Cookie Sweep Day is coming!
The French data protection authority CNIL will conduct a “cookie sweep” this coming September 15 to verify compliance with its recommendations on cookies and tracers used to collect and store personal user information on websites. These audits will be both on-site and remote inspections, meaning that as a website owner, your premises could be subject to a visit by the authorities for non-compliance.
The CNIL will feed the data crumbs it gathers into a program of website audits it will conduct in October.
The cookie sweep is not limited to France – all other EU national data protection authorities will be conducting their own sweeps as well across the Member States, to inspect and monitor cookie compliance with the ePrivacy Directive.
Should you be concerned?
To be clear, under the regulations, only certain cookies require a user’s prior consent – in general, cookies set by third party advertising networks. In a word, if you’re monetizing your site with third party ads, you must ask users for their consent to those cookies (if you’re not already asking for prior consent for these, you should really do it, er, now).
Users must be able to withdraw consent at any time, and cookies and consents must be reset at a minimum every 13 months. The CNIL holds sites and third party advertising networks jointly liable for compliance.
What’s the risk?
If you’re running a business through ads or tracking via your site, the financial risk is moderate, depending on your size. This past January the CNIL fined Google €150,000 for having cookies set while the banner was loading instead of after consent was given. Clever folks, Google. Anyway, the risk is there.
Functional cookies and web analytics cookies do not require prior consent but users must have clear and user-friendly information regarding these cookies, including information on how to opt-out.
Another important note is that sites cannot deny users access if they choose to block advertising cookies and cannot make acceptance of advertising cookies a condition of using the service. Where a business model depends on making content or services freely available in exchange for targeted advertising via cookies, the regulations are…highly disruptive.
The CNIL has also put up an app (“CookieViz”) for users to verify cookies on their Mac, Windows or Linux device.