Cookies: CNIL extends monitoring beyond website publishers
The online advertising market has changed dramatically over the past three years, shifting from mass targeting based on large socio-demographic categories to individualized targeting. Targeted advertising requires having specific knowledge of consumers’ preferences, behaviors, and social connections.
Concretely, this involves tracing techniques and ever more sophisticated data analysis by actors in the value chain.
In order to give internet users greater control over their personal data, European legislation has changed the rules applying to “tracers,” switching from the “right to refuse” (droit d’opposition) principle to the “opt-in” principle, by which the use of tracers is subject to users’ prior consent. These rules were incorporated into the Data Protection Act in 2011, and specified in the CNIL recommendation of 5 December 2013.
Concretely, the internet user’s consent shall be given “through a positive action by the person who has been previously informed of the consequences of this choice, and who has the means to exercise this decision.”
For cookie consent to be valid, it shall be freely expressed before the cookie is set, the user having been informed of the purpose of the cookies set.
As consent can be withdrawn at any time, users shall have access to a simple means of:
- deleting cookies previously set;
- blocking new cookies from being read and set.
It is important to specify that under the law, prior user consent is not required to show advertising, as such. The obligation to obtain consent only applies when advertising includes tracing techniques and/or the gathering of personal information by the website or a third party.
CNIL working with professionals
In December 2013, CNIL published a recommendation and released several practical tools to assist in particular data controllers involved in targeted advertising campaigns.
In the autumn of 2014, CNIL began a series of online checks of various websites (dating, e-commerce, content publishing, classified ads websites, etc.).
Difficulties encountered by website publishers
Many website publishers have indicated problems they have encountered with regard to obtaining prior user consent for cookies, for two main reasons:
- this would prevent them from showing certain advertisements, leading to a significant loss of revenue;
- cookies may not come from their own servers, instead being linked to the activities of third-party partners which are outside of their control.
As a result, publishers alone cannot assume the full responsibility for applying the rules on tracers falling under the category of “third-party cookies,” i.e., those issued by third-party companies.
Responsibility of website publishers’ partners
The principle of shared responsibility is set out in European legislation and was reaffirmed by CNIL “when the setting and reading of cookies involves multiple actors” in its 5 December 2013 recommendation.
After all, data collected by “third-party” cookies are processed and exploited for purposes and under conditions that only these third-party companies or partners define.
As data controllers, these companies are bound to comply with the Data Protection Act, specifically the principle of prior consent for the use of tracers that gather user information. Without the user’s prior consent, the collection of user information further processed by these third parties is illegal.
In practice, this means that per the principle of shared responsibility set out by European legislation and laid out by CNIL in its 5 December 2013 recommendation, both website publishers and third-party companies may be held liable for the data collection by a cookie set before the user has given consent (which may be expressed by scrolling down the web page the user is browsing).
In addition, data gathered by tracers may be processed by multiple partners in a variety of ways, such as:
- using collected data on users’ browsing behavior in order to create profiles;
- making decisions about which advertisements will be shown based on this profile;
- defining profiling algorithms.
New monitoring extended to partners of website publishers
Faced with the complexity of the chain of actors involved in targeted advertising, the CNIL has chosen to broaden its scope of investigation beyond website publishers. Indeed, compliance cannot depend on publishers alone, and advertisement sponsors, data brokers, and other partners also need to ensure their compliance, in order to create sustainable models of targeted advertising that respect the rights of individuals. It is up to each actor to ensure their own compliance with obligations, in collaboration with their partners when necessary.
Review of obligations for website publishers and partners
As data processors, partners and publishers alike shall uphold the principles of the Data Protection Act, and notably:
- The principle of limiting how long data can be stored with regard to processing purposes (in practice, this means that the lifespan of cookies set shall be limited to 13 months, and data collected by cookies shall only be kept for a limited period).
- The principle of fairness applying to the data collection, meaning that it relates only to people who have been fully informed of how their personal data will be used. By law, partners who process data are required to inform the concerned internet users:
- of their identity;
- of the purpose of processing their data;
- of the recipients or categories of recipients of their data;
- of their rights to refuse, correct, or access their personal data and a clear manner of exercising these rights.
- The obligation to provide means of exercising the rights guaranteed by law, especially the right to refuse the saving of personal data.
With regard to tracers, the internet user’s first and only point of contact is the website they visit. To avoid flooding internet users with information on the many actors involved in processing their data, in practice, the following may be provided, as a minimum:
- a regularly updated list of partners made available on the website visited, to identify the parties responsible for data processing;
- for each partner, this list contains a hypertext leading to a specific page explaining in clear terms:
- the type of data used and the purposes of the processing carried out;
- how to exercise rights such as the right to refuse this data processing;
- if applicable, the list of recipient companies for the information.
When the European regulation on the protection of personal data enters into application in 2018, partners will also be required to disclose the origin of the information they use and how long data is saved, and to specify whether profiling is used and the underlying logic applied if automated decision-making is used.
The impact of the monitoring checks carried out on the entire chain will be assessed by CNIL over the coming months.