Last year, the French Data Protection Authority (CNIL) issued a formal notice against four companies in the ad tech sector, namely Fidzup, Singlespot, Teemo and Vectaury, ordering them to comply with the GDPR (see our previous blog post for further detail on this). The CNIL eventually dropped its investigation against these companies after concluding that they had made sufficient efforts to comply with the GDPR. This was just a prelude to what is to come…
On 28 June 2018, the CNIL issued a statement on its website which says in bold letters that online advertising is a "top priority" for 2019. This leaves little room for doubt. The CNIL is not done with the ad tech business and, on the contrary, is just warming up.
So what exactly should the ad tech sector expect in 2019?
When are the CNIL's new guidelines coming into force?
In the meantime, the CNIL will continue to investigate data subject complaints and to carry out investigations, including to verify whether consent has been obtained and whether other requirements under the GDPR have been complied with (such as informing data subjects, withdrawal of consent and data security measures).
What about the upcoming ePrivacy Regulation (you may ask)? Well sure, the CNIL has not forgotten this important revision to the ePrivacy Directive but nonetheless takes note of the fact that the ePrivacy Regulation (ePR) is currently still being discussed in Brussels and is not expected to come into force in the short term. This is a diplomatic way of saying that the ePR is stuck in the EU legislative procedure and that (amidst the EU elections and the political game currently taking place in Brussels to choose the new heads of the EU institutions) the ePR is unlikely to be adopted before 2020, let alone come into force.
Continued consultation with representatives of the ad tech sector
The CNIL's 2019/2020 action plan also entails further meetings and consultations in 2019 with the different stakeholders in the ad tech sector with a view to adopting a new recommendation on the operational modalities for obtaining valid consent under the GDPR. It is still unclear what the exact form and content of this recommendation will be, but it is expected to help companies operationalize their cookie consent strategies in line with the GDPR. One can only hope that this recommendation will indeed provide practical guidance and examples to companies on how to implement valid cookie consent functionalities. The CNIL hopes to adopt this recommendation and to open it for public consultation at the end of 2019, or no later than the beginning of 2020. The CNIL will then start enforcing this recommendation 6 months after its definitive adoption.