Three rules from recent French cookie decisions
Now let’s look at some of France’s most recent cookie-related decisions, all adopted since mid-December 2022, to see what practices lead the CNIL to sanction companies.
Three clear rules emerge from these decisions:
- Get consent
- Get consent properly
- Be transparent
Rule number 1: Get consent
Microsoft received a €60 million fine on 19 December 2022 due to its cookie consent practices on the Bing search engine.
The CNIL noted that the company pushed two cookies onto its users without requesting consent at all. One of these cookies was for advertising purposes, and the other cookie reportedly had “multiple purposes”, including “the fight against advertising fraud”.
A similar issue arose regarding a €3 million fine against games company Voodoo, issued on 29 December 2022.
The CNIL found that Voodoo was setting Apple’s ID for Vendors (IDFV) on users’ devices even after they had refused consent for tracking via the iOS “App Tracking Transparency” (ATT) pop-up.
A reminder: It’s not only marketing and most analytics cookies that require consent under EU law—it’s any cookies that are not classed as “essential” or “strictly necessary” under the ePrivacy Directive.
Rule number 2: Get consent properly
On several occasions, the CNIL has sanctioned companies for making it harder to refuse consent than to accept consent.
One example is the aforementioned Microsoft decision. The regulator found that where Microsoft was asking for Bing users’ consent, the company was not doing so fairly.
“Two clicks were needed to refuse all cookies, while only one was needed to accept them,” the regulator noted in its press release about the fine.
Under the ePrivacy Directive (implemented under France’s Data Protection Law), “consent” means “GDPR standard consent”. That means consent must be freely given, specific, informed, unambiguous and provided via a “clear, affirmative action”.
In the cookie context, this partly means providing two equally accessible options to “accept” or “refuse” cookies. Don’t hide the “refuse” option.
Rule number 3: Be transparent
In addition to getting GDPR-standard consent for non-essential cookies, you must provide GDPR-standard information about what those cookies are for.
In the CNIL’s recent TikTok decision, the regulator notes that users “were not informed in a sufficiently precise manner” of the reason that TikTok wanted to set cookies on its users’ devices.
TikTok reportedly failed to make information about its cookies sufficiently clear—either on the cookie consent window itself or the “settings” menu accessible from the window.
EU law requires website and app operators to provide transparent information about the cookies they use. This means providing some concise information on the cookie consent mechanism itself, and then more detailed information in a privacy or cookies notice.
Users must be told about the names and purposes of specific cookies used on a website or app, together with information about the length of time cookies persist on the user’s device and any third parties with whom their data might be shared.