On July 11, the French data protection authority, CNIL, announced that, following a mid-September “cookie sweep,” it will begin conducting audits in October to assess compliance with European Union and French rules requiring websites to obtain consent before installing or reading cookies. These rules include the 2009 EU e-Privacy Directive, France’s Law on Data Processing, Data Files and Individual Liberties, and several guidelines on cookies issued by the CNIL. Any company (European or otherwise) that collects personal information about European citizens through cookies or other tracking mechanisms may be targeted by the audit.
CNIL will examine the type and purpose of cookies and determine whether website operators understand the purpose of all cookies, whether they are third-party cookies or internal to the website. For cookies that require prior user consent, CNIL will also examine how websites obtain consent, the visibility, quality, and simplicity of the information provided to users about the cookies, the ability to retract consent to cookies, and the duration of cookies. CNIL will also examine the consequences of not consenting to a website’s cookie.
According to CNIL’s announcement, noncompliance with the laws could result in a warning or fine.