On July 11, 2014, the French Data Protection Authority (the “CNIL”) announced that, starting in October 2014, it will conduct on-site and remote inspections to verify whether companies are complying with its new guidance on the use of cookies and other technologies. These inspections will take place in connection with the European “cookies sweep day” initiative, which will be launched from September 15 – 19, 2014. During that initiative, each EU data protection authority will review how users are informed of, and consent to the use of, cookies.

In particular, the CNIL indicated that it will examine:

  • The types of cookies used by a given website (i.e., HTTP cookies, flash cookies (local shared objects), fingerprinting techniques);
  • The purposes for the cookies;
  • Whether the web publisher is aware of the purposes of all the cookies placed on, or accessed from, its website (whether they’re first- or third party cookies); and
  • If old or obsolete cookies are on the website.

In cases where the use of cookies requires users’ prior consent, the CNIL also will examine:

  • Whether such cookies are placed or accessed before the user has given his/her consent;
  • How the user provides consent (e.g., by clicking on a button, by continuing to use the website after having read a banner);
  • Whether the consent mechanism is user-friendly and ergonomic;
  • Whether the information provided about cookies is visible and simple;
  • What happens if a user refuses to consent to the use of cookies (e.g., if the only way an e-commerce site allows a user to prevent the use of cookies is if the user blocks all cookies at the browser level, but this prevents the user from making online purchases);
  • Whether users can withdraw their consent at any time; and
  • When cookies have been set to expire.

The CNIL made it clear that it may issue sanctions following these inspections in case of non-compliance with French law. Accordingly, companies that operate French websites should take immediate steps to ensure they are complying with the CNIL’s new cookie guidance.