< Back

Share |

Using cookies in France

France operates a strict legal regime in relation to the use cookies. This regime was strengthened by the Telecom Package legislation introduced in August 2011, which reinforced the data controller's obligation to inform and obtain the Internet user's consent prior to using cookies.

April 2012

The law extends to cookies which do not comprise of any personal data. Generally, before a cookie is used the data controller must clearly and fully inform (in simple and precise terms) the user about what the cookie is being used for, whether this be in relation to: (i) access to information already stored in the user's device; and/or (ii) insertion of information in the user's device. The data controller must also provide the user with a means to reject the proposed use of cookies. The requirement to provide cookie information does not apply if the user has been previously informed and has provided its consent.

The data controller will only be allowed to use a cookie if the above steps are complied with and the user consents to the proposed use.

Cookies not governed by lawcookies

The provisions above do not apply where the use of cookies is for the sole purpose of enabling or facilitating electronic communication, or is strictly necessary, at the request of the user, to provide an online communication service. Since the introduction of the Telecom Package, the French Data Protection Agency ('CNIL'), the equivalent of the UK's Information Commissioner's Office, has issued helpful guidance as to the cookies not caught by law, the non-exhaustive list includes:

  • cookies used in virtual shopping baskets on an e-commerce website;
  • sessionID cookies enabling actions of the user to be linked where it is necessary to provide the service;
  • cookies where the sole purpose is to secure the service required by the user;
  • cookies enabling registration of the user's language preference or other preferences necessary for the provision of the service;
  • Flash cookies containing elements that are strictly necessary for the use of a media player (audio or video) in relation to the context required by the user.

Although such cookies do not require the data controller to inform the user, the CNIL recommends that it is prudent to provide information on a cookie's use in the data controller's privacy policy

The role of the data controller

The Data ControllerThe data controller is the one who is responsible for informing the user and obtaining their consent in relation to cookies they intend to use. However, the data controller can pass these obligations on to a third party representative, for example, the advertiser in the event of third party advertising or, where the data controller is based outside of France, it may choose to elect a representative in France to discharge its obligations. Despite passing on obligations to a third party, a data controller will be held liable where the third party does not comply with the cookie requirements. It is therefore important that where a data controller subcontracts to a third party or allows a third party to place cookies on its website, a formal agreement should be entered into, which clearly sets out each parties' obligations and, where possible, indemnifies the data controller.

Consent

Consent is considered adequate if it is given freely by the user. Consent must be in relation to a specific cookie with a clear purpose, which the user has been informed of and been given the opportunity to reject.

Below are examples of valid consent processes:

  • a banner on the header of a web page;
  • a 'consent' section superimposed on the website; or
  • a tick box to select before subscribing to an online service.

An example of where a web browser has developed a new mechanism enabling users to express their privacy preferences in relation to cookies can be seen from the Mozilla "do not track" mechanism. A cookie can be used to memorise a user's refusal to receive cookies.

What to avoid

A web browser which accepts any and all cookies without distinguishing between them would not fulfil the data controller's obligations under current law. However, parameterisation of web browsers can be modified in order to allow the user to choose which cookies are accepted and for what purpose. The CNIL has expressed concerns that website parameterisation does not provide the user with clear and complete information about the proposed cookies before consent is given and that the mechanism is hard to implement. Mechanisms like 'pop-ups' should not be used to obtain consent as they are often blocked by web browsers.

Acceptance of a web site's general terms and conditions is not evidence of consent to the use of cookies.

Non-compliance

The CNIL may issue fines of up to €300,000 for failure to comply with the law. In relation to complaints or inspections, the CNIL will take into account the data controller's actions to achieve compliance.

If you have any questions on this article please contact us.

Using cookies in France
Valerie Aumage

Valerie Aumage 


If in the French market, data controllers must be aware of and abide by the more onerous French law concerning the use of cookies.

"The CNIL may issue fines of up to €300,000 for failure to comply with the law. In relation to complaints or inspections, the CNIL will take into account the data controller's actions to achieve compliance."