On June 11th, 2014 the French Data Protection Authority (CNIL) announced an upcoming “cookies sweep day”, which aims to verify compliance with the legal requirements for cookies. Last year, the CNIL issued guidance on how to comply with cookie requirements in France (published in December 2013) and the CNIL now expects companies to be compliant. This enforcement action will also enable the CNIL to test its new on-line investigatory powers that came into force following a revision of the French Data Protection Act in March 2014 (see our previous blog).
In Europe, other data protection authorities have already begun enforcing cookie rules, as recently illustrated by the fines imposed by the Spanish DPA earlier this year (see our previous blog).
When will the “cookies sweep day” take place?
The “cookies sweep day” is scheduled to take place between 15 and 19 September 2014.
Who is targeted by the “cookies sweep day”?
Where will the “cookies sweep day” take place?
The CNIL will take part in a “cookies sweep day” at a European level aimed at verifying compliance with the notice and consent requirements. Each data protection authority in Europe will carry out its own compliance program under national law and may potentially conduct enforcement actions on its territory.
What will the CNIL verify?
The CNIL will focus its investigation on:
- The types of cookies and other tracking technologies that are used (e.g., HTTP cookies, local shared objects (Flash cookies), fingerprinting, etc.)
- The purposes of the cookies used and whether the owner of the website knows and understands the purposes of all the cookies (including third party cookies) used on his website.
Furthermore, where prior consent is required, the CNIL will verify:
- The method used to obtain consent from the user
- The quality, accessibility and clarity of the information provided to users
- The possibility to withdraw user consent at any time
- The duration of cookies.
What are the risks for companies?
The risks of not complying with cookie requirements vary from one EU country to another depending on the enforcement/sanction powers of each data protection authority under national law. In France, the CNIL has the power to conduct on-site and on-line inspections that can be followed by administrative sanctions. In particular, the CNIL can issue a public warning or an enforcement notice asking the company to comply within a given period of time. If the company fails to comply with the terms of this notice, the CNIL may then initiate administrative proceedings which ultimately can lead to a fine or an obligation to cease the processing.
What should companies do in advance of this enforcement action?
As explained in our previous blog, cookie compliance is still very much a hot topic in Europe, with different countries amending their laws and DPAs issuing guidance or conducting enforcement actions. Therefore, companies should not wait until they are being investigated to put their house in order. Some basic steps can be taken to make sure you comply with the cookie requirements:
- Audit your websites to find out what types of cookies (or other tracking devices) you use
- Analyse the purposes of the cookies
- Assess the level of intrusiveness of cookies and verify which cookies require prior consent
- Implement an adequate cookie consent mechanism
For more information on the “cookies sweep day”, the CNIL’s press release is available (in French) here.