webinar | 45 minutes

Going Mobile (App): How to Enhance Privacy...

View Resource
Onetrust All Rights Reserved