As the final weeks of summer set in and kids reluctantly get ready to go back to school, another important change is on the horizon, and if cookie consent is on your work list, you'd better pay attention.
Starting in October, the French data protection authority (the CNIL) will commence auditing websites, and for the first time ever, it will be able to do so remotely. This was the focus at a panel discussion on Thursday, hosted by Ghostery Enterprise and moderated by its Chief Privacy Officer Todd Ruback, CIPP/US, CIPP/E, CIPT.
“What was once a hot topic, over time it ceased being a hot topic,” said Hogan Lovells Partner Eduardo Ustaran, CIPP/E. “But now it’s becoming hot again. Cookie consent is a key area of attention and is back on the worry list of many organizations.”
Are businesses cutting corners with their cookie policies?
“That will be revealed soon,” Ustaran said, adding in his analysis, “Indeed, people are cutting corners.”
According to the CNIL’s Vincent Toubiana, the sweep is not an official audit, but it may cause one. The real enforcement, however, will take place in October when the CNIL, for one, will start auditing websites.
Toubiana said the agency will first look at what types of cookies and trackers are set on a given website and, importantly, that includes HTTP cookies, Flash cookies and fingerprinting. Toubiana also said the CNIL will look at the purposes for which cookies are being used. For example, is the site editor aware of all the cookies that are set on its website? And are there any cookies that require consent?
More specifically, if cookies on a website do require consent, the CNIL will look at whether a consent mechanism is readily available. Are cookies dropped prior to a user expressing consent? And how does a user express that consent? These will be questions the CNIL will be asking.
Ustaran said one of the biggest problems website operators are struggling with involves the timing of notice and the dropping of cookies. “My gut feeling is that those banners (that provide cookie notice) appear simultaneously as cookies being dropped” onto a user’s device, he said. “Effectively, there is not real choice; you see notice, but you are not taking any action before the cookies are dropped. The sequence should be notice, then consent, then the cookies drop.”
He added, “This is probably the most difficult area from a practical perspective.”
Toubiana also shared some common pitfalls in the cookie consent ecosystem. He said simply informing users is not enough. Users need to take some sort of positive action. Plus, relying on browser settings will not get operators off the hook. He also stressed that device fingerprinting, as a way of replacing cookies, is not a way around the regulations. He said the “cookie regulation” is, in fact, technology-agnostic and “switching to fingerprinting won’t solve the issue at all.”
The consequences for noncompliance are not a walk in the park, either. Organizations could face fines of up to 150,000 euros with the possibility of a published sanction. And, as Toubiana pointed out, enforcement is a continuous process. The auditing that will officially kick off in October will continue over the year.
Will organizations that are scrambling right now be given any warning? Yes, but the warning may be public. Those that are warned, however, will have time to reach compliance prior to being fined. To help, the CNIL also offers a toolbox for website operators, including cookie visualization tools, exempted audience measurement tools, cookie-consent scripts for Google Analytics and “privacy-friendly” social widgets.
And why all this attention now, years after the Cookie Directive?
Ustaran said there are two main reasons.
“I think all reasonable regulators will say this directive has been out there for a while, so come on guys, get your act together,” he said. And secondly, “We are all seeing a reliance on profiling, online behavioral advertising—it’s now or never. Either it’s enforced now or ignored forever.”
He added, “The next six months will be crucial.”