The French Data Protection Authority (CNIL) recently announced it would begin inspections in the fall of 2014 of on-site and remote locations to confirm the compliance of cookies with the European Union's (EU) data protection directives. The announcement is the result of a CNIL recommendation made on December 5, 2013, concerning cookies and other types of "traceurs" used by websites to collect and store personal user information.
CNIL was created in 1978 as an independent oversight authority in response to public controversy surrounding the use of new technology to create a centralized database of personal information of French citizens. The organization is responsible for insuring information technology remains in the service of citizens, and does not jeopardize human rights, privacy, or individual or public liberties. These inspections are aligned with one of CNIL's five missions: to verify the compliance of networks operating in France and its territories in accordance with French and EU data protection laws.
CNIL is not alone in its endeavors, it is part of a system of 28 other EU data protection authorities known as the "Working Party (WP) 29". The legislation followed by these authorities, known as the ePrivacy Directive, stems from Directive 2009/136/EC, and defines the parameters for which cookies require user consent before used on a website, and which ones are exempt.
Companies doing business in France, and the EU in general, are subject to applicable directives, and thus subject to related sanctions for violations. For example, CNIL levied a €150,000 sanction against Google in January 2014 for violations of the French Data Protection Act, which was upheld by the French High Administrative Court in February. More recently, approximately 11,000 European citizens filed a class-action lawsuit against Facebook for violations of the EU data use and privacy policies.
The announcement of impending audits is noteworthy because it is part of an EU-wide initiative occurring September 15-19, 2014, known as "cookie-sweep day," where other data protection authorities will also inspect and monitor cookie compliance with EU directives.
Exempt cookies tend to be those that are used only to carry out the transmission of the website, or are necessary in order to provide a service to the user, such as authentication cookies for log-in.
Other exempt cookies may use information for limited durations, such as the duration of the session on that particular page.
Those cookies that require consent are usually related to transactions that target or measure audiences, or collect personal data through sharing functions, for instance, those employed by social networking sites.
User consent must be obtained in an informed, specific, and freely-given manner, and a user must be able to accept or reject the cookies as he or she prefers.