Who: The French Commission Nationale de l’Informatique et des Libertés (CNIL)
Where: Paris, France
When: 5 December 2016
Law stated as at: 26 January 2017
What happened: Back in December 2013, the CNIL published a recommendation regardingcookies and other tracing tools, the use of which are subject to end users’ prior information and consent, in accordance with Article 32 of the French Data Protection Act (the DPA, i.e. the French law known as “Loi Informatique et Libertés”).
In this recommendation, the CNIL, amongst other things, specified in particular the categories of cookies which require such prior information and consent, such as cookies linked to targeted advertising operations, certain audience measurement cookies or social networking tracers (i.e. cookies generated by the “share buttons”). The CNIL also indicated the means of obtaining such consent (e.g. most frequently, the user’s consent is obtained by his/her browsing of the website after the appearance of a cookies “pop-up” or a banner).
Further to its recommendation, in autumn 2014 the CNIL began a series of online checks of various websites (including dating, e-commerce, content publishing and classified ads websites), in order to check whether website owners were indeed complying with the provisions of the DPA – and as it soon found out, many of them were not. This led the CNIL, during a meeting held on 9 December 2016, to (1) clarify the liability regime for website owners and other parties in the advertising sector; and (2) grant some extra compliance time to those who committed breaches of the rules regarding advertising cookies and prior consent collection.
“Distributive” responsibility between website editors and other actors of the advertising sector
As the CNIL stated on 9 December 2016, all actors involved in the deposit and reading of cookies, such as website editors, their partners (e.g. social networks) but also other actors of the advertising sector such as advertisers and players in Ad Exchange platforms such as the Supply Side Platform (SSP) or the Demand Side Platform (DMP) are required to comply with the rules regarding advertising cookies.
According to GESTE (a French organisation representing website editors and online platforms), the CNIL acknowledged that website editors could not be held solely responsible for the cookies deposited on its site and that it was in favour of a system of “distributive responsibility” between the different parties involved in cookies, which would mean that “only one party would be liable [on a case-by-case basis] for the cookie “.
However, the obligation to inform the user and to obtain its prior consent to the use of advertising cookies would be the sole responsibility of the website owner, who is the only one directly in contact with the user, and the CNIL published details on how website owners could best comply with the prior information and consent rules.
Additional compliance delay
The CNIL announced an additional 9 months for website owners and other parties within the adverting sector concerned to comply with the above rules. Therefore, up until September 2017, those who have breached or are currently in breach of the rules with respect to prior information and consent of advertising cookies will not be subject to controls or penalties, but such sanctions will be bestowed again from September 2017.
Why this matters:
This may be good news for website owners, as some have complained that obtaining users’ prior consent for advertising cookies: 1) would prevent them from showing certain advertisements leading to a significant loss of revenue; and 2) was not always practicable, since cookies may not be served from their own servers, instead being linked to the activities of third-party partners which are outside of their control.
The CNIL is expected to make a detailed public analysis on these subjects in January 2017. We will be closely monitoring developments in this area.