Evolution of practices on the Web regarding cookies: the CNIL evaluates the impact of its action plan

As part of its action plan on cookies and other tracing devices, the CNIL published a new version of its guidelines and a recommendation on October 1, 2020 (in French), following public consultation and with the ecosystem. After this first step, the CNIL has established a transitional period to allow website publishers to comply with the new rules, before launching enforcement actions, as of April 2021.

At the same time, the CNIL undertook an evaluation of the implementation of these guidelines and recommendations. The objective was to examine the effectiveness of these tools, their relevance, their proper understanding by individuals and data controllers, as well as their likely impacts, particularly economic ones.

This approach, which aimed at measuring the effects of its decisions on the ground, was based on:

• regular surveys to evaluate the understanding and use of the new rules by French Internet users;
• setting up an internal observatory to study the evolution of French web practices regarding cookies.

Better informed users and an increasing rejection rate

Five waves of surveys were conducted by IFOP, from December 2019 to June 2022, on samples of more than 1,000 people representative of the French population, aged 18 and over, by self-administered online surveys.

A much better knowledge of the regulations

In June 2022, 95% of respondents say they know what cookies are and 52% of them know exactly what recent regulatory changes on the subject are (compared to only 44% in November 2020). People are also well aware of the different uses of cookies: targeted advertising (81%), audience measurement (78%), or location-based advertising (78%) and display of external videos (64%).

The collection of consent and sufficiently precise information have undoubtedly enabled Internet users to understand better how their data is used.

However, despite these figures, French Internet users still have an impression of opacity: the vast majority reports that information on companies making use of cookies in the advertising ecosystem is insufficient or non-existent (68%) and only 32% consider it sufficient (+8 points vs. 2019).

Quality of information on websites tracking navigation via cookies (June 2022)

In June 2022, 20% of respondents still report that websites give them less control over cookies than they did a year ago. This lack of trust toward digital technology concerns mainly people under 35, employees, workers and, to a lesser extent, non-graduates.

A cookie refusal rate on the rise

The evolution of the refusal rate over time provides overall support to the role of an informed and active citizen-consumer. Although the overall refusal rate reached 39% in June 2022, it has not become the majority: this does not reflect the so-called "consent fatigue" online. The rate of people declaring that they configure cookies increased from 43% in November 2020 to 49% in June 2022 (conversely, people who use the Internet less: people over 65, people who spend less than an hour a day surfing, tend to configure cookies less).

The acceptance rate of cookies, at 59%, remains high and comparable with the one found by the 2022 digital barometer survey conducted on the same population by the French CREDOC, at 65%.

Accepting or refusing cookies: a choice unrelated to socio-professional category

The attitude towards cookies goes beyond the usual divides of socio-professional category, age or geography. Among the categories giving less agreement, beyond the margin of error, we find workers, retired people and inhabitants of the Ile-de-France region, while 25-34 year olds, inhabitants of the South-East France or of a rural area give their agreement more often than the average. It should be noted, though, that the refusal rate increases over time among 18-24 year olds (+5 points between October 2021 and June 2022, when 34% of under 35 year olds refuse cookies as compared to 41% of over 35 year olds).

Moreover, even though workers and employees use the Internet less frequently than managers and intermediate occupations (77% for workers, 82% for employees versus 95% for managers and 90% for intermediate occupations, according to INSEE's 2019 ICT household survey), this difference in usage does not translate into a difference in attitude towards cookies: workers and employees, on the one hand, and managers and intermediate occupations on the other hand, have a refusal rate amounting to 39% in IFOP’s data overall, just like the national average.

Interestingly enough, the effect of diploma as well as the use of the Internet is ambivalent: if people with a diploma level lower than CAP/BEP refuse more frequently, higher education graduates have a systematic refusal rate higher than the average. Similarly, less frequent use of the Internet (less than 1 hour per day) and intensive use (more than 4 hours per day) are associated with a refusal rate higher than average. The attachment to privacy does not, thus, appear here as a privilege of the economically most advantaged categories, but could also be interpreted as a refusal of the economic exploitation of their data by the economically less advantaged categories.

The most accepted purposes are audience measurement (61% "yes" in June 2022 versus 59% in December 2019) and site personalization (56% versus 55%), while targeted advertising is less accepted (52% acceptance in June 2022, versus 44% in December 2019). Moreover, a high acceptance rate of these purposes goes hand in hand with their good knowledge by citizens.

Observe the evolution of French website practices over time

Following a methodology for analyzing website practices with regard to cookies, based on the CookieViz solution developed by the CNIL, our Digital Innovation Laboratory (LINC) monitored the practices of the 1,000 most popular websites in France from January 2021 to August 2022. The purpose of the analysis was not to assess the compliance of these websites with regulations, but to observe the number of third-party cookies deposited or read before any action by the user.

Third-party cookies are cookies deposited on domains other than that of a visited website, generally managed by third-party services that have been requested by that website and not at the initiative of the users themselves: these cookies may be necessary for the proper functioning of the website, but are mainly used by the third-party service to see which pages have been visited on the website in question by users and to collect information about them, particularly for advertising purposes. 

The results show that CNIL's action has reduced the intensity of tracking activity for advertising purposes on websites visited by Internet users in France. The proportion of websites depositing more than 6 third-party cookies dropped from 24% to 12% between January 2021 and August 2022. At the same time, the proportion of websites that do not deposit any third-party cookie has increased from 20% to 29%. There has been, as well, a reduction in the average number of third-party cookies deposited per website (see below), a number that needs to be compared to websites’ information and consent management practices before concluding that they are non-compliant.

These figures concerning the first visit to websites, before the user expresses a choice with regard to tracking, show initial positive results from CNIL's action plan. However, the figures indicate that the tracking of browsing data by digital advertising companies, without consent of individuals, remains potentially significant: as a result, the CNIL will maintain its compliance efforts on websites with a large audience in France.

CookieViz: CNIL's browser extension for tracking third-party cookies online

Internet users can also get an idea of the cookie practices of the websites they visit by using CNIL's CookieViz solution. This solution is now available as an extension to your browser (in French).

The extension analyzes the cookies deposited on the browser and the number of third parties that have deposited them.

CNIL controls, orders to comply and sanctions

Since the publication of its guidelines and recommendation, the CNIL has carried out numerous checks on the compliance of websites visited by Internet users in France.

These controls have focused on the most popular websites for French users, whether the publisher of the website is established in France, in the rest of the EU or in a third country. Indeed, the new rules (resulting from the e-Privacy directive) are applicable to all the actors of the Web, whoever they are, as soon as the Internet user is located in France.

After a six-month transitional period, expiring on March 31, 2021, the CNIL issued 94 orders to non-compliant entities after a campaign of 125 online controls. In total, three waves of orders to comply were issued (May 2021, end of June 2021, December 2021), closed after the websites concerned had regularized their situation.

At the same time, regarding major digital players who could not ignore the entry into force of the new rules and had the means to comply directly, sanction procedures were launched. Thus, the CNIL fined Google (250 M€), Facebook (60 M€) and Amazon (35 M€), ordering them to comply with the new rules within three months.

In total, the CNIL has imposed 8 sanctions from 2020 to 2022 on cookies, for infringements such as lack of information, deposit of cookies without prior consent, failure of the refusal mechanism, or impossibility to refuse cookies as easily as to accept them.

The cumulative amount of these sanctions reached 421 million euros. For some transnational players, the impact of these sanctions often extended beyond France, as the entities complied with the new rules for all their European operations.