1. What is the context?

As described in more details in our previous post, the French supervisory authority (“CNIL”) has published on October 2020 a revised version of its guidelines (“Revised Guidelines”) and the final version of its recommendations on the practical procedures for collecting consent concerning cookies and other trackers (“Recommendations”). As a reminder, the Revised Guidelines provide the CNIL’s guidance on how to read the relevant provisions of the French Data Protection Act, which governs the use of cookies and other trackers in France, and the Recommendations provide practical guidance and examples to help professionals navigate the rules applicable to cookies and other trackers and comply with the requirements of Article 82 of the French Data Protection Act.

In order to enable stakeholders to implement the necessary measures to comply with the Revised Guidelines, the CNIL announced in October 2020 a transition period during which the authority stated that it will not enforce the new obligations regarding cookies and other trackers resulting from the Revised Guidelines (i.e., additional data subject information, end of implicit consent, obligation to enable users to refuse cookies “as easily” as it is to consent – i.e., the “refuse all” button, obligation to retain evidence of users’ choices) and Recommendations.

This transition period will end on March 31, 2021.

  1. Why should organizations fear an enforcement campaign by the CNIL ?

Since October 2020 and during all the transition period, the CNIL has been relentlessly promoting its Revised Guidelines to the public as well as among sectoral organizations and professional associations.

The CNIL has also specifically stated during that transition period that it would begin enforcing the Revised Guidelines from April 1st, 2021.

The CNIL has most notably :

  • been actively enforcing the pre-existing rules regarding the use of cookies and trackers in France and has issued three multi-million sanctions against GAFAM companies for failure to comply with rules pertaining to prior information and consent. When publishing these sanctions, the CNIL has reminded the public that it would begin enforcing the Revised Guidelines on April 1st, 2021 ;
  • carried-out a public “fair warning” campaign with warning notices to public and private organizations which it found to be in breach of the rules applicable to the use of cookies and trackers in France (see here) ;
  • announced that compliance of websites with the rules applicable to cookies and other trackers is part of its three main focuses in the context of its investigations program for 2021, along with websites cybersecurity and health data (see here). As the CNIL has used for years the possibility to carry out investigations online, there is a high risk that an organization website be investigated by the CNIL, in particular if the site targets consumers ; and
  • published several communications on its website (cnil.fr) in order to guide organizations in their path to compliance with the Revised Guidelines. Most notably, the authority has specified the criteria it deems necessary to benefit from the consent exemption applicable to audience measurement trackers under Article 82 of the French Data Protection Act and launched a program enabling audience measurement solutions providers to assess whether their solutions could benefit from the exemption (see here).

In light of the above, it has become urgent for organizations that have not yet started measures to comply with the Revised Guidelines or which have not finalized their compliance measures, to take all the measures necessary to comply with the Revised Guidelines, as it makes no doubt that the CNIL will launch a massive control campaign regarding the Revised Guidelines and will show little leniency for non-compliances.