Impending sweep day to verify compliance with guidelines on cookies
During the week of September 15–19, 2014, France’s privacy regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), is organizing a “cookies sweep day” to examine compliance with its guidelines on cookies and other online trackers.
Starting in October 2014, the CNIL will also be conducting onsite and remote inspections to verify compliance with its guidelines on cookies.
Depending on the findings of the sweep and inspections, the CNIL may issue warnings or financial sanctions to non-compliant websites and applications.
Investigations gaining momentum
France is not the only country stepping up its data privacy efforts. Data protection authorities across the European Union will conduct parallel sweeps at the same time as the CNIL's September 2014 sweep. The purpose of the coordinated action is to compare practices on the information websites give to internet users and the methods used to obtain their consent for cookies.
Nor is this the first time such a sweep has been organized in France. In May 2013, the CNIL joined 19 counterparts worldwide in an audit of the 2,180 most visited websites and applications. In that operation, known as “Internet Sweep Day”, the CNIL examined the compliance of 250 frequently visited websites and found that 99 percent of websites visited by French internet users collect personal information. Of those that provided information on their data privacy policy, a considerable number did not render it easily accessible, clearly articulated or even written in French.
Compliance made simpler through CNIL guidelines
EU Directive 2002/58 on Privacy and Electronic Communications imposes an obligation to obtain prior consent before placing or accessing cookies and similar technologies on web users’ devices, an obligation incorporated into French law by Article 32-II of the French Data Protection Act.
Not all cookies require prior consent by internet users. Exempt are cookies used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” and those that are “strictly necessary for the provision of an information service explicitly requested by the subscriber or user.”
For those cookies that require prior consent, the CNIL will verify how consent is obtained. Under the CNIL guidelines, consent may be obtained either through an actual click or by the user’s further navigation within the site notwithstanding a continuing banner informing him or her of the website’s use of cookies.
Website owners can rely on tools made available by the CNIL to ensure their compliance with the cookie requirements. In particular, a set of guidelines released by the CNIL in December 2013 explains how to obtain consent for the use of cookies and other online trackers in compliance with EU and French data protection requirements.
Under the CNIL guidelines, owners of websites may not force internet users to accept cookies. Instead, users must be able to block advertising cookies and still use the relevant service. Internet users can withdraw their consent at any time, and cookies have a lifespan limited to 13 months, after which consent must be sought again.
This blog post was authored with assistance from May El Khoury, a third-year student at Boston College Law School.