The CNIL (the French data protection authority) was the first EU Supervisory Authority to address cookie compliance with data privacy law.
In 2020, the CNIL published several sets of guidelines and recommendations to give precise guidance on the requirements of the GDPR and French Data Protection Act (“Loi Informatique et Libertés”) implementing the ePrivacy Directive, in the context of the use of cookies and other tracking technologies, with a compliance deadline of April 2021.
To the extent cookies have an advertising purpose, key requirements are:
- Freely given, informed, specific and unambiguous consent is required from users before cookies are dropped. More specifically, users must be clearly informed of (i) the purposes of the cookies, (ii) the consequences of accepting or refusing them and (iii) the identity of all stakeholders processing data deriving from the cookies. In addition, consent must be given by users through a clear positive act, such as clicking “Accept all cookies” on the cookie banner.
- Refusing cookies should be as easy as accepting them. The CNIL recommends “Accept all cookies” and “Refuse all cookies” buttons at the first level of information in the same format in the cookie banner.
- Users should be able to withdraw their consent easily and at any time.
- User choice is to be stored for a limited period of time, a 6-month period being considered by the CNIL as good practice. During that period, both consent and refusal must be stored, so as to avoid asking users for fresh consent each time they visit.
- Stakeholders operating tracking systems must be able to provide proof of consent at any time.
Does the digital advertising industry in France still need to worry about the CNIL?
Applied to the digital advertising (adtech) sector, these obligations result in a chain of liability, from advertisers to publishers dropping third-party cookies (i.e. cookies created by domains other than the one the user is visiting). User consent has to be obtained for the purpose of depositing advertising cookies and for data processing in relation to marketing activities, including display of targeted advertising or data sharing with third parties.
The Transparency and Consent Framework (TCF) developed by IAB Europe was set up to offer an industry-led solution to consent issues in digital advertising. It provides a 'TC String' which allows a record to be kept of user preferences for targeted advertising that can be passed on to other players in the Real Time Bidding (RTB) ecosystem. However, the difficulties resulting from the strict implementation of the CNIL guidelines, coupled with ongoing issues around whether or not the TCF is GDPR-compliant, are now pushing some stakeholders to consider cookieless tracking solutions.
An alternative favoured by some publishers is using a cookie wall, which they argue means they do not require consent. The lawfulness of this approach in France has been recognised by the CNIL provided that:
- cookie walls are limited to purposes for which fair consideration for the service is expected. Should fair consideration for the service derive from agreement to targeted advertising, consent only needs to be collected for that specific purpose in order to allow access to the service
- users are offered a fair alternative to access the service if they choose to refuse cookies, including in exchange for consideration
- if financial consideration is proposed, it must be reasonable
- no cookies are deposited on user devices once users have refused the cookies and accepted the proposed alternative, except for cookies which do not legally require consent, or with valid consent which is required to access content hosted on a third-party site.
It is worth noting that the CNIL is currently conducting a consultation on the mobile app ecosystem in relation to other types of trackers such as SDKs. Further CNIL guidelines are expected, particularly as the CNIL has identified the use of tracking technologies in mobile apps as one of its top enforcement priorities in 2023.
The noose therefore seems to be tightening around digital advertising stakeholders in France. Since 2021, the CNIL has carried out numerous compliance checks on publishers in relation to GDPR and ePrivacy requirements applicable to the use of cookies, and has fined several publishers for breaching such requirements, including those attached to the use of advertising cookies and trackers (e.g. €60 million for Microsoft and €8 million for Apple among the most recent decisions to date). Several players in the digital advertising ecosystem are now under direct threat.
A complaint was filed in November 2018 by Privacy International against, among others, three adtech companies (Criteo, Quantcast and Tapad) for alleged breaches of data protection principles (transparency, fairness, lawfulness, purpose limitation, data minimisation and accuracy), and lack of legal basis, including for processing sensitive data.
The investigation opened in 2020 by the CNIL against Criteo is ongoing. While the decision is expected in the coming months, Criteo stated in an August 2022 press release that, despite the various GDPR violations highlighted in the report of the CNIL’s investigator, it found “the merits of this report to be fundamentally flawed, and the proposed sanctions [including a €60 million fine] to be incommensurate with the alleged non-compliant actions”.
The CNIL is seen as particularly focused on the issue of cookies used by the digital advertising sector compared with other EU regulators, and as taking a stricter line than some. As technical and industry solutions develop, however, the digital advertising industry in France will have a wider range of solutions.