One of the best New Year's resolutions that a website publisher could take -and hold- for 2021 is, without a doubt, to comply with the latest cookies' recommendations of the French Data Protection Supervisory Authority (the “CNIL”).
Indeed, on December 7, 2020, the CNIL fined Google 100 million euros and Amazon 35 million euros for having placed advertising cookies on users' computers, without obtaining prior consent and providing adequate information.
These sanctions, which followed several investigations from December 2019 to May 2020, are not surprising as “cookie compliance” was already among the 3 propriety themes announced by the CNIL in 2020.
This event, widely covered by the media, has the merit of reminding all digital players of the importance the CNIL attaches to advertising cookie compliance.
What lessons can we draw from this?
Lesson 1: The CNIL is working even under lockdown
Since 2014, the French Data Protection Authority can carry out online non-adversarial controls. CNIL agents remotely check the website of the data controller or processor from their premises.
In this context, the main points of attention are website security, lawfulness of data processing, compliance with data subjects' information and, of course, cookies.
At the end of this control, agents send a formal report to the data controller or processor who may afterwards submit observations.
Lesson 2: Website publishers can no longer afford to ignore cookie rules
Section 82 of the French Data Protection Act (“Loi informatique et libertés”) transposes into French law Article 5.3 of the European Directive 2002/58/EC on privacy and electronic communications.
This section provides in particular for the obligation, with some exceptions, to collect prior consent of internet users before any read and write operation of cookies and other tracers.
The CNIL has gradually adapted its doctrine, in particular through a 2013 recommendation and two post-GDPR decisions dated September 17, 2020.
We will not address regulations applicable to cookies that facilitate browsing, which are exempt from consent, to focus on advertising “tracking” cookies.
- These cookies are subject to a prior information obligation, via a cookie banner and a cookie policy. Their processing purposes must be clearly indicated in the banner, and any vague working is prohibited by the CNIL.
This is precisely what was held against Amazon. According to the CNIL, the information banner displayed on the Amazon.fr website was general and approximate as to the purposes of the cookies and did not explain to the user that he or she could refuse such cookies and how to do it: “By using this website, you accept our use of cookies allowing to offer and improve our services. Read More.”
The banner is the first level of information for the user, which should enable him or her to understand the issues involved in placing cookies and the means of accepting or refusing them.
This banner must be completed by a second level of information in the cookie policy.
- Also, the website publisher must collect unambiguous and express consent of the user, via a clear positive action of the user (as “OK” or “Settings”). Moreover, silence is not consent: further browsing means the user refuses to be targeted by ads. Thus, Google and Amazon were punished for automatically placing cookies, in disregard of the user's agreement.
Therefore, it is up to the data controller to demonstrate the consent of the internet user, who must also be able to withdraw it at any time (“opposition mechanism”).
Thus, in the Google case, when a user used the available mechanism, one of the advertising cookies was still stored and active on his or her computer.
Lesson 3: The CNIL can sanction companies located outside of France
The CNIL can investigate and sanction foreign companies when they target French user residents.
Also, Section 3 of the French Data Protection Act provides that
“I. - Without prejudice, with regard to processing falling within the scope of Regulation (EU) 2016/679 of 27 April 2016, of the criteria provided for in Article 3 of this Regulation, all provisions of this Act apply to the processing of personal data carried out in the context of the activities of an establishment of a data controller or a processor on French territory, whether or not the processing takes place in France.
II- The national rules adopted on the basis of the provisions of the same regulation referring to national law to adapt or supplement the rights and obligations provided for by this regulation apply whenever the data subject resides in France, including when the data controller is not established in France".
Here, the CNIL justifies its jurisdiction by emphasizing that the use of cookies is carried out “as part of the activities” of Amazon France and Google France - the “establishments” located in France of Amazon Europe Core and Google LLC/Google Ireland Ltd.
The solution could be different if the “one-stop-shop mechanism” of the Articles 56 and 60 of the GDPR was applied. In this case, this mechanism did not apply insofar as the operations fell within the scope of the “ePrivacy” Directive transposed in Section 82 of the French Data Protection.
By imposing particularly high fines to the GAFAM, the CNIL is sending a strong signal to all digital players when it has just finalized its recommendations on cookies and other tracers.
As a reminder, the GDPR provides for a financial penalty of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.