Following the publication of the cookie guidelines and recommendations, the French Data Protection Authority (DPA), the CNIL, has issued 20 organisations with formal notices giving them a month to comply with cookie laws. These include international digital players and public bodies. If they fail to comply by the deadline, they face fines of up to 2% of their turnover. The CNIL has stated that refusing cookies should be as easy as accepting them and referred to fines issued to Google and Amazon of 100 million euros and 35 million euros respectively in December 2020 for cookie non-compliance.
In a similar vein, German lawmakers have passed the Telecommunications Telemedia Data Protection Act (TTDSG), also known as the German cookie law, which is in line with the 2009 ePrivacy Directive. This law requires express consent from users for cookies and other tracking technologies unless the cookie is necessary to operate a service explicitly requested by the user. This follows the German Federal Court ruling on 28 May 2020 affirming website operators' obligation to seek cookie consent.
Seeking user consent
These developments demonstrate the importance of seeking user consent before installing cookies. Relying on legitimate interests is no longer sufficient.
Given the large fines that have been handed out for violations of cookie laws, it is important for businesses to involve a Data Protection Officer (DPO) to assist in evaluating, pre-empting and mitigating the potential risks of violation by amending and adopting appropriate policies and procedures.