On October 1, 2020, the CNIL published a revised version of its guidelines on cookies and similar technologies (the “Guidelines”), its final recommendations on acceptable methods for obtaining users’ consent to store or read non-essential cookies and similar technologies on their devices (the “Recommendations”), and a set of FAQs regarding the Recommendations. The CNIL provided a six-month transition period for businesses to comply with the Guidelines (i.e., until March 31, 2021), and has been focused on enforcing its Guidelines and Recommendations.
CNIL’s Decisions and Sanctions
According to the CNIL, the companies’ cookie notices and consent practices affect the freedom of the website users’ consent, as they influence users’ choice in favor of consent.
The CNIL asserted that it drew its authority to investigate the companies’ cookie practices from the e-Privacy Directive, which is transposed into national law by each EU Member State (i.e., in Article 82 of the French Data Protection Act). Accordingly, the CNIL asserted that the cooperation and so-called “one-stop-shop” mechanisms set forth in the EU General Data Protection Regulation (“GDPR”) did not apply, and that the CNIL had the power to enforce the French Data Protection Act and its related cookie Guidelines and Recommendations irrespective of the location of the companies’ main establishment under the GDPR.
In response, Facebook argued that the allegedly infringed cookie consent rule stems from the CNIL’s Guidelines and Recommendations and is not specifically mentioned in the e-Privacy Directive. Instead, Facebook argued the cookie consent rule relates to the application of the GDPR’s consent requirements, and the GDPR’s one-stop-shop mechanism therefore should apply. In practice, this would have resulted in the CNIL having no authority to sanction Facebook, as Facebook’s main establishment is located in Ireland. As mentioned above, the CNIL rejected Facebook’s argument and responded that its rules on cookies (and its related Guidelines and Recommendations) stem from the e-Privacy Directive, which is implemented at the national level and does not provide for a one-stop-shop mechanism. Additionally, the CNIL highlighted that the rules of the e-Privacy Directive prevail as lex specialis over the GDPR (i.e., where two laws govern the same factual situation, a law governing a specific subject matter overrides a law governing only general matters). According to the CNIL, the fact that the GDPR consent requirements must be applied when collecting consent in the context of the e-Privacy Directive does not result in the application of the GDPR and its one-stop-shop mechanism in these cases.
Read the CNIL’s press release on the two fines in English.