A stricter regime for profiling07 June 2016
CNIL: Cookie Sweep in September and Audits in October
The CNIL's 3 January 2014 €150,000 fine against Google was levied in part because the relevant cookies were set at the same time as the banner was presented to the Internet user. To be in compliance with the CNIL's recommendations, the cookies can only be set after consent has been obtained, either by an explicit acceptance click or by the user's decision to navigate further on the same site notwithstanding the banner.
Functional cookies and web analytics cookies are not covered by the prior consent rule. However, even for these cookies, users must be given clear and user-friendly information, including information on how to opt-out of those cookies.
One important aspect of the CNIL recommendation that web publishers cannot force Internet users into an all-or-nothing consent choice. Under the CNIL's approach, Internet users must have the ability to block advertising cookies and still be able to use the relevant service. Even a free web service cannot make acceptance of advertising cookies a condition to using the service. For some free services, this requirement could disrupt the economic deal between publishers and users, i.e., that services are available free precisely because publishers can sell targeted advertising via cookies.
The CNIL will verify that users can withdraw their consent at any time, and that cookies and consents have a duration limited to 13 month maximum. For the CNIL, both web publishers and third party advertising networks are jointly liable for insuring that the cookie rules are complied with. The CNIL has published an application that users can download in order to verify web cookies are set on a user's terminal.
The CNIL's recommendations are in line with the expectations of all of the other EU data protection authorities, so in practice the September deadline to get cookie compliance in order applies across all European websites.
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...06 June 2016
Grounds for processing03 June 2016