The CNIL gives notice to several organizations to comply with the legislation on cookies


The deadline for bringing websites and mobile applications into compliance with the rules on trackers ended on March 31, 2021!

Repealing the first recommendation on cookies & digital tracers of July 4, 2019, the CNIL had given companies time to comply through its deliberation of September 17, 2020 adopting a recommendation proposing practical ways to comply when using “cookies and other tracers”.

The six-month compliance period obtained through the deliberations of September 17, 2020 having expired, the CNIL has taken action.

From now on, in the event that a website plans to record cookies on the user’s terminal, it is mandatory to inform the latter beforehand, and that he/she gives his/her consent according to the following terms and conditions resulting from the deliberation of September 17, 2020 adopting a recommendation proposing practical terms and conditions of compliance in the event of recourse to “cookies and other tracers”:

– The Internet user must, upon his or her first connection to the site, be informed of the existence of tracers through a banner and be able to easily express his or her choice to accept and/or refuse the Cookies integrated on the site through a dedicated tab and/or section;

– If Cookies are used for different purposes, each purpose must be explained one after the other, in a clear and legible manner and must be the subject of a consent by the Internet user, which may be expressed by a checkbox or a switch to be activated;

-The user must be clearly informed of the consequences of his refusal to accept the tracking data integrated into the site;

-The user must be informed of the list of third party companies using cookies on the site;

The user must be able to easily change his choices through a dedicated and quickly accessible tab;

The section relating to cookies, if it includes a box “Accept all” must imperatively have a box “Refuse all” at the same level.

The CNIL had announced it, it has done it: the first campaign of online checks of compliance with the legislation on cookies has taken place. This campaign is part of its deliberations of September 17, 2020, which make up its new global strategy.

As a reminder, this strategy has several components that focus on user consent.

For example, continuing to browse a site should no longer be considered a valid expression of consent. Also, the fact of accepting, refusing or even withdrawing consent must be facilitated.

In this respect, the CNIL recommended, for example, that the interface should offer both an “accept all” and a “refuse all” button, or that the user’s refusal should be kept for a certain period of time so that they are not asked again at each new visit.

In addition to these guidelines and recommendations, the actors concerned had to ensure the good compliance of their practices with the RGPD and the ePrivacy Directive.

It is in this context that the CNIL had given a six-month deadline, i.e. until the end of March 2021, for organizations to consolidate their cookie policy.

On May 25, 2021, the CNIL announced that it had issued a formal notice to some twenty organizations whose cookie settings do not allow Internet users to refuse them as easily as to accept them.

Among the notified organizations are international players in the digital economy and several public organizations, which will have one month to comply. After this period, financial penalties could be as high as 2% of their turnover.

The CNIL has already announced that future verification campaigns, followed if necessary by corrective measures, will take place in the coming months. 

UGGC Avocats and its team specialized in personal data are at your disposal for any questions you may have on this subject.

By the IP/IT team of UGGC Avocats