Norton Rose Fulbright - Data Protection Report blog

Often questioned about online advertising targeting by both the public and professionals, the CNIL released its action plan for 2019-2020 with a view to providing further details about the applicable advertising rules and to support stakeholders in their compliance with them.

The CNIL notes that two issues are currently of concern to stakeholders in the online marketing sector: (i) the direct marketing requirements; and (ii) cookies and other tracking devices. It notes that the applicable rules relating to direct marketing have been confirmed by the CNIL on several occasions and the six-month compliance period that was initially granted to companies has now expired. In relation to cookies, it notes that the consent requirements have been clarified by both the entry into force of the GDPR and the guidelines of the European Data Protection Board on consent. These make clear that browsing a website is no longer a valid expression of consent.

In light of the above, the CNIL’s action plan includes two main steps.

Step 1 : new guidance to be released in July 2019

In July, the CNIL intends to repeal its outdated 2013 cookie guidance – which currently allows organisations to obtain consent via a user browsing a website (e.g. implied consent) – and to provide guidelines regarding the applicable law in this area.

Stakeholders will be given a 12 month grace period to comply with the new recommendations, during which period the CNIL will continue to accept browsing of a website as an expression of consent to cookies. However, this will not prevent the CNIL from investigating complaints and conducting inspections to ensure that (i) no cookie is implemented before consent is obtained; and (ii) requirements that have not been modified in the guidelines and other obligations of the GDPR are met.

Step 2 : new recommendations to be released by December 2019 – early 2020 setting out practical measures on how to obtain consent

In the second half of 2019, the CNIL together with different groups of stakeholders (content editors, advertisers, service providers in the marketing sector, etc.) will meet at a series of working sessions in order to define some practical measures for obtaining consent. The CNIL will then publish its recommendation for public consultation by the end of 2019 (or early 2020 at the latest). It will then carry out audits of organisations’ compliance with the final recommendation six months after its final adoption.

Our take

Online advertising appears to be a major concern for data protection authorities. The number of complaints relating to online marketing, the recent public formal notices on advertising targeting, and the impending ePrivacy Regulation have led to the CNIL deciding that it needs to update its reference frameworks to align these with the current applicable law. Interestingly, the ICO has recently published a report setting out its views on adtech and specifically the use of personal data in “real time bidding”, and the key privacy compliance challenges arising from it (see our blog posts here and here).

However, the CNIL’s approach still seems somewhat reserved. Indeed, its action plan has provoked a strong reaction from the “Quadrature du Net”, a French association which defends the fundamental freedoms and rights of individuals in the digital world. The association considers that the CNIL’s approach has been lenient so far and that no further grace period should be granted in the application of the GDPR. The “Quadrature du Net” have noted that they would even consider taking this matter to the French Council of State if necessary.

In light of the above, our recommendation is that our clients should start taking stock of their online marketing practices to ensure that they are complying with the current requirements and, where possible, move away from implied consent. This would enable a smooth transition with the forthcoming provisions.

For more information, the CNIL’s publication is available here.