Using Cookies = Data Processing
The French State Court confirms that the use of cookies and other similar technologies constitutes data processing.
Photo by Fancycrave on Unsplash
In its decision of 6th June 2018, the French State Court ruled that being able to change browser settings is not a valid method of opposing to cookies being used. This decision confirmed previous reasoning by the French Data Protection Authority, the CNIL.
Decision of the French Data Protection Authority
Back in May 2017, the CNIL ordered website, challenges.fr to pay EUR 25,000 in fines for its failure to respect the obligation to inform its website visitors about cookies placed on their devices. The CNIL also noted that challenges.fr had also failed to respond its visitors' right to object, despite having been put on notice to do so.
Facts of the Case
After having received several complaints about failings in Challenges.fr's Cookies Policy, the CNIL audited Editions Croque Futur, the company which owns Challenges.fr. back in November 2014. The CNIL confirmed that the Cookies Policy was not satisfactory and ordered Editions Croque Futur to update the policy in accordance with the requirements as set out in the applicable data protection law. The CNIL gave Editions Croque Future three months during which to meet its compliance obligations, which also included only keeping data collected via cookies for a period of 13 months. Editions Croque Future only responded that it had to wait for its partner site, Nouvel Observateur, to update its webpage.
What was the problem with the "Cookies" practices?
The obligation to provide information about the use of cookies and the implementation of a mechanism allowing users to opt-out of cookies on the user's device was missing.
The data protection law in force at the time (pre-GDPR), required that users need to be provided with information about the cookies, why they are used, and how to opt-out. The law also required that consent needs to be obtained from users before the cookies file is placed on the device, unless the cookie is necessary for purely functional reasonsor if it is in line with a service which is provided at the user's request.
The website also contained no mention about the retention period of data collected in accordance with the purposes for which it was collected, which the CNIL considered should be limited to 13 months.
Editions Croque Futur was unable to show that it had made any effort with its partner sites to ensure that they were also compliant with the data retention period for information collected via cookies.
When is a cookie "necessary"?
The pre-GDPR French data protection law states that a cookie is necessary for functional reasons when it is needed for the website to work or be viewed correctly.
In it's decision this month, the French State Court confirmed that the fact that some cookies are used for advertising purposes which are necessary for the financial success of a website is not sufficient to constitute "necessity" for the purposes of the law.
Give website visitors a choice
The French State Court also considered that the Challenges.fr website did not allow users to clearly differentiate between the different categories of cookies, and the use of cookies was not subject to prior consent being obtained. There was also no possibility for users of the site to opt-out of the use of cookies or be informed of the consequences of doing so.
Third Party Cookies?
The French State Court held that Editions Croque Futur is the data controller and is responsible for the cookies it places on its site.
The Court also noted that Editions Croque Futur permitted the placement of third-party cookies on its sites.
The Court considered that website publishers who authorise the placement and use of third party cookies must also be considered as data controller in respect of those cookies, even if they are not bound by all of the obligations imposed on the third party who issued the cookie (indeed, the third party is sole responsible for ensuring the data collected by its cookies has a valid purpose and appropriate retention period).
The State Court Decision:
The final decision confirmed that the CNIL's restrictive viewpoint - that browser settings available to users do not constitue a valid method of opting-out of the placement of cookies.
In this case, the State Court held that Challenges.fr had not complied with the CNIL's warning following the audit, since it had not respected its obligation of information and opt-out in respect of cookies used on its site, and there was no evidence that they had attempted to do so via partner sites either.
What does this mean for businesses and website owners?
Website owners and publishers in France need to ensure that in the event they allow third parties to place cookies on their websites, that those third party cookies are compliant with French law.
Website owners and publishers need to make sure that they have adequate cookies policies on their websites, as well as cookies banners allowing for easy opt-out and which provide clear information about cookies to their website visitors.
The fine in this case was imposed pursuant to the pre-GDPR law. The new data protection regime in force since 25th May 2018 allows data protection authorities such as the CNIL to impose much higher sanctions. The GDPR itself also imposes stricter requirements for valid consent and obligations on data controllers and processors to be transparent and fair in their processing of personal data, whether by cookies or otherwise.
Article by the Team @ Gerrish Legal, July 2018