The French Council of State affirmed the EUR 25,000 fine imposed by the CNIL on Editions Croque Futur (challenges.fr) for non-compliance with French data protection law, and in particular cookie requirements.

The facts go back to 2014-2015, when the French data protection authority (the CNIL) found that the French company Editions Croque Futur, publisher of the website challenges.fr, was infringing several provisions of the data protection law. Three months after an unsuccessful formal notice, the president of the CNIL initiated a sanction procedure before the restricted committee (formation restreinte), which imposed a EUR 25,000 administrative fine on the infringer on May 18, 2017 (prior to the GDPR’s entry into application). The sanction has not been made public.

Editions Croque Futur challenged this sanction in front of the French Council of State (Conseil d’Etat), the highest administrative court in France, which issued its ruling last June 6.

The judges of the Council of State dismissed the appeal, affirming all four of the CNIL’s grounds for sanction. This decision is particularly interesting because most of these infringements are often seen on websites:

  1. Violation of the information obligation

French law requires a short-form information notice to be placed on personal data collection forms (e.g., a registration form), specifying the identity of the data controller, the purposes of the processing, whether or not it is mandatory to provide the data, and the data subjects’ rights. In this case, the short-form information notice used by Editions Croque Futur was incomplete in that it only detailed the data subjects’ rights.

  2. Violation of the information and consent obligations with respect to cookies

The website challenges.fr used different types of cookies including advertising cookies, which the company considered to be “necessary for the economic viability of the website” and therefore exempted from the consent requirement.

Indeed, under French law, cookies can be lawfully deployed only if the subscriber/user has expressly consented after having been informed of the purposes of the cookies and the means of refusing them. However, such requirements do not apply:

  • to cookies the sole purpose of which is to allow or facilitate electronic communication by a user, or
  • if the cookie is strictly necessary to provide online communication services specifically requested by the user.

However, the Council of State rejected this argument, considering that the fact that such cookies were necessary for the economic viability of the website does not mean they were “strictly necessary for the provision of the service”, which is the true test to benefit from the exemption.

The judges then considered that the information provided to the users of the website lacked transparency: it allowed them neither to clearly distinguish the different categories of cookies used on the website, nor to object only to those cookies subject to their prior consent, nor even to know the consequences for their browsing experience if they objected to such cookies.

The Council of State thus affirmed the CNIL’s decision that Internet browser settings were not a valid means of controlling cookies in this case.

This decision is in line with the CNIL’s doctrine, which has always considered that browser settings may express the user’s consent only if:

  • The user has been able to modify his/her browser settings to accept or refuse cookies; and
  • He/she has been informed, prior to the installation of the cookies, of their purposes and the means of refusing them.

However, as underlined by the CNIL, browser settings are currently not sophisticated enough to manage tracking technologies other than HTTP cookies. Therefore, such browser settings are not a valid means of consent when the website uses other technologies such as invisible pixels, flash cookies or fingerprinting technologies.

  3. Violation of the obligation to set a limited retention period

The website challenges.fr used both first-party cookies (i.e., cookies set by the website visited, here challenges.fr) and third-party cookies (i.e., cookies set by a domain other than that of the website being visited by the user). The issue was that third-party cookies were installed for an unlimited period of time, whereas the CNIL recommends that the period of validity of the users’ consent to the setting of cookies on their device be limited to 13 months (this period is based on the need, according to the CNIL, to make sure that users have not changed their mind over time, in case they forgot they had consented to the setting of cookies).

Although third-party cookies are, by definition, controlled by third parties, which means that those third parties remain the “data controllers” of such cookies, the CNIL also considers that the publisher of a website authorizing third parties to set cookies on its website must also be considered a “data controller” in respect of these third-party cookies. Therefore, even if the publisher would not be subject to all the traditional obligations imposed on data controllers (as the actual control of the cookies would be held by the third parties), it would still be responsible for ensuring that third parties do not set cookies on its website that do not comply with the French cookie requirements.

In this case, Editions Croque Futur did not provide any evidence that it had taken any measures with respect to its partners to make sure they complied with the law, which is why the CNIL found it was in violation of the law.

This requirement may have a substantial impact on website publishers, which generally do not take any measures to check third parties’ compliance with their obligations when they implement cookies on their website.

  4. Violation of the obligation to cooperate with the CNIL

Editions Croque Futur never responded to the CNIL’s formal notice (despite a reminder letter), which constitutes a violation of the obligation to cooperate with the CNIL, under which a company must communicate to the authority all the information necessary to demonstrate that it has remedied the situation.

On this basis, the Council of State affirmed the CNIL’s decision, considering that the sanction was proportionate in view of the nature, severity and persistence of the violations.

* * *

This decision is particularly interesting in that it clarifies that browser settings are not always a valid means of consent to cookies, while many cookie policies out there still refer to such browser settings as the only way to control cookies.

With the entry into application of the GDPR last month, the criteria for valid consent have been reinforced, and we can see that businesses are implementing more developed cookie management tools on their websites.

Indeed, several websites have been updated to revise the traditional language saying that “by continuing browsing our website, you consent to the use of cookies”, as this probably does not satisfy the condition that consent must be “unambiguous” to be valid, and to replace it with more straightforward and clear language such as “I accept”.

The Article 29 Working Party (WP29) has taken this position in its recent guidelines on consent, which provide that “Controllers should design consent mechanisms in ways that are clear to data subjects. Controllers must avoid ambiguity and must ensure that the action by which consent is given can be distinguished from other actions. Therefore, merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation”. And the WP29 continues with an instructive example: “Scrolling down or swiping through a website will not satisfy the requirement of a clear and affirmative action. This is because the alert that continuing to scroll will constitute consent may be difficult to distinguish and/or may be missed when a data subject is quickly scrolling through large amounts of text and such an action is not sufficiently unambiguous”.

So while continuing to browse was considered acceptable in the past (see for example the WP29’s 2013 guidelines on obtaining cookie consent), things are evolving… and will certainly evolve further in the near future with the EU’s upcoming ePrivacy Regulation, due towards the end of 2018 or early 2019, which will replace the outdated ePrivacy Directive from 2002.