According to a press statement by the CNIL, it has sent 40 formal notices to organizations including tech platforms, software and hardware companies and those delivering services online regarding cookie compliance. These notices demand that the recipient organizations make changes to their data protection practices surrounding cookies by September 6, 2021, or they may face fines of up to 2% of global turnover.
This latest focus on cookies and tracking technologies from the CNIL is part of a wider trend, and this area of data processing is under siege from a variety of national data protection regulators. The UK's ICO has recommenced its investigation into the Adtech industry, focusing heavily on transparency, risk assessments and data sharing practises – and has begun to exercise its broad powers of "audit" to assess compliance with data protection laws in this space. In addition, the consumer rights group, Brave, has filed complaints with both the ICO and the Irish DPC and a standards body for the digital advertising industry facing civil action in Germany in relation to behavioural advertising and real time bidding related to user tracking and profiling.
Many organizations have been waiting for the new "E-privacy Regulation" to be finalised prior to reviewing their cookie compliance, however, the new regulation continues to move at a glacial pace through the European legislative machine. In the meantime, national data protection authorities are acting under existing legal frameworks. As this is high on the regulatory agenda, organizations who collect AdTech related cookies via their sites and apps are facing an increased risk of enforcement action in this area. Following these compliance notices, organizations should at a bare minimum look at the language and processes used for both consent collection and consent withdrawals and consider whether any changes would reduce their regulatory risk.