March 31, 2021: deadline to comply with the new rules on cookies

As a reminder, the reasonable timeframe granted by the French Data Protection Authority (also knows as the "CNIL") to bring your websites and mobile applications into compliance with the new rules on cookies and other trackers contained in its guidelines and recommendation published on October 1, 2020 expires on March 31, 2021 at night.

Considering this timetable, the CNIL has indicated that formal controls will be carried out as of April 2021 and that it will not hesitate to impose sanctions in case of non-compliance.

Economic players are therefore strongly advised to conduct an audit of the cookies and trackers used in order to, if necessary, take the necessary measures to meet with the requirements of the legislation.

For the record, certain cookies are exempt from the requirement of obtaining consent, such as functional cookies and various audience measurement cookies, if they fulfill the conditions recently recalled by the CNIL on March 8, 2021.

For cookies requiring consent, particularly those used for targeted marketing, the following principles must be followed:

  •  Principle 1: the mere continuation of navigation on a website can no longer be considered a valid expression of user consent.
  •  Principle 2: individuals must consent to the deposit of trackers by a clear positive act (such as clicking on "I agree"). If they do not do so, no tracker that is not essential to the operation of the service may be deposited on their device.
  •  Principle 3: users should be able to withdraw their consent easily and at any time.
  •  Principle 4: refusing cookies should be as easy as accepting them.
  •  Principle 5: data subjects must be clearly informed of the purposes of the trackers before consenting, and of the consequences of accepting or refusing trackers.
  •  Principle 6: data subjects should also be informed of the identity of all actors using trackers (including third-party cookies) that are subject to consent.
  •  Principle 7: entities using trackers must be able to provide, at any time, proof of the valid collection of the freely given, informed, specific and unambiguous consent of the user.

These principles must be strictly complied with by the economic players, as the financial penalties for non-compliance can be particularly heavy.

Thus, on December 7, 2020, the CNIL fined Amazon and Google 35 million and 100 million euros respectively for failing to comply with their obligations to obtain consent and provide information prior to the deposit of advertising cookies. Despite an appeal filed by Google before the Council of State, the latter validated the legality of the CNIL's decision on March 4, 2021 hence reinforcing its sanctioning power.

Notification of a personal data breach

The fire at OVH's Strasbourg data center on March 10, 2021 and its potential consequences on personal data (loss, damage) are an opportunity to remind the obligations set by the General Data Protection Regulation (GDPR) in this kind of situation, which requires data controllers, among other obligations, to:

  •  notify without undue delay and, where feasible, not later than 72 hours after having become aware of it, the personal data breach likely to result in a risk to the rights and freedoms of natural persons to the CNIL (Article 33) and, when the risk is high, directly to the data subjects concerned (Article 34),
  •  document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

As for the processor, it shall notify the controller without undue delay after becoming aware of a personal data breach.

The situation will therefore differ according to the role of each party in the processing of personal data (controller, processor or joint controller). For instance, contracts with processors generally contain provisions on incident and personal data management that address this issue in practice.

When breaches of the GDPR or the law are brought to its attention, the CNIL's restricted committee may:

  • issue a reprimand;
  • enforce the processing to comply, including under penalty;
  • temporarily or permanently restrict a processing operation;
  • suspend data flows;
  • issue an order to comply with requests to exercise the rights of individuals, including under penalty;
  • impose an administrative fine.

In case of non-compliance with the obligation to notify, the CNIL's restricted committee may impose administrative fines on the controller and/or processor up to 10 million euros or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Originally Published 22 March 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.