31.03.2021 the French Data Protection Authority (CNIL) will start to inspect whether websites and apps comply with the provisions applicable to cookies and other trackers.
What will the CNIL be inspecting?
The CNIL will inspect whether sites and apps set cookies or load remote resources (plugins, images, IFrames, scripts, beacons, fonts, stylesheets, media etc) from third parties in the browser of the end user.
Exempt or not exempt from consent?
Then, the CNIL will inspect whether any of the cookies or remote resources are exempt or not exempt from consent.
Under the conditions set out in Article 5(3)’s first sentence of Directive 2002/58 (hereinafter ‘ePD’), it is prohibited to store and/or access information, whether personal data or not, in the terminal equipment of users of electronic communication networks, except when permitted by users’ consent and except when consent as legal basis is exempted from.
Prior consent?
If the CNIL detects cookies or remote resources that are not exempt from consent, the CNIL will identify whether consent is requested and obtained prior to the setting of a cookie or loading of a remote resource.
If a website or app sets a non-consent exempted cookie or loads a remote resource prior to consent, there is a breach of law.
Informed consent?
If a website or app sets a non-consent exempted cookie or loads a remote resource after consent is given, the CNIL may also inspect:
- whether the consent dialogue provided the user with the required information and whether the information was comprehensible.
- whether the consent dialogue provided the user with Accept and Reject buttons and whether the buttons were comprehensible.
- whether the consent dialogue provided the information and buttons in a comprehensible design.
The CNIL will be asking whether the consent dialogue enabled the user to be informed about personal data processing and consent choices so as to enable users to make an informed choice. If this is not the case, then there is a breach of law.
Documented consent?
The CNIL may also inspect whether consent (history) is documented.
Webinar
Signatu has made a webinar about the requirements for the cookie consent dialogue, which is available here (in Norwegian).
How to comply?
With Signatu you can scan your website, and by a one click, generate a cookie policy and a cookie consent banner that is benchmarked against the CNIL cookie consent guideline.
Any questions?
Reach us at: hello@signatu.com
Cartoons by Henriette Dedichen.