Do you engage in targeted advertising in France through the use of cookies on third party websites? If you do, you will want to know that the CNIL, the French data protection watchdog, has recently announced its intention to extend its monitoring beyond website publishers.
This announcement comes in the wake of a 2011 change in the EU law on “tracers” that signals a move away from the then-prevalent opt-out mechanism, and now requires express prior consent from users (opt-in) before their data is collected.
Under the law, consent shall be given “through a positive action by the person who has been previously informed of the consequences of this choice, and who has the means to exercise this decision.” In addition, users need the ability to withdraw their consent at any time, which means that they should be given an easy way to delete cookies previously set and to block any new incoming cookies.
Many website publishers have expressed concerns with the requirement to obtain prior consent, arguing it would prevent them from showing certain advertisements leading to significant losses of revenue, but also that many of these cookies actually come from 3rd party partners over whose activities they have no control. As a result website publishers claim that they should not bear the full responsibility for applying the rules as they relate to 3rd party cookies.
The CNIL is of the same opinion. In a recommendation from 5 December 2013, the CNIL reaffirmed the EU principle of shared responsibility between website operators and their partners collecting user data via the website operator’s website. Third party cookies providers also fall in the category of data controllers under the law. They determine the purpose for which and the manner in which personal data of website users is collected using these cookies. As such they are equally responsible for complying with EU privacy laws to the same extent as website owners are. Without the user’s prior consent, these third party partners cannot collect and use the user information.
So what does that mean for you?
It could mean two things, depending on your role:
If your company’s business activities include using cookies on third party websites, from which you are able to collect data on visitors to those websites, you should ensure you comply with EU and French data protection principles (e.g. information, data retention, right of users to review and correct their data, or to withdraw consent). Just because you aren’t the website owner does not mean you are not liable under the law.
If you are a website operator leveraging the support of 3rd party partners as part of your business model, and if these partners use tracers on your website as part of their services to you, the CNIL recommends that you publish on your website a list of those partners who are involved in the processing of user data, which list should, at a minimum, direct the user to pages on partner websites where the partner explains in clear terms the type of data used and the purposes of the processing carried out, as well as explains to your website users how to exercise rights such as the right to object to the processing, and, if applicable, provides the users with a list of recipient companies for the information.
For more information please visit the CNIL’s website at https://www.cnil.fr/en/home