Privacy & Information Security Law Blog

On April 16, 2015, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2014 (the “Report”) highlighting its main accomplishments in 2014 and outlining some of the topics it will consider further in 2015.

The Report presents the results of the inspections conducted by the CNIL to assess compliance with its cookie law guidance issued in December 2013. The inspections revealed that most websites with a wide audience posted a cookie banner and obtained users’ consent for the use of cookies and similar technologies by following a two-step approach, as recommended by the CNIL. However, the inspections also revealed that cookies are almost always placed on users’ devices as soon as users visit a homepage and in the absence of any action from users indicating that they consent to the use of cookies. In addition, the CNIL noted that several websites still advise users that they may opt out of having cookies on their website by simply blocking all cookies in their web browser. In the CNIL’s view, such a solution is inadequate since users must be able to (1) accept or refuse cookies based on the purpose or type of cookie and (2) use the website even if they refuse cookies. Further, the CNIL noted that many cookies had a lifespan equal or exceeding 2 years, whereas the CNIL’s guidance makes it clear that cookies should be programmed to expire 13 months after they are placed on a user’s device.

Topics the CNIL will examine further in 2015 include connected vehicles and the role of personal data in the cultural and entertainment content market.

Other key highlights from the Report include:

• In 2014, the CNIL received 5,825 complaints (a slight increase of 3% compared to 2013). 39% of these complaints (which is a plurality of the complaints) concerned the Internet sector and were related to e-reputation issues, such as deleting text, photographs, videos, contact information, comments, fake online profiles, and the reuse of publicly available data on the Internet. 16% of the complaints concerned marketing issues, such as de-listing from advertising registers, objections to receiving marketing emails, and the retention of banking data. 14% of the complaints were filed by employees or trade unions in relation to HR issues, such as video or cyber surveillance, geolocation, and access to an employee’s professional file. In all sectors, the main causes for complaints were the objection to appearing in a register and the difficulties individuals faced in obtaining a copy of their personal data. The number of complaints is likely to grow in 2015 because, since April 2015, the CNIL has extended the possibility for individuals to file their complaints online (such as those that deal with the difficulty of having their personal data deleted from websites, blogs, forums, social networks or search engines, or in the case of employee monitoring).
• In 2014, the CNIL conducted 421 inspections of organizations, including 58 online inspections. Only 18 proposed penalties were examined by the CNIL (compared to 14 proposed penalties in 2013) and eight fines were imposed since, in most cases, organizations decided to comply with French data protection law following a complaint or an inspection.

Finally, the Report also discusses further developments at the national and international levels, including the implementation of the right to be de-listed from search results and the slight progress made on the Proposed EU General Data Protection Regulation.