The CNIL Countdown: Enforcement of French Cookie Guidelines

On October 1st, the French Data Protection Authority (CNIL) published a final version of its practical Recommendations on using cookies and other trackers in compliance with the ePrivacy Directive and the General Data Protection Regulation (GDPR). The purpose is to allow online advertisers and consumers more insight and control over cookies and other tracking technologies. The recommendations lay out realistic guidance and examples to help companies comply with the French requirements.  

The guidelines explicitly state companies have until this coming March 31st, 2021 to comply with these revised guidelines. Read this blog to learn more about the CNIL enforcement of cookies and tracking technologies, requirements your organization needs to meet and how CookiePro can help! 

Enforceable Guidelines and Recommendations 

The countdown of CNIL enforcement and applicable cookie guidelines is approaching soon. Essentially, the previous recommendations from October 2020 highlight the obligations of data controllers when using cookies and other tracking technologies. Most importantly, disclosing the way a user’s consent should be collected and the information that must be provided to them. Review the updates in our blog post here. 

As a reminder, the scope of the CNIL enforcement relates to cookies that have been placed on the computer of users residing in France. Actions can be taken against companies that have dropped cookies in the context of their activities and have an establishment in the French territory. 

During the CNIL countdown, it’s important to note sanctions can still be imposed on companies found to have breached applicable regulations – even if that company has since taken corrective measures. However, this is only likely if the alleged breach is material in scope during a sufficient time period since the guidelines have been in force.  

Interestingly, the CNIL enforcement is very clear on where the power of their actions come from. Any sanction decisions are not just from the application of the GDPR, or even the recent CNIL guidelines – but on the basis of the e-Privacy Directive. Because the French guidelines are inspired by the e-Privacy regulation, they do not have wait for its application to start regulating the use of cookies and other tracking technologies. This approach is shared and observed by other regulators in Europe as well. 

Enforcement Actions 

Over the past few months, the CNIL has announced considerable penalties against major organizations. In fact, these decisions are the largest that have been imposed by the CNIL since its entry into the General Data Protection Regulation (GDPR). The message is clear – their enforcement knows no boundaries and applies to all companies regardless of nationality or industry. The President of CNIL has expressed several times that the regulation would not hesitate to fine international companies, despite website hosting location. 

Criteria of Penalties 

The basis and explanation of CNIL penalties relies on three main criteria: 

1. Scope of Alleged Breach. Requirements relating to the use of cookies, the user’s information and consent. 

2. Scale of Impact. Regarding the reach of the websites and large-scale effect in France (in some cases, up to 50 million people). 

3. Benefits of Alleged Breach. When the benefits from the alleged breaches derive profits that resulted from the use of advertising cookies. 

Additionally, the CNIL investigates the range of the concerned entities, particularly the audience and share of French online market. A previous sanction decision involved a French market share over 90%. 

Prior Consent is at the Core 

Cookie compliance and consent is fundamental to CNIL’s three decisions, similar to the GDPR approach.  

As stated in the previous guidelines, the CNIL clearly states cookies that are not necessary for the performance of services, like advertising cookies, must not be dropped on a user without prior consent. Websites are required to obtain a prior positive action by the user which demonstrates that the user’s consent was validly given. Similarly, the CNIL rejects placing cookies simultaneously upon entering the website as valid consent.  

In general, the 6-month CNIL enforcement countdown gives websites the opportunity to comply and ensure they receive active and informed consent prior to the use of cookies and other tracking technologies that store and/or access information on a user’s device. 

Information is Key 

In addition to consent, the CNIL states that as a result of users being previously and clearly informed of cookies being dropped on their devices, there must be a means available to them to refuse those cookies. It’s important to be thoroughly descriptive about the purposes of cookies being dropped as well as the information and means available regarding the user’s right to refuse the cookies. 

While some guidelines can be subjective, such as the level of sufficient information, it’s advised that the most cautious approach involves reviewing the CNIL guidelines and then build upon it. Even better, a cookie consent tool like CookiePro comes with pre-built templates for compliance and support from experts. 

How CookiePro Helps 

Cookie compliance is a matter of urgency for any organization that covers the French market. It must be taken seriously when considering the possible cross border penalties involved. Companies must be fully aware of the CNIL requirements when applying advertising cookies and other trackers on users with regards to consent and data collection.  

This is why CookiePro has introduced the CNIL Cookie Banner Fast Track Program. Get ahead of the March 31st, 2021 enforcement deadline with same-day support and resources to help implement cookie banners in line with CNIL’s guidance. Avoid facing the increased enforcement actions! 

CookiePro’s CNIL Cookie Banner Fast Track Program includes: 

• Step-by-step implementation guides with a range of resources detailing CNIL best practices 
• Pre-configured cookie banner and preference center templates 
• CookiePro Autoblocking and third-party tag manager systems integrations 
• 24/7 support with both implementation and ongoing maintenance to keep your compliance on the fast track. 

Best of all – get started today with your first month FREE with the enterprise edition using code: CNILCOOKIES.