As mentioned in the introduction to our blog series on ePrivacy Regulation in the EU, the EU Council has reached a compromise agreement on its position on the new ePrivacy Regulation.
However, as we will see below, the French data protection authority (‘the CNIL’) has chosen not to wait for a final version of the ePrivacy Regulation. Instead, this last months, it has intensified its regulatory and enforcement activity by issuing more guidance and clearly taking action against organisations for cookie violations.
CNIL guidance on cookies
Since the 2019 adoption of an action plan on targeted advertising, the CNIL has made the issue of cookies one of its top priorities. After the first version of its guidelines (in French) on cookies and other trackers was partially annulled by the Conseil d’État, the CNIL adjusted the guidelines and issued the updated version (PDF, in French) on 17 September 2019.
That same day, the CNIL also adopted recommendations (PDF, in French) to help organisations comply with the applicable laws when using cookies and other trackers. In particular, the recommendations provide practical ways of obtaining consent and advise on how to properly inform users.
High fines for cookie violations
In parallel, the CNIL started to impose high fines in relation to cookie-rule violations, particularly where there had been a failure to get users’ consent before serving cookies.
This trend will likely continue in light of not only the CNIL’s recent enforcement action but also its February 2021 statement (in French) on compliance with its guidance on cookies and other trackers. The CNIL statement clearly reminded organisations of the applicable rules and urged them to make sure that their websites and apps comply with the new applicable rules by 31 March 2021.
It may still be some time before the ePrivacy Regulation is adopted, as the agreement only allows the Portuguese Presidency to start talks with the European Parliament on the final text, and we do not anticipate that a compromise agreement will be easy or swift.
However, a clear takeaway for organisations in France is that the CNIL is not going to wait for the Regulation before taking enforcement action against non-compliant organisations. If you haven’t started complying with CNIL guidance, you had better start now.
Other post in this series include:
- EU's ePrivacy reforms inch forward (introduction)
- EU’s ePrivacy reforms: a UK perspective
- EU’s ePrivacy reforms: a French perspective
- EU’s ePrivacy reforms: a Belgian perspective
- EU’s ePrivacy reforms: a Russian perspective
- EU’s ePrivacy reforms: a Spanish perspective
- EU’s ePrivacy reforms: an Austrian perspective
- EU’s ePrivacy reforms: a Dutch perspective