Reed Smith In-depth

In less than a month, the French data protection authority (CNIL) rendered three major decisions1 impacting worldwide online service providers following online controls and investigations performed on the companies’ websites. In a nutshell, the decisions highlight the obligations of data controllers when using cookies and other trackers, notably regarding the way the user’s consent shall be collected, and the level of information that has to be provided to users. Companies have an interest to closely watch and adapt their cookie compliance through the monitoring of the specific French requirements. The CNIL has recently announced it would grant a period of 6 months to implement the new CNIL guidelines i.e., data controllers are required to comply with these new guidelines by the beginning of April 2021. That time period should be actively used.

Cookie compliance is therefore a matter of urgency for any online business actors covering the French market and must be taken seriously considering the cross border penalties involved. Companies applying advertising cookies and other trackers should be fully aware of these practical recommendations when implementing their consent mechanisms and drafting the information wording aimed at users, ensuring to keep evidence of consent collection etc.

The penalties attached to these decisions are the largest ever imposed by the CNIL since the entry into force of the General Data Protection Regulation (GDPR). With these decisions, the CNIL is displaying its enforcement capabilities to companies all over the world, whatever their nationality and sector of activity.