CNIL’s Cookie Sweep is Followed by Audits for Compliance

Earlier in September, the French data protection authority (CNIL), as well as its European counterparts, began conducting sweeps in order to assess compliance with European Union and French rules requiring websites to obtain consent before installing or reading cookies. During the so called “EU Cookie Sweep Day,” the CNIL assessed the levels of compliance on approximately 100 of the most visited websites that are targeting French and European customers, operating either within or outside the EU, and that use cookies or other similar technology to collect personal data. CNIL’s focus was mostly compliance on the notice and consent rules of the EU cookie requirements, and more specifically (i) the number and types of cookies stored on the internet user’s computer, (ii) the way the information on cookies is conveyed to the internet users, (iii) the visibility and quality of the information, (iv) the process of obtaining the internet user’s consent and (v) the consequences for a user refusing cookies. CNIL and other European counterparts will share the result of the sweep in the upcoming months. Following “EU Cookie Sweep Day,” CNIL has been conducting additional cookie audits, auditing websites in France to continue to verify compliance with French cookie provisions.

Tip: While the purpose of the “EU Cookie Sweep Day” was not to sanction non-compliant web sites, but rather to enforce compliance with cookie rules under national law, with the ongoing audits, CNIL has the power to conduct on-site and on-line inspections. These inspections can be followed by administrative actions. For companies that have European websites, now is the time to make sure that an appropriate “Cookie Policy” and procedure is in place.