Cookies are one of the French Data Protection Authority’s (CNIL) current priorities.
On 15 May 2023 the CNIL published an analysis on the effects of its general guidance on cookies and other tracking devices in the past few years.
The CNIL then published on 23 May 2023 its long-awaited 2022 annual report, which states (among other things) that, although obligations relating to cookies are now fairly widely respected, the CNIL remains vigilant.
In May and June 2023, the CNIL issued decisions on sanctions for non-compliance with cookies requirements against Doctissimo and KG Com, showing that enforcement is not only focused on big tech companies.
In June 2023, the CNIL heavily sanctioned Criteo, notably for not verifying that its partner websites collected users’ consent for the deposit of a Criteo cookie.
All this shows the importance of compliance with cookies requirements. Below we summarise the key takeaways from the CNIL’s recent publications and from recent CNIL decisions relating to cookies.
CNIL enforcement of cookies requirements
The CNIL notes in its analysis that investigations carried out so far have focused on the most popular websites among French internet users. That being said, many fines imposed by the CNIL do not target big digital companies, as is apparent from its recent decisions.
Indeed, as explained in the CNIL’s 2022 annual report, investigations may result from complaints of data subjects against any company. In this respect, the CNIL states that “the year 2022 was marked by an increase in the number of complaints received on the subject of cookies and other tracers: more than 300 complaints received (an increase of 26% compared to 2021)”.
The CNIL’s interest in ‘new’ cookies practices
As its 2022 annual report outlines, the CNIL currently pays particular attention to the following “new” practices:
- the development by digital players of alternatives to third-party cookies for targeting advertising to circumvent limitations on the deposit of cookies (ie ‘fingerprinting’, ‘Single Sign-On’ and ‘targeting by cohort’);
- the evolution of cookie banner design (notably ‘Dark Patterns’) as well as the effects of this evolution on the rate of user consent – the results of the CNIL workstreams on this were due to be published in the first half of 2023; and
- the development of ‘tracer walls’ (or ‘cookie walls’), which consist of conditioning access to a service on the data subject’s acceptance of the deposit of cookies on a terminal (computer, smartphone etc) – as a reminder, in response to such practices, the CNIL published in May 2022 a list of initial criteria for assessing the lawfulness of this practice.
Key takeaways from recent CNIL decisions
In 2023, four sanctions have been announced so far by the CNIL in relation to cookies:
- a €100,000 fine against Doctissimo (a French website dedicated to health and wellbeing);
- a €30,000 fine against KG COM (a company operating several websites offering customers clairvoyance readings by chat or phone);
- a €5,000 fine against a computer systems and software consulting company, in a decision which also sanctions other GDPR violations (the decision is not public); and
- a €40m fine against Criteo (a company specialising in online advertising), a sanction which also covers other GDPR failures not related to cookies requirements.
In a nutshell, in the above-mentioned decisions, the following ‘cookies’ practices have been sanctioned by the CNIL:
- the deposit of non-essential cookies (eg advertising cookies, cookies intended to combat advertising fraud) or identifiers (eg technical identifiers or identifiers used for advertising purposes) on users’ terminals without their consent (cf. decisions of sanction against Doctissimo and KG Com);
- the deposit of non-essential cookies after the user clicked on a ‘refuse all’ button (cf. decision of sanction against Doctissimo);
- the absence of a cookie banner (cf. decision of sanction against KG Com);
- the set-up of an information banner which does not allow users to refuse the deposit of non-essential cookies as easily as to accept them (cf. decision of sanction against KG Com); and
- the absence of sufficient information on the purposes of the different non-essential cookies.
It is also interesting to note that, across the above-mentioned decisions, the CNIL provided similar analysis on the following points:
- in the decisions against Doctissimo, KG Com and Criteo, the CNIL considered that, although the companies subsequently demonstrated during the procedure that (at least part of) the failures concerned had been remediated, the compliance measures carried out could not exonerate them from past liability;
- in the decision against KG Com, the CNIL pointed out that the deposit of multi-purpose cookies, used for both essential and non-essential purposes in order to avoid using several single-purpose cookies, does not exempt companies from requesting users’ consent when such cookies are used for non-essential purposes; and
- in other decisions, the CNIL recalls that a user’s refusal may be inferred from their silence only on condition that the user has been fully informed of this.
Focus on the Criteo case
Following complaints lodged by the organisations Privacy International and None of Your Business (NOYB), the CNIL carried out several investigations into Criteo in 2020.
During these investigations, it identified several non-compliances with cookies requirements relating to the consent collected by Criteo’s partner websites using the Criteo cookie, a non-essential cookie whose deposit requires the prior consent of users. In particular:
- Criteo cookies were deposited on users’ terminals as soon as they arrived on the website, without their consent;
- users had no opportunity to refuse the Criteo cookies other than through browser settings;
- Criteo cookies were deposited after an express refusal; and
- there was no mechanism for obtaining consent to the deposit of the Criteo cookies.
The CNIL considered that, although collecting consent is the responsibility of the company’s partners (who are in direct contact with internet users), Criteo is joint data controller with its partners for the operations of depositing the Criteo cookie and of the subsequent collection of users’ data. Criteo therefore still has an obligation to verify, and to be able to demonstrate, that internet users gave their consent, based on Article 7, Paragraph 1 of the GDPR, according to which: “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.
The CNIL also noticed that, at the time of the investigations:
(i) Criteo had not put in place any measure to ensure that its partners were validly collecting the consent of internet users;
(ii) contracts concluded with partners did not contain any clause obliging them to provide to Criteo proof of internet users’ consent; and
(iii) Criteo had not undertaken any audit campaign of its partners.
Criteo subsequently remediated these failures after the investigations (notably by conducting audits and inserting clauses obliging partners to provide proof of users’ consent to Criteo on request) and became, according to the CNIL, compliant with Article 7, Paragraph 1 of the GDPR. However, the CNIL still sanctioned Criteo for these failures, as “this compliance, which occurred late, has no effect on the fact that the company has processed the personal data of internet users without being able to demonstrate that they have validly consented to the processing for the purpose of displaying a personalised advertising”.
This confirms the CNIL’s severity with regard to cookies violations and reminds companies of the importance of compliance with applicable cookies requirements.