The French Supervisory Authority has set 31 March 2021 as the end of the “reasonable period” to bring websites and mobile applications into compliance.

Following the adoption and publication of its updated guidelines along with practical recommendations on the use of cookies on 1 October 2020 (see our alert on the subject here), the French Supervisory Authority (CNIL) reaffirmed on 4 February 2021 the need for private and public players to comply with the new obligations regarding cookies and other tracers (together, Cookies; see the CNIL press release of 4 February 2021 (in French)).

To make its action plan on online advertising effective, and with a view to targeting the deficiencies witnessed in both the public and private sectors, the CNIL set a specific deadline for the implementation of its recommendation: 31 March 2021.

The CNIL first addressed more than 200 public stakeholders through awareness-raising letters, notably by email, to remind them of the rules applicable regarding Cookies and to encourage them to comply with these rules prior to the start date.

This reminder to public bodies is also intended to guide all private companies, particularly on the mechanism implemented for collecting users’ information through placement of Cookies on their devices with prior explicit consent. Whether it is a dedicated window or a banner, this mechanism must detail each distinct purpose for which these Cookies are expected to be used, and it cannot consist of mere general information on the existence of these Cookies. Furthermore, according to the CNIL, each user must be able to easily set his or her Cookie preferences, and the consent mechanism must not tend to favor the indiscriminate acceptance of all Cookies, in particular via systems offering users the choice either to click on a “setting” tab or to accept all Cookies (see our previous alert on the rules applicable to Cookies).

In order to increase the effectiveness of this awareness campaign, the CNIL has set up an observatory to periodically analyze the Cookie-dropping practices of the top 1,000 websites in France. This analysis focuses more specifically on the Cookies used on the users’ landing pages.

Based on the results of this analysis, the CNIL notified several French websites with large audiences that were using more than six third-party Cookies on their websites without prior consent.

The K&L Gates data protection team remains available to assist you every step of the way in achieving compliance with the rules applicable to the use of Cookies prior to this 31 March 2021 deadline.

First published on K&L Gates Hub with Clara Schmit & Alexia Montagnon

On 4 July 2019, the French Data Protection Authority (CNIL) published its Guidelines on Cookies and Other Tracking Technologies (the Guidelines, available in French here). The Guidelines further detailed the nature of the interplay between the General Data Protection Regulation (GDPR), which reinforced expectations towards obtaining consent to data processing operations when such consent is required, and the ePrivacy Directive, which more specifically addresses the privacy requirements on cookies and other tracking technologies. Indeed, while the ePrivacy Directive was expected to be updated through an ePrivacy Regulation (latest draft proposal available here) on or before the GDPR's entry into force, it remains under discussion at the European level to this day, and subject to intense lobbying by all stakeholders.

Further to the publication of the Guidelines, several French professional associations in the online marketing, distance selling and online media sectors initiated legal action against the CNIL before the French Administrative Supreme Court (the Conseil d’État), on the grounds that the CNIL acted above and beyond its authority in adopting the Guidelines, notably by (i) generally prohibiting “cookie walls”, (ii) recognizing a right of data subjects to refuse cookies, (iii) requiring the identification of the data controller for the cookies, (iv) mandating exhaustive and up-to-date information for data subjects on the cookies, regardless of their involvement in data processing operations, (v) requiring that the users’ agreement must be expressed by a separate action for each of the distinct purposes brought to their knowledge with a view to the storage of information or access to information already stored in their terminal equipment, and (vi) imposing maximum data retention periods for cookies.