Cookies: the French CNIL encourages private and public organizations to audit their websites and mobile applications

A large majority of public sector websites concerned

As part of its support and consulting mission, the CNIL wanted to contact a number of public bodies to encourage them to quickly audit their websites and mobile applications in order to take action, if necessary, and as quickly as possible, to meet the requirements of the regulations.

200 local authorities, ministries and government operators have received awareness-raising letters and emails. The CNIL also relied on certain public sector network heads (Association of French Mayors, Assembly of French Departments, Regions of France, Réseau Déclic, Conference of University Presidents, SupDPO) to ensure wide distribution of this campaign.

Indeed, the CNIL has noted that the vast majority of public sector websites do not fully comply, to date, with the legal provisions relating to cookies.

The CNIL has thus drawn attention to the need to take certain actions as soon as possible:

• The cookies banner, appearing in particular on the home page of a website, must detail the purposes for which these cookies are deposited on users’ devices. Indeed, the mere presence of general information such as “This site uses cookies” or “Cookies are used to improve the efficiency of the services offered to you” is not sufficient.
• The user must be able to accept or refuse cookies with the same degree of simplicity. The CNIL has had the opportunity to recall that the integration of a button “Refuse all” on the same level and in the same format as the button “Accept all” allows to offer a clear and simple choice for the Internet user. It is also possible, for example, to explicitly offer the user the possibility of refusing trackers by closing the cookie banner. On the other hand, the mere presence of a “Set” button in addition to the “Accept all” button tends, in practice, to dissuade refusal and therefore does not make it possible to comply with the requirements set by the RGPD.

Deposition of cookies without prior consent: a hundred or so private actors informed by the CNIL (French Data Protection Authority)

In conjunction with the publication of the guidelines and recommendation concerning the use of cookies and other tracers, the CNIL has set up an observatory. The purpose of this observatory is to periodically analyze the cookie deposition practices of the 1,000 sites with the largest audience in France, by analyzing the cookies deposited on the first page viewed by an Internet user consulting them.

The main results and the methodology applied are available on the website of LINC, the CNIL’s Digital Innovation Laboratory.

On the basis of these results and to make them aware of the risks incurred in the event of non-compliance, the CNIL has decided to send letters to websites with large audiences in France that deposit cookies from more than 6 third-party domains without prior consent. In parallel with its action towards public bodies, the CNIL has also reminded them that the reinforcement of the consent requirements set by the RGPD makes it necessary to develop interfaces for collecting the choices of users of applications or websites using tracking techniques (for example when they integrate content from external sources such as social network buttons).