Cookies: penalty of 50,000 euros against SOCIETE DU FIGARO
The CNIL restricted committee has imposed a fine of 50,000 euros on SOCIETE DU FIGARO for installing advertising cookies from the lefigaro.fr website without obtaining the prior consent of Internet users.
Having received a complaint, the CNIL carried out several checks between 2020 and 2021 on the lefigaro.fr news website. These checks revealed that when a user visited this website, cookies were being automatically placed on their computer by partners of the company, without them performing any action or in spite of their refusal. Several of these were advertising cookies and should have required the user’s consent.
Based on these elements, the restricted committee – the CNIL body responsible for pronouncing sanctions – considered that the company had failed in its obligations because it did not systematically ensure that users’ consent was obtained before advertising cookies were installed or that their refusal to have such cookies installed was respected. It therefore issued a fine of 50,000 euros and decided to make its decision public.
The restricted committee is today sanctioning the failure to comply with obligations which date from before the GDPR came into force and which survive in the new guidelines and the CNIL recommendation of 1st October 2020.
SOCIETE DU FIGARO’s liability
As publisher of the lefigaro.fr website, SOCIETE DU FIGARO has a share of liability regarding compliance with the legislation on cookies (Article 82 of the French Data Protection Act) by its partners who install cookies on its website. It must particularly ensure that they do not install cookies that require consent before users have chosen to accept or refuse. It must also ensure that they respect the users’ refusal.
The restricted committee considers that the fact that the cookies come from partners does not release the website publisher from its own liability insofar as it is in control of its website and its servers.
The restricted committee considered that the company’s liability is a best efforts obligation and that SOCIETE DU FIGARO had not fulfilled it.
This decision follows on from the French Conseil d’État decision regarding Editions Croque Futur of 6 June, 2018, which already specified the allocation of liabilities between website publishers and their partners.
The identified breach
Despite the implementation of several tools (a consent management platform, tools to identify cookies installed despite an indication of a refusal or before the user performs any action), the CNIL’s checks have found on many occasions that cookies which required consent were installed before any action was performed by the Internet user or continued to be read in spite of their refusal.
This decision is part of the overall compliance strategy initiated by the CNIL 2 years ago for French and foreign players publishing high-traffic websites and having practices contrary to the legislation on cookies.
Between 2020 and 2021, the CNIL adopted around 70 corrective measures (orders and sanctions) in connection with non-compliance with the legislation on cookies. In 60% of the cases, they were “foreign” organisations (parent company outside France).
These measures mainly concerned large private-sector players from a wide variety of economic sectors.