France's CNIL Issues Update on Cookie Compliance Enforcement Actions

September 28, 2021 - Jeff Edwards

Back in July, France’s Data Protection Authority (DPA), the CNIL, issued formal notices to forty organizations it said had failed to follow the GDPR’s cookie compliance guidelines. The non-compliant parties had until September 6th to comply.

Now, two months later, the CNIL has issued an update on the status of their compliance notices. The DPA announced that 30 of the 40 organizations have made themselves compliant, while another four have requested a delay due to “technical or operational constraints. Another four organizations have not yet responded to the CNIL’s notice.

In their statement, the CNIL said that the requests for time extensions are currently being considered for approval, and will only be granted if they are “duly justified.” Organizations that haven’t responded to the CNIL’s notice will face penalties of up to 2% of annual turnover.

New Enforcement Actions Will Target Public Sector and Political Parties

The CNIL also announced that new compliance control campaigns are in process. These upcoming enforcement actions will target French and international private companies, but will also target public sector organizations with websites that generate significant traffic. The CNIL also said that “particular attention” will be given to websites of political parties, due to the upcoming French presidential election in 2022.  Between 2020 and 2021, the CNIL has issued approximately 70 corrective measures, including formal notices and sanctions, against organizations that do not comply with the GDPR’s legislation on cookies.

Enforcement Actions Will Continue to Focus on Cookie Compliance and Preference Enforcement

The CNIL explicitly said that forthcoming enforcement actions will continue to focus on cookie compliance, primarily the requirement to make refusing cookies as simple as accepting them, but also on the “effective compliance with this choice,” i.e. the ability to enforce the consumer’s consent preferences.

The CNIL’s previously released guidance on cookie compliance gives clear instructions for handling user consent for cookies and other tracking technologies. The CNIL’s guidance says that:

  • Soft opt-in, or implied consent, is not a valid expression of the user's consent.
  • Users can only consent to tracking through a clear positive act (such as clicking on "I accept" in a cookie banner).
  • Default opt-in is not allowed for any cookie or tracker that is not essential to the operation of the service. Tracking cookies must be opted out upon loading the page and may only be fired with the express consent of the user.
  • Users must be able to withdraw their consent easily and at any time with an option available for them to do so.
  • Refusing cookies should be as easy as accepting them.
  • Users must be clearly informed of the purposes of the cookies before consenting, as well as the consequences of opting in or out.
  • Users must be informed of the identity of all actors using tracking subject to consent.
  • The organizations operating cookies and other tracking must be able to provide, at any time, proof of the valid collection of the free, informed, specific and unambiguous consent of the user.

 Any website or application that targets French visitors must comply with the CNIL’s requirements.

Ensighten Offers True Cookie Compliance and Enforcement

Ensighten Consent Management solution can help you build a fully compliant website and simplify compliance with the GDPR, CCPA, LGPD, and many more laws and frameworks.

With Ensighten Consent Management Plus (CMP+), you can set up customizable consent banners for and give your customers a clear-cut choice on how their data is used, or whether it is collected at all.

And unlike most consent management platforms, Ensighten CMP+ has actual enforcement capabilities, on the client-side, without requiring integrations with third parties. So user preferences are applied instantaneously, and no cookies or tracking measures can be fired before consent is given.

You can also use Ensighten to perform a full audit of your website—up to 5000 pages—so you can understand which cookies and tracking technologies are in use and identify potential security or compliance issues.

Request a demo today to see how Ensighten can help your organization stay compliant with evolving regulations worldwide.

Jeff Edwards

Jeff Edwards

Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.

Learn more about Ensighten and our solution

Online skimming blog

Learn why third-party components on your website could be leaving you vulnerable to online skimming attacks

Read Now

Web skimming webinar

Learn more about how online skimming attacks happen and how you can protect against them

Watch Now

Online demo

See the Ensighten solution in action to learn how we can help protect your website against online skimming

Book Now