French data protection regulator warns 20 websites on cookie use

The websites do not give users enough information about cookies and other tracking devices placed in their browsers, and do not seek proper consent, CNIL said (link in French).

Cookies are small text files, stored on internet users' computers, which record those internet users' online activity. Website operators often use cookies to record user behaviour for the purpose of analytics or to deliver personalised content to those individuals, whilst advertisers also use cookies to deliver targeted ads based on users' prior interactions online.

Under European legislation users must be informed of, and must give consent to, cookies that are to be stored on their computers.

CNIL published its own recommendations on the use of cookies in December 2013, and then carried out checks a year later to see if the rules were being complied with, it said. These included 24 on-the-spot checks, 27 online checks and two interviews.

"These audits found that, in general, websites do not sufficiently inform internet users, and do not gain their consent before installing cookies," CNIL said.

While they may add a banner informing users, sites often do not wait for consent, CNIL said.

Some sites also tell users to adjust their browser settings if they do not want cookies, but this is "not considered a valid method [of preventing the use of cookies] except in rare situations," the regulator said.

The 'notice' given is not a sanction, CNIL said, and no action will be taken if the sites comply with the law within a set time limit. It has not said what the time limit is.

"The initial response from the websites concerned shows willingness to comply," CNIL said.

CNIL's approach has always been to encourage companies to follow the rules rather than to punish those who don't, said Paris-based Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com.

"CNIL tends to use notices like this, along with other communications like its annual report, to explain the guidelines and how it can help companies to comply. In reality, these companies have had a lot of warning and opportunities to make sure their sites are compliant," Richard said.

The regulator is unlikely to impose sanctions on these companies unless they choose to completely ignore its notices, Richard said.

"Some may decide to just ignore it – some may say that they're not subject to this sort of French regulation, or that they don't have the resources to comply. But with new EU regulations due, they will save more time and money by engaging with CNIL than by ignoring it," she said.

The EU's rules on cookies are due to be reviewed by the European Commission this year as part of the digital single market strategy.

The Privacy and Electronic Communications (e-Privacy) Directive was last reformed in 2009 and resulted in major changes to the way website operators display information about cookies and obtain internet users' consent to their use.

CNIL is likely to adopt similar rules to the EU, Richard said, so companies who follow its guidelines now will find it easier to make sure they are in line with regulations. 

The notices given to the 20 websites do not cover the use of cookies for audience measurement, which is exempt from the rules on collection of consent. CNIL is looking into this area further, it said.

CNIL noted that the rules on cookies apply not just to website owners, but to all organisations in the sector including advertising agencies.