July.26.2021
The French data protection authority, La Commission nationale de l’informatique et des libertés ("CNIL"), one of Europe's ("EU") most active data protection regulators, has continued to focus on the lawfulness of the use of cookies to collect and process personal data. The CNIL has made clear that cookie compliance is one of its enforcement priorities, as well as the security of websites and the security of health data.
According to a press statement by the CNIL, it has sent 40 formal notices to organizations including tech platforms, software and hardware companies and those delivering services online regarding cookie compliance. These notices demand that the recipient organizations make changes to their data protection practices surrounding cookies by September 6, 2021, or they may face fines of up to 2% of global turnover.
The CNIL's notices focused on allegations that these organizations failed to allow individuals to easily withdraw consent for use of cookies (and similar tracking technologies). Although the primary governing legislation for cookies is the e-privacy directive 2002/58/EC, the General Data Protection Regulation (GDPR) UK GDPR set the standards for obtaining and withdrawing consent as a lawful basis for the processing of personal data. Notably, Article 7(3) GDPR/ UK GDPR states: "It shall be as easy to withdraw as to give consent". The CNIL alleges that these organizations' cookie collection practices do not comply with this provision of the GDPR and, instead, have created an asymmetric system which means consent is easy to achieve from the data subject but withdrawal of consent by the data subject is not easy to achieve.
This is not the first time the CNIL has taken enforcement action regarding the use of cookies. This batch of 40 notices follows hot on the heels of the 25 similar letters sent by the CNIL in May. The decision to issue formal notices is likely to be more than "sabre rattling", and organizations should be particularly concerned about the risk of enforcement action by the CNIL. The CNIL has repeatedly demonstrated a willingness to act unilaterally – despite the GDPR's "one stop shop" system - and enforce against organizations headquartered in other EU countries. Notably, the CNIL has already fined both Amazon (EUR €35million) and Google (EUR €100million) for their cookie collection practises. In addition to the fine, the CNIL demanded that Amazon make changes to its user facing disclosures regarding cookie collection within 100 days of the fine being issued or face an additional daily fine of EUR €100,000 for every day of non-compliance. On July 21, 2021, Amazon announced that it made the changes demanded by CNIL but has not yet publicly responded to the latest formal notice. Organisations in receipt of these formal notices from the CNIL are wise to respond cautiously given the real risk of regulatory action.
This latest focus on cookies and tracking technologies from the CNIL is part of a wider trend, and this area of data processing is under siege from a variety of national data protection regulators. The UK's ICO has recommenced its investigation into the Adtech industry, focusing heavily on transparency, risk assessments and data sharing practises – and has begun to exercise its broad powers of "audit" to assess compliance with data protection laws in this space. In addition, the consumer rights group, Brave, has filed complaints with both the ICO and the Irish DPC and a standards body for the digital advertising industry facing civil action in Germany in relation to behavioural advertising and real time bidding related to user tracking and profiling.
Many organizations have been waiting for the new "E-privacy Regulation" to be finalised prior to reviewing their cookie compliance, however, the new regulation continues to move at a glacial pace through the European legislative machine. In the meantime, national data protection authorities are acting under existing legal frameworks. As this is high on the regulatory agenda, organizations who collect AdTech related cookies via their sites and apps are facing an increased risk of enforcement action in this area. Following these compliance notices, organizations should at a bare minimum look at the language and processes used for both consent collection and consent withdrawals and consider whether any changes would reduce their regulatory risk.