Starting in October 2014, the French Data Protection Authority (the “CNIL”), will monitor compliance with its Recommendation on the use of cookies and tracking technologies

The CNIL’s inspections will follow the “cookies sweep day” which is due to take place from September 15, to September 19, 2014 and during which Data Protection Authorities across the European Union will review how Internet users are notified of the use of cookies, and how their consent to such use is obtained.

The CNIL recently announced that, as from October 2014, it will verify compliance with its Recommendation on cookies and tracking technologies issued on December 5, 2013. Compliance checks will be conducted through on-site and online inspections.

The CNIL may review:

  • The types of cookies used by internet websites (e.g.: HTTP cookies, local shared object, finger printing techniques, etc.);
  • The purpose of the cookies: (i) whether website operators are aware of the purpose of all the cookies that are set or read from their websites (including first-party and third-party cookies), and (ii) whether cookies are set that have no purpose (e.g.: obsolete cookies).

Furthermore, in cases where the cookies’ purpose requires obtaining users’ prior consent, the CNIL will review:

  • How users’ consent is obtained;
  • The visibility, quality and simplicity of the information pertaining to the use of cookies;
  • The consequences of users’ refusal to consent to the use of cookies;
  • The possibility for users to withdraw their consent at any time;
  • Cookies’ lifespan and consent period (the CNIL recommends a maximum validity of 13 months).

The other statutory provisions pertaining to the use of cookies (e.g.: data security, sensitive data, etc.) may be subject to compliance checks as well. Depending on the inspections’ outcome, the CNIL may issue cease and desist letters and sanctions.