Refusing cookies should be as easy as accepting them: the CNIL continues its action and issues new orders
Since May 2021, the CNIL issued orders to around sixty players that do not make refusing cookies as easily as accepting them. The CNIL has continued its investigations, following which the chair has issued some thirty new orders for non-compliance.
The CNIL is continuing its global strategy to ensure compliance by actors using cookies. Since May 2021, the CNIL chair has issued around sixty orders to comply. Online investigations to identify possible breaches in relation to cookies are continuing and have revealed that a number of organisations still do not allow Internet users to refuse cookies as easily as to accept them.
As a result, the CNIL chair has decided to send new orders to around thirty organizations concerned. To date, the CNIL has issued orders to nearly 90 players on this subject.
This new series of measures can be explained by the persistence of many bad practices in terms of cookies. The recent investigations carried out by the CNIL have shown that:
- cookies subject to consent were automatically deposited on the user's terminal before acceptance by the user, upon arrival on the site;
- information banners are still not compliant because they do not allow the user to refuse the deposit of cookies as easily as to accept it;
- information banners offer the user a means of refusing cookies as easily as accepting them, but the proposed mechanism is not effective because cookies subject to consent are still deposited after the refusal expressed by the user.
The thirty or so orders concern private, national and international organisations as well as public bodies with practices that breaches the legislation on cookies. They have one month to comply.
Those affected by these orders include:
- public institutions;
- higher education;
- companies in the clothing sector;
- companies in the transport sector;
- a company in the retail sector;
- a company in the distance selling sector.
This new campaign supplements the procedures reviewed by the CNIL's restricted committee, the body responsible for issuing sanctions, which can result in fines of up to 2% of annual worldwide turnover.
The CNIL's investigation is a long-term one. Other verification campaigns and corrective measures will be carried out to ensure that the privacy of French Internet users is respected. The aim is to ensure the effectiveness of the work initiated by the CNIL two years ago, which notably assumed concrete form, on 1erOctober 2020, with the adoption of the guidelines and a recommendation.