The E-privacy Directive (2002/58/EC) has been implemented into the French legal framework by Ordinance 2011-1012 of 24 August 2011. Under the new legislation, electronic communication service providers (ECSPs) are under an obligation to notify data security breaches. This provision applies to all companies that process personal data as part of electronic communication services provided through a public network. ISPs and Telecom Operators are, for example, specifically targeted.

ECSPs are under an obligation to inform the Data Protection Authority (Commission Nationale de l’Informatique et des Libertés, CNIL) immediately of any breaches of data security. Noncompliance with these provisions is punishable by up to five years of imprisonment and a €300,000 fine.

Other obligations include the need to obtain express consent for the use of cookies. According to the CNIL, in order to comply with relevant legal requirements, users’ consent should be specific and have defined purposes.

The CNIL’s position is that browser settings accepting any cookie without distinction as to their purposes shall not be regarded as express consent.