Who: The CNIL
When: 23 May 2017
Law stated as at: June 2017
Advertisers have long been on the radar of the French data protection watchdog (the CNIL) when it comes to assessing the legal compliance of placing advertising cookies (and other tracers) on their websites. However, in order to better identify the responsibilities of each of the players involved in the online advertising chain, the CNIL announced on 27 July 2016 that its controls would be extended to third party issuers of advertising cookies.
The CNIL therefore covered thirteen issuers of third-party cookies established in France and in the United States, and it was subsequently able to identify 2 separate scenarios:
Scenario 1: A website editor places cookies on its own website, or allows a third party to place cookies on its website, for the purpose of processing personal data solely for its own purpose.
In accordance with Article 3 of the French Loi 78-17 of 6 January 1978 (the French Data Protection Law), the CNIL stated that when a website editor determines the means and the purpose of the data collected by third party cookies or by its own cookies, that website editor is considered a data controller in this context. It must therefore assume all of the obligations deriving from the French Data Protection Law, in particular its Article 32-II, i.e., it must ensure that prior, express consent from internet users is obtained prior to processing users’ data, as well as providing users with a free way to oppose the placing of the relevant cookies on their device.
Within this scenario, if the website editor uses third party cookies (and not its own), then in accordance with Article 35 of the French Data Protection Law, the third party could be considered a data processor, as it processes “personal data for and in accordance with the website editor’s instructions”. In this case, a data controller-processor agreement between the website editor and the third party cookies’ issuer must clearly prohibit such third party from processing (whether it is for its own purpose or for the purpose of another party) any data collected through those cookies placed on the website.
The CNIL further specified that this scenario would, in particular, be relevant to the following actors within the advertising chain:
- E-commerce websites on which advertising intermediaries (“Régies”) or agencies place advertising cookies for re-targeting purposes (that is, sending a targeted advertisement to users having visited the advertiser’s website at least once);
- Website publishers using audience measurement and / or analysis tools (powered by cookies), whether these are developed internally or by third parties; and
- Website publishers using cookies to measure the profitability of the advertising space that they make available (thereby maximizing these locations, ensuring billing, and so on).
Scenario 2: Personal Data collected by third-party cookies are processed by the party placing the cookies on the website and not by the website editor itself.
Unlike the first scenario, the website editor here does not control how and for which purposes the data collected on its website through the cookies shall be processed. However, the website editor deals with “direct” third parties who will later place cookies on devices of users having visited its website. These “direct” third parties will then be able to deal with other third parties with whom the website editor has no direct link.
The third-party cookie issuer here controls the purpose of the processing of the collected data, whether the data is used for its own account or to sell analysis or profiling services to customers and partners.
In practice, this situation targets third-party cookie issuers which place cookies on various websites, not only for each relevant website owned by website editors, but for the end purpose of growing a database which they will later use, especially with navigation data.
This may include:
- An advertising “Régie” tracking Internet users on various websites in order to establish their online profile or for the purpose of “grouping” them in specific market segments which can later be used / sold to other third parties;
- A real-time auction platform selling to advertisers the right to post an advertisement on a web page;
- Third parties acting on behalf of advertisers (such as those managing Demand Side Platforms) bidding on advertising space and using the information associated with these spaces to fine-tune their targeting. Indeed, according to the CNIL, while doing this, some of these actors retrieve navigation information related to the cookie on which they bid, but without returning this information to the advertiser on whose behalf they acted.
The CNIL therefore considered that in accordance with Article 32-II of the French Data Protection Law, third-party cookie issuers must be considered as data controllers and as such, they must comply with all obligations imposed by the Law.
By contrast, website editors which authorise the placing of cookies shall be considered as data processors acting on behalf and on the instructions of the third-party cookie issuer. The relationship between such data processors and the cookie issuer must also be contractually framed, particularly in order to ensure that prior, specific and clear consent from users visiting the relevant website has been obtained, and that users have a free and easy way to oppose the placing of such cookies.
Why this matters:
For the vast majority of websites, the two scenarios given above apply simultaneously. Therefore, the CNIL indicated that whether one party will be considered data controller or data processor will be assessed on a case-by-case basis, and depending on the type and origin of cookies. In the event that the same cookie is used by two different data controllers to process the data (i.e. the website editor and the third party issuer), liability for compliance with data protection legislation shall be attributed to each controller who must inform and obtain the appropriate users’ consents to collect the data in respect of which they are data controllers.
The CNIL considers that in all cases, when an internet user visits a website which triggers cookies, then the editor of such website shall be the sole party capable of providing information with respect to the cookies placed on users’ devices. In practice, whether website editors are acting as data controllers (scenario 1) or data processors (scenario 2), they shall be responsible for ensuring that they have brought to the users’ attention appropriate information with respect to the types of cookies placed and information about how users can oppose the placing of such cookies. However, in scenario 2, provided that the website editor has brought to the user’s attention that third party cookies are placed on its website, then such third party shall be solely liable if this information is incomplete or erroneous.
This may however be reconsidered by the European Commission in the light of the publication of the draft European regulation on privacy in electronic communications (replacing the current Directive 2002/58/EC of 12 July 2002 on “privacy and electronic communications” which currently deals with cookies and tracers) by the European Parliament on 10 January 2017.