ORIEL would like to share with you information concerning the cookies regulation issued by the CNIL (the French data protection authority), as part of its action plan on online advertising targeting. All companies that communicate via a website are concerned, so don’t hesitate to take a few minutes to read this very relevant article!
The legal framework results from the e-Privacy Directive of 2002, amended in 2009. This text has been transposed into Article 82 of the French Data Protection Act and establishes the principle of prior consent from the user before storing information on his or her terminal or accessing information already stored on it.
The provisions of Article 82 of the Data Protection Act apply to all types of terminal used: computers, smartphones, digital tablets and video game consoles connected to the Internet as well as any other terminal equipment connected to a telecommunications network open to the public.
If you have a website for your company, you are de facto subject to the compliance obligation. This is a real and significant issue, as failure to comply with this regulation can result in very significant fines. For example, non-compliant digital giants such as Google and Amazon have been fined 100 and 35 million euros respectively. But such sanctions are no longer limited to large companies. On 14 June 2021, the company BRICO PRIVE, which specializes in DIY and gardening, was fined €500,000 by the CNIL’s review panel. In fact, any company with a website or mobile application that collects cookies may now be subject to a CNIL inspection and possibly a fine, which may represent 2% of your turnover. It is therefore urgent to comply, especially since the adaptation period granted by the CNIL expired on 31 March 2021. Here we are, more than a year later, and we can already see that a number of websites have updated their cookie banners! Your company is not in that club? Don’t worry! We have prepared this practical sheet on the essential aspects of cookie compliance.
Regarding “cookie walls”, which make the user’s access to the website conditional on his/her consent to the collection of cookies, the French Administrative Supreme Court (“Conseil d’Etat”) stated that they cannot be forbidden in general, and that the assessment of free consent must be made on a case-by-case basis (decision of 19 June 2020). As this court decision raises questions about “free consent”, the CNIL published recommendations. There must be a “real and fair alternative” that allows the user to access the website without having to consent to cookies. The alternative of paying a sum of money is not prohibited, but the price must be reasonable.
The European Data Protection Board published guidelines concerning “Dark patterns” on social networks in March 2022. Some elements apply to any website, in particular regarding cookies. On that subject, the Board considers that humour in the cookie information and consent banner may misinform the Internet user and overshadow the content related to personal data. The example cited concerned a pun with cookies in baking. Information provided to users must be clear, visible, and distinct from other types of content. It is likely that the CNIL will use this analysis as a reference.
In addition, if the data you collect through cookies is intended for a third party, such as a data controller, be sure to inform the user of this.
Afterwards, remember to inform the user of their right to withdraw their consent easily and at any time!
Finally, think about using clear and simple terms that a user without technical or legal knowledge can easily understand.
The consent requirement does not apply to all cookies. Certain types of cookies are exempted from these obligations, in particular those which:
have the sole purpose of enabling or facilitating communication by electronic means; or
are strictly necessary for the provision of an online communication service expressly requested by the user.
It is recommended to provide information about the use of these cookies. Among these uses, the CNIL cites:
Beware: the processing of this personal data remains subject to the GDPR. Therefore, we advise you to check with the developer of your tool that he/she is contractually committed not to re-use the data that has been collected.
You should also be aware of any data transfers outside of the European Union that may be made by your solution-provider. Not all countries outside the European Union have an adequacy decision demonstrating a protection equivalent to that provided by the GDPR. A transfer of personal data must be supervised to guarantee protection of that data.
Finally, make sure that these cookies are only used to produce anonymous statistical data, and that the personal data collected cannot be cross-linked with other processing or transmitted to third parties, as these operations are not necessary for the functioning of the service.