France
Following the publication of the cookie guidelines and recommendations, the French Data Protection Authority (DPA), the CNIL, has issued 20 organisations with formal notices giving them a month to comply with cookie laws. These include international digital players and public bodies. If they fail to comply by the deadline, they face fines of up to 2% of their turnover. The CNIL has stated that refusing cookies should be as easy as accepting them and referred to fines issued to Google and Amazon of 100 million euros and 35 million euros respectively in December 2020 for cookie non-compliance.
Germany
In a similar vein, German lawmakers have passed the Telecommunications Telemedia Data Protection Act (TTDSG), also known as the German cookie law, which is in line with the 2009 ePrivacy Directive. This law requires express consent from users for cookies and other tracking technologies unless the cookie is necessary to operate a service explicitly requested by the user. This follows the German Federal Court ruling on 28 May 2020 affirming the obligation of website operators to seek cookie consent.
Seeking user consent
These developments demonstrate the importance of seeking user consent before installing cookies. Relying on legitimate interests is no longer sufficient.
Helga Turku, Data Protection and Privacy Director at HewardMills, said: “Local cookie compliance is an area that can be overlooked by companies, especially those operating globally. Businesses that use cookies on their websites should review their cookie policies considering the cookie compliance crackdown. They should assess their policies against the standards set out by data protection regulations of the jurisdictions in which the cookies are applied. As such, engaging the IT team or website manager is essential to ensure the cookie mechanism is properly configured and allows EU users to give consent.”
Given the large fines that have been handed out for violations of cookie laws, it is important to involve a Data Protection Officer (DPO) who can help businesses evaluate, pre-empt and mitigate the potential risks of violation by amending and adopting appropriate policies and procedures.