Cookies have recently become a hot topic again, following a press release by the French Data Protection Authority (CNIL) on July 11th, 2014, announcing an EU "cookies sweep day" and enforcement actions in France. Here's an update on what has happened and what to expect.
1. EU Cookies Sweep Day: 15 - 19 September
When did the EU "cookies sweep day" take place?
From 15 to 19 September, the Article 29 Working Party ("WP29") conducted a coordinated online audit of the main websites operating in Europe to verify compliance with the EU cookie requirements. The CNIL and other Data Protection Authorities ("DPAs") spent a couple of days assessing the level of compliance on some of the most visited websites.
Did the "cookies sweep day" concern all websites?
Where did the "cookies sweep day" take place?
The EU "cookies sweep day" was an initiative of the WP29, and any DPA could take part in it. Therefore, potentially any website available in the European Union may have been audited.
How many websites were audited?
The WP29 did not release any official number of websites that were audited. However, the CNIL announced that it had audited 100 websites.
What did the DPAs verify?
What is the outcome of the "cookies sweep day"?
The DPAs will share the results of their respective audits with a view to comparing these results among Member States and possibly harmonising their positions with regard to cookies compliance in Europe. Furthermore, it is likely the WP29 will release a public statement about the results of the "cookies sweep day" in the near future.
Is there a risk that non-compliant companies may be sanctioned?
The purpose of the EU "cookies sweep day" was not to conduct enforcement actions. However, the results of the audits may be used by each DPA to enforce compliance with the cookie provisions under national law. Some data protection authorities have already begun enforcing cookie rules in their respective jurisdictions (see our previous blog).
For more information about the EU Cookies Sweep Day, click here.
2. Cookie audits in France: October 2014
In its July 2014 press release, the CNIL also announced that it would audit websites in France to verify compliance with French cookie provisions. Last year, the CNIL issued guidance on how to comply with cookie requirements in France (published in December 2013) and the CNIL now expects companies to be compliant. This enforcement program will enable the CNIL to test its new on-line investigatory powers that came into force following a revision of the French Data Protection Act in March 2014 (see our previous blog). This is in line with the CNIL's inspections plan published earlier this year, which announced at least 200 online inspections.
What will the CNIL verify?
The CNIL will focus its investigation on:
- The types of cookies and other tracking technologies that are used (e.g., HTTP cookies, local shared objects (Flash cookies), fingerprinting, etc.)
- The purposes of the cookies used and whether the owner of the website knows and understands the purposes of all the cookies (including third-party cookies) used on his website.
Furthermore, where prior consent is required, the CNIL will verify:
- The method used to obtain consent from the user
- The quality, accessibility and clarity of the information provided to users
- The possibility to withdraw user consent at any time
- The duration of cookies.
What are the risks for companies?
In France, the CNIL has the power to conduct on-site and on-line inspections that can be followed by administrative sanctions. In particular, the CNIL can issue a public warning or an enforcement notice asking the company to comply within a given period of time. If the company fails to comply with the terms of this notice, the CNIL may then initiate administrative proceedings which ultimately can lead to a fine or an obligation to cease the processing.
What should companies do in advance of this enforcement action?
Cookie compliance is still very much a hot topic in Europe, with different countries amending their laws and DPAs issuing guidance or conducting enforcement actions. Therefore, companies should not wait until they are being investigated to put their house in order. Some basic steps can be taken to make sure you comply with the cookie requirements:
- Audit your websites to find out what types of cookies (or other tracking devices) you use
- Analyse the purposes of the cookies
- Assess the level of intrusiveness of cookies and verify which cookies require prior consent
- Implement an adequate cookie consent mechanism