The last day for entities to bring their websites and mobile applications into compliance with the French Data Protection Authority’s (Commission Nationale de l’Informatique et des Libertés, or CNIL) new rules on cookies and other trackers is 31 March 2021. Following the publication of its guidelines and recommendations on 1 October 2020, the CNIL granted entities a six-month window of opportunity to implement these requirements.
CNIL has indicated that formal control activities will be carried out beginning in April 2021 and that it will impose sanctions in cases of noncompliance. CNIL’s seriousness on this issue was demonstrated in December 2020, when it fined Amazon and Google 35 million euros and 100 million euros, respectively, for failure to comply with these obligations.
With this in mind, any businesses that have not yet come into compliance are strongly urged to conduct an audit of cookies and trackers used on their websites and other platforms and to take immediate steps to meet the requirements of the legislation.
Certain cookies — such as functional cookies and some audience-measurement cookies, as described in CNIL’s guidance (including that published on 8 March 2021) — are exempt from user-consent requirements. Cookies that do require consent, such as those used for targeted marketing, must adhere to a specific set of principles establishing what does and does not constitute consent, how consent is indicated, whether and how consent is refused, and disclosure of third-party trackers, among others.
Entities are also reminded that data controllers are also required to comply with the obligations set forth in the EU’s General Data Protection Regulation, particularly with respect to notifications in the event of a data breach.
To learn more about the CNIL’s cookie requirements and GDPR data-breach notification requirements, click here to read the full alert by Corinne Thiérache and Alice Marie of Ally Law member firm Alerion Avocats.