Faced with a surge in complaints from Internet users, the French National Commission for Information Technology and Civil Liberties (CNIL) has recently stepped up its efforts to require website publishers to modify their cookie banners deemed misleading. This formal notice, announced in early December 2024, illustrates the increased vigilance of the French regulatory body in respecting user consent online.
The legal basis for formal notices: compliance with cookie guidelines
The CNIL relies primarily on the Data Protection Act and the recommendations of the European Data Protection Committee to assess the compliance of consent collection banners. When a complaint is filed, a rigorous analysis of these banners is carried out in light of this strict legal framework. The conclusions of this instruction may lead to a formal notice, as was the case recently.
Cookie banners must allow the user to easily refuse the deposit of tracers, just as they can accept them. The simplicity and clarity of the information are therefore essential. However, some underhand practices have alerted the CNIL. Some publishers make the refusal option less visible or more complex to activate, thus pushing the Internet user to consent without real consideration.
Non-compliant practices observed by certain publishers
Among the grievances noted by the CNIL, several vilify the ambiguous presentation of consent options on cookie banners. Concretely, here are some examples: the disproportionate size of the acceptance buttons compared to the refusal buttons, the use of colors and fonts that only highlight consent, or a location that is difficult to discern for the refusal option among other informative mentions.
It is also not uncommon for forms to be designed with fragmented information, making navigation to the refusal option tedious and confusing. In some situations, Internet users faced with the choice of accepting or refusing cookies, clearly only see the acceptance option appear several times, while the refusal option seems to be deliberately relegated to the background.
Reactions and comments from the CNIL
The President of the CNIL stressed that these practices constitute a flagrant violation of the Data Protection Act. Consequently, the publishers concerned have one month to rectify their consent collection banner in order to avoid potential sanctions. However, it is important to note that for the moment, no financial penalty is directly associated with the latest formal notices.
The approach adopted by the CNIL remains more oriented towards pedagogy and compliance, rather than punitive. Mathias Moulin, an influential member within the commission, confirmed this perspective, stating that "we do not have a punitive logic, but rather one of compliance of the actors". This approach aims to encourage better compliance of publishers with the defined standards and to ensure effective protection of user data.
A regulatory context that is still evolving
This action by the CNIL is in line with the efforts made since the entry into force of the General Data Protection Regulation (GDPR) in May 2018. While the first years after the application of this regulation saw a period of adaptation, the more recent actions of the CNIL show increasing firmness in its requirements with regard to the digital practices of companies.
In 2021, the CNIL already recalled the financial risks imposed on non-compliant entities, which could reach 2% of their annual turnover. This incentive aimed to reinforce the importance of compliance with consent collection protocols, which is essential to ensure digital trust.
The major challenges of compliance
For website publishers, aligning their practices with CNIL requirements is not only a matter of legal compliance. It is also essential to maintain transparency and user trust. In this day and age, when awareness of privacy and personal data security issues is growing, unclear or misleading practices could very well tarnish the brand image of the companies concerned.
With the rapid evolution of technologies and online tracking methods, the CNIL’s guidelines and recommendations represent an essential guideline for navigating this complex environment. Complying with these rules is a proactive approach to anticipate potential legislative changes and consumers’ increased expectations regarding the management of their data.
A technical and organizational challenge for companies
Making cookie banners consistent with CNIL requirements requires companies to make both technical adaptations and raise internal awareness. It is not simply a matter of changing the color or location of a button, but often of thoroughly reviewing user preference management processes.
Some companies have had to invest in audits and call on compliance experts to ensure that all regulatory obligations are met. These steps can represent significant costs, especially for small structures, but they are essential to avoid legal risks and preserve the relationship of trust with users.
Ultimately, the CNIL's recent actions aim to protect the rights of Internet users while supporting publishers in a compliance dynamic. The challenge lies in the ability of websites to respect the high standards required by the regulation while offering a clear and transparent user experience.
0 Comments