CNIL urges corporations to verify their web sites and apps for cookie compliance

On February 4, 2021, the French Data Protection Agency (“CNIL”) announced (in French) that it had sent letters and emails to around 300 private and public organizations to inform them of the new rules of the Cookie Law and the need to remind websites and apps to check compliance with these rules by March 31, 2021.


On October 1st, 2020, the CNIL published a revised version of its guidelines on cookies and similar technologies (the “Guidelines”), its final recommendations on the practical modalities of obtaining user consent to save or read non-essential cookies and similar technologies on their devices (the “Recommendations”) and a series of questions and answers about the Recommendations. The CNIL decided to allow a transition period of six months to comply with the guidelines (i.e. until March 31, 2021) and announced that after this transition period it would conduct inspections to enforce the guidelines.

Bad cookie practices in the public sector

The CNIL found that the vast majority of public sector websites still do not fully respect the cookie rules set out in the guidelines. The CNIL therefore sent letters and emails to 200 public organizations, reminding them of the need to remedy this situation immediately. In particular, the CNIL drew attention to the following:

  • The cookie banner must indicate the purposes for which cookies are set on users’ devices. General information such as “This website uses cookies” or “Cookies are used to improve the efficiency of the services we offer you” is insufficient.
  • Users must be able to accept or reject cookies with the same ease. If the cookie banner includes an “Accept All” button, web operators must add a “Reject All” button at the same level and in the same format as the “Accept All” button. Alternatively, web operators can give users the option of rejecting cookies by closing the cookie banner. However, this needs to be made clear to users. e.B. by including a link “Continue without accepting” in the cookie banner. The CNIL reminded organizations that the mere presence of the “Accept all” and “Cookie settings” buttons is not enough.

Cookies set by companies without the prior consent of users

The CNIL regularly analyzes the cookie practices of the 1,000 most popular websites in France. Based on the results of their analysis so far, the CNIL has decided to send letters to around 100 operators of the most popular websites in France that set cookies from more than six third-party domains without asking users’ prior consent. The CNIL reminded companies of the need to change their cookie consent interfaces for the use of tracking technologies on their websites or apps, e.g. B. when adding content from external sources such as social media plug-ins.

Analytics cookies

The CNIL also reminded public and private organizations that analytical cookies can be exempted from consent if the cookies are only used to compile anonymous statistics that are strictly necessary for the proper functioning of the service and exclusively for the operator of the website in question or app. In the coming weeks, the CNIL will publish further information on the analytical solutions exempted from consent.

Comments are closed.