On June 30, 2015, the French Data Protection Authority, the Commission Nationale de l’Information et des Libertés (“CNIL”), issued notices to 20 websites asking them to comply with the European Union’s Cookie Rules (“Rules”). These letters follow one year after the CNIL conducted a “cookie sweep” of 24 spot checks, 27 online checks, and 2 hearings on the topic. The enforcement notices requested that companies come into compliance with requirements of the Rules within three months, or the company may face a fine of up to €150,000 for a first offence.

The CNIL’s audit, in general, found that websites may have placed a banner informing website users about the use of cookies, but did not obtain the consent of the user before downloading a cookie onto a browser. Additionally, the CNIL found that the websites in question did not provide a valid mechanism to block or delete cookies. Specifically, the CNIL found that simply informing consumers that they can block cookies is not sufficient to meet the Rule’s requirement to offer an effective and easily used tool to do so.

Finally, the CNIL noted that the Rules apply not only to operators of websites, but to all aspects of the online ecosystem, including advertising agencies. These notices indicate continued attention by European regulators to cookies, and the online advertising industry in general.