Half of all audits resulted in the issuance of cease-and-desists.

In the fall of 2014, the French Data Protection Authority (“CNIL”) started auditing compliance with its 2013 cookies recommendations (available at http://www.cnil.fr/documentation/deliberations/deliberation/delib/300/). The CNIL conducted 24 on-site audits and 27 online audits, as well as two hearings of website operators. Twenty-some cease-and-desists were subsequently issued by the CNIL.

According to the so-called “Cookies Directive” (2009/136/EC, transposed via Article 32-II of the French Data Protection Law of 1978), any subscriber or user of electronic communications services must be fully and clearly informed by the data controller or its representative of the purpose of any cookie and of the means available to refuse it. The user’s consent must be collected before any cookies are set.

In 2013 the CNIL consulted industry, a process that culminated in the December 2013 recommendation, which advised notably that home page banners be used to provide information about cookies, and that consent could be inferred if users clicked on another link or visited another page of the website.

According to the CNIL, the recent audits have shown that:

  • Not all websites provide a home page banner;
  • Among sites that provide a banner on their front page, not one waits for user consent before setting cookies;
  • Websites often ask users to modify browser settings in order to refuse cookies, which usually is insufficient, in the CNIL’s view, as a means of refusing cookies.

The CNIL has stressed that websites that comply with its cease-and-desists in a timely manner should not be subject to any penalties.

Finally, the CNIL has reminded actors in the ecosystem that they are all — and not only website operators — responsible for ensuring compliance with the law.