Following on from its guidelines on the rules to be applied to cookies, the French data protection authority (CNIL) drew up on Tuesday (14 September) the results of its second campaign of formal notices sent to companies for non-compliance with the legislation on cookies.
Eighty percent of the companies to which the CNIL sent a formal notice on 29 June have since complied, the data protection watchdog announced.
“To date, 30 organisations have complied, four have requested a delay due to technical or operational constraints and four have not yet responded,” the CNIL said in a statement on Tuesday.
The CNIL had granted a delay to the site publishers involved, which ended on 6 September. The organisations that have not yet taken the appropriate measures to comply risk financial penalties of up to 2% of their turnover.
This is the second wave of checks – and formal notices – carried out by the CNIL. In May, its president already warned some twenty organisations, including some “international players in the digital economy and several public bodies”. All of them have since complied, the CNIL announced a month later.
Last April, the CNIL had announced the end of the compliance period with the new cookie policies for web actors.
These new rules are based on the principle that “the simple continuation of navigation on a site can no longer be considered as a valid expression of the Internet user’s consent” which must be collected by a “clear positive act” – such as the famous “I accept” button that has been appearing for several months now on a banner when you are surfing the web.
The new framework initiated by the CNIL in October 2020 also states that users must be able to be clearly informed of the purposes of the cookies collected before consenting to them. “It must be as easy to withdraw consent as it is to give it,” the deliberation on the adoption of these guidelines last September also states.
These clarifications are an extension of the EU’s General Data Protection Regulation (GDPR), which considers that “consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her”.
Between 2020 and 2021, the supervisory authority adopted almost 70 corrective measures – formal notices or sanctions – for non-compliance with the legislation on cookies. “In 60% of cases, these were organisations whose parent company is located outside France,” it points out on its website.
Furthermore, the CNIL warned that new control campaigns will soon be launched and that they “will continue to target national and international private actors, but also public organisations whose websites generate a lot of traffic”. Particular attention shall also be paid to political party websites, the authority says, in view of the upcoming presidential elections.
[Edited by Luca Bertuzzi/Zoran Radosavljevic]