The French data protection authority has announced that following the “cookie sweep day” due to take place the week commencing 15 September 2014, it will launch a program of website audits in October to verify compliance with the CNIL’s 5 December 2013 cookie recommendations. The audit will be conducted either through on-site inspections, or through remote electronic inspections. Not all cookies require prior consent by the Internet user under the CNIL’s December recommendations. However, for those cookies that require prior consent (e.g., cookies set by third party advertising networks), the CNIL will verify how consent is obtained. Under the CNIL’s December 2013 recommendation, consent can be obtained either through an explicit click, or through the Internet user’s decision to navigate further within the site notwithstanding the persistent banner informing the user that cookies may be placed on the site.
The CNIL’s 3 January 2014 €150,000 fine against Google was levied in part because the relevant cookies were set at the same time as the banner was presented to the Internet user. To be in compliance with the CNIL’s recommendations, the cookies can only be set after consent has been obtained, either by an explicit acceptance click or by the user’s decision to navigate further on the same site notwithstanding the banner.
Functional cookies and web analytics cookies are not covered by the prior consent rule. However, even for these cookies, users must be given clear and user-friendly information, including information on how to opt-out of those cookies.
One important aspect of the CNIL recommendation that web publishers cannot force Internet users into an all-or-nothing consent choice. Under the CNIL’s approach, Internet users must have the ability to block advertising cookies and still be able to use the relevant service. Even a free web service cannot make acceptance of advertising cookies a condition to using the service. For some free services, this requirement could disrupt the economic deal between publishers and users, i.e., that services are available free precisely because publishers can sell targeted advertising via cookies.
The CNIL will verify that users can withdraw their consent at any time, and that cookies and consents have a duration limited to 13 month maximum. For the CNIL, both web publishers and third party advertising networks are jointly liable for insuring that the cookie rules are complied with. The CNIL has published an application that users can download in order to verify web cookies are set on a user’s terminal.
The CNIL’s recommendations are in line with the expectations of all of the other EU data protection authorities, so in practice the September deadline to get cookie compliance in order applies across all European websites.