In less than a month, the French data protection authority (CNIL) rendered three major decisions1 impacting worldwide internet service providers following online controls and investigations performed on the companies' websites. In a nutshell, the decisions highlight the data controllers' obligations when using cookies and other trackers, notably regarding the way the user's consent is collected, and the level of information that must be provided to users. Companies have an interest to closely watch and adapt their cookie compliance through the monitoring of the specific French requirements. The CNIL recently announced it would grant a period of six months to implement the new CNIL guidelines; i.e., data controllers are required to comply with the new guidelines by the beginning of April 2021. The time left until then should be actively used.

Cookie compliance is therefore a matter of urgency for any online businesses covering the French market and must be taken seriously considering the cross-border penalties involved. Companies applying advertising cookies and other trackers should be fully aware of these practical recommendations when implementing their consent mechanisms and drafting the wording used to inform users, ensuring to keep evidence of consent collection etc.

The penalties attached to these decisions are the largest ever imposed by the CNIL since the entry into force of the General Data Protection Regulation (GDPR). With these decisions, the CNIL is displaying its enforcement capabilities to companies all over the world, regardless of their location or sector of activity.

A shift in the CNIL's approach from prevention towards enforcement

The three decisions are consistent with the new doctrine developed by the CNIL since 2019. The CNIL showed its willingness to use its fining power to sanction practices related to the collection and use of personal data for advertising purposes,2 if it considers this in breach of applicable regulations. The shift in approach by the CNIL means that, if the alleged breach is considered material (bearing in mind that there has been a sufficient period of time to ensure compliance since the applicable requirements entered into force), it may now decide to move straight to sanctions even if the targeted companies have already begun to implement corrective measures.

Cookie compliance has undeniably grown to become one of the CNIL's main concerns with respect to data privacy.

The decisions also reflect a strengthening of the CNIL's position regarding the enforcement of the data protection requirements that already existed prior to the entry into force of the GDPR, and for which the French regulator had already announced on several occasions its willingness to exercise its powers to control and sanction. It is important to note that these decisions, which mainly concern the use of cookies and other trackers by online platforms, were not rendered strictly speaking, on the basis of the GDPR or recent CNIL guidelines, but on the basis of the ePrivacy Directive, as transposed under Article 82 of the French Data Protection Act.3

This also implies that the decisions do not have the effect of applying the ePrivacy Regulation, the adoption of which has been repeatedly postponed since 2018. That said, the different regulations have influenced the CNIL's stringent approach.

In other words, these decisions have to be interpreted as the willingness of the CNIL not to wait for the entry into force of the ePrivacy Regulation to start regulating the use of cookies in France. As it previously announced, the CNIL is now prepared to sanction any alleged failure to comply with existing requirements that it considers already enforceable, including, of course, the strict consent requirements relating to the use of cookies and other trackers. It should also be noted that this approach is being monitored by other regulators in Europe.

Jurisdiction of the CNIL

As a reminder of the applicable rules on jurisdiction, the CNIL outlined its territorial and material competence to rule on alleged breaches relating to cookies placed on the computers of users residing in France. Here, the companies in question have deposited cookies in the context of their activities and have an establishment in the French territory. This explains the jurisdiction of the CNIL in pronouncing a sanction against such companies. By asserting its territorial jurisdiction, the CNIL reasserts that all website owners may be concerned by control and sanction procedures ordered by the French regulator, if they offer services to French users. This approach is in line with the position recently adopted by the president of the CNIL, who indicated in several statements that the CNIL would no longer hesitate to fine multinational companies, no matter where their websites are hosted.

Explanation of the penalties

The CNIL relies on three main criteria in the explanation of the penalties:

(i) the scope of the alleged breach, which in some cases concerned several fundamental requirements related to the use of cookies, i.e., the user's information and consent;

(ii) the wide reach of the websites and the large scale impact in France (up to 50 million people in some cases); and

(iii) the benefits derived from the alleged breaches that are based on the profits resulting from the use of advertising cookies.

It should be noted that the CNIL also examined in detail the extent of the concerned platforms, in terms of audience and share of the French online market (in one of the sanction decisions, the French market share was over 90 per cent).

A 'refresher' on the requirement for prior consent: advertising cookies are at the heart of the CNIL's attention

Consent is at the core of the three decisions, in line with a GDPR inspired approach.

First, the CNIL firmly insisted on the fact that cookies that are not necessary to the performance of the services, such as cookies for advertising purposes, can in no case be dropped without the prior consent of the user. In other words, such cookies require a prior positive action of the user; i.e., the user's informed consent shall be validly given. On that basis, the CNIL found that placing cookies simultaneously upon entering the website should be incompatible with the concept of prior consent. The CNIL also considers it impermissible to continue to store a specific category of cookies for advertising purposes on the user's computer, even if user has previously deactivated the personalisation of advertisements through a positive action mechanism made available to the user.

As a result, the concept of active consent should be understood as a positive and clear action, i.e. by clicking on a button, which excludes silence or inaction. In that respect, the CNIL puts an end to the uncertainties that may have existed previously for French data controllers on the question of the user's silence. The position held by the CNIL in these decisions is also in line with the recent consent standards set forth by the CNIL, which also follow the guidelines of the UK and the German data protection authorities: active and informed consent is required prior to the use of cookies or any technology storing or accessing information on the user's device. This approach can also be found in the new CNIL guidelines, whilst the CNIL has given the actors a period of six months to comply.

A thorough analysis of the information to be provided to data subjects

In addition to focusing on consent, the CNIL performed a case-by-case analysis of the information provided to users regarding cookies and available opt-out mechanisms.

The CNIL observed that French users should be previously and clearly informed as to the deposit of cookies on their computers and, consequently, as to the purposes of such cookies and the means made available for refusing them.

As a consequence, the CNIL considers that an information banner displayed at the foot of the webpage, offering a reminder of the rules of confidentiality but not providing any information relating to the cookies that had already been dropped on their computers, was not valid. The CNIL also has paid particular attention to the level of description of the purposes of the cookies placed, and the information related to the user's right to refuse the cookies, as well as of the mechanism made available to them for this purpose.

Finally, it should be noted that the information must be reiterated in the event of a link directing the user to another website: therefore, the cookie choices implemented on the first website cannot be transferred on the second website, without any information delivered to the users.

As a result, in practice, and although the decisions do not expressly refer to these guidelines, given the reasoned analysis carried out by the CNIL in order to determine whether the level of information provided is sufficient, the most cautious approach would be to carefully review the most recent CNIL guidelines and to build on that basis.

Next steps: what might companies expect next?

A major take-away of these decisions is that, pending the entry into force of the ePrivacy Regulation, the French data protection authority appears to be precursory in that matter. There should be more to come in the coming months on this topic, due to the public consultation implemented in February 2020 and the forthcoming publication of the CNIL's recommendations. More than ever, the timer is on for data controllers to adjust their compliance path, and prepare for the CNIL's April 2021 deadline.


1 CNIL Decision No. SAN 2020-013 of 7 December 2020 regarding Amazon Europe Core; CNIL Decision No. SAN 2020-012 of 7 December 2020 regarding Google LLC and Google Ireland Limited; CNIL Decisions No. SAN 2020-0008 of 18 November 2020 regarding Carrefour France and No. SAN 2020-0009 of 18 November 2020 regarding Carrefour Banque.

2 CNIL Decision No. SAN-2019-001 of 21 January 2019.

3 Loi Informatique et Libertés (Law No. 78-17), as amended.

Originally Published by Reed Smith, December 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.