[FR] CNIL issues formal notices to 20 organisations in breach of new rules on cookies

IRIS 2021-7:1/10

Amélie Blocman


On 25 May 2021, the Commission nationale de l'informatique et des libertés (French data protection authority – CNIL) announced that it had issued 20 formal notices to organisations, including international players in the digital economy and public bodies, for breaching the new rules on cookies. On 1 October 2020, the CNIL had published its guidelines and a new recommendation on consent to targeted advertising and the use of trackers in order to implement the principles of the General Data Protection Regulation (GDPR), which include the need to obtain explicit consent to collect personal data. Website and mobile application providers had been given six months, i.e. until the end of March 2021, to comply with the new guidelines.

After beginning its investigations at the start of April, the CNIL found that a number of organisations were still not allowing Internet users to “refuse cookies as easily as they can accept them.” It therefore decided to issue formal notices to those whose practices did not comply with the legislation on cookies. These unnamed organisations had one month to comply and faced fines of up to 2% of their turnover if they failed to do so. In December 2020, the CNIL fined Google and Amazon EUR 100 million and EUR 35 million respectively for non-compliant information banners under pre-GDPR legislation. It pointed out that this was the “first campaign of investigations” and that “similar actions will be carried out in the coming months”.



This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.