Following an inspection by the French Data Protection Authority (CNIL), Editions Croque Futur, publisher of the website www.challenges.fr, received a notice to comply with the French Data Protection Act. As the company did not comply with the requirements set out in that notice, the CNIL initiated sanction proceedings, which led to the company paying a fine of 25,000 euros.
The company was charged with omitting the mandatory notices required by the French Data Protection Act from the account-creation forms on its website. This amounted to a breach by the data controller of its obligation to provide data subjects with the information required to obtain their consent to the collection of their personal data.
The company was also charged with failing to implement a mechanism for opting out of the storage of cookies on web users’ devices.
In its decision dated 6 June 2018 (Conseil d’Etat, June 6th 2018, decision n°412589), ruling on Editions Croque Futur’s appeal against the CNIL’s decision, the Conseil d’Etat (French Supreme Administrative Court) reiterated that web users must be fully informed, on each website they visit, about the purposes of the cookies dropped by the website and how they can object to them.
As a defence, the company argued that some of the cookies were “necessary for the economic viability of the website” and that users therefore did not have the opportunity to object to them. The Conseil d’Etat dismissed this argument, finding that it did not establish that those cookies were “strictly necessary to the provision of an online communication service”, which is the sole exception allowing a data controller to drop cookies on a web user’s device without the user’s prior express consent.
The company also asserted that internet users were informed about how to configure their web browser to block cookies. However, the Conseil d’Etat confirmed, as the CNIL had previously, that telling web users how to configure their web browser does not constitute a valid means of objecting to the dropping of cookies, and thus to the collection or processing of web users’ personal data.
In a nutshell, website publishers must implement a mechanism enabling web users to consent to the dropping of cookies and to object, at any time, to all or some of the cookies, apart from certain specific cookies (see the CNIL’s recommendations: Cookies Recommendations).
We note that this case was decided under the French Data Protection Act as applicable in 2016.
Today, with the entry into force of the General Data Protection Regulation (GDPR) and the ongoing reform of the French Data Protection Act, such a failure may be sanctioned more heavily, with penalties of up to 20 million euros and/or 4% of the company’s global turnover.