CNIL

Subscribe to CNIL via RSS

On May 21, 2024, France adopted law No. 2024-449 to secure and regulate the digital space. This law grants new enforcement powers and authority to the French Data Protection Authority (CNIL), including to seize documents, record declarations during dawn raids, and enforce certain provisions of the Digital Services Act (DSA) and the Digital Governance Act (DGA).Continue Reading New Enforcement Powers for the French Data Protection Authority (CNIL)

On February 8, 2024, the French data protection authority (CNIL) published a list of its enforcement focus areas for 2024.[1] The CNIL will focus on the processing of children’s data by online services, the handling of individuals’ requests to access their personal data (so-called “DSAR”), the re-use of data processed for loyalty programs, and data processed in connection with the upcoming Olympic and Paralympic games.Continue Reading French Data Protection Authority Publishes Its 2024 Enforcement Focus Areas

On October 13, 2021, the French data protection authority (the CNIL) issued a short note (the “Note,” in French) on technologies such as fingerprinting, unique identifiers, and cohort-targeting, developed to replace traditional third-party cookies.

While the CNIL acknowledges that some of these technologies are less privacy invasive than third-party cookies, it stresses that the consent and transparency requirements also apply to these technologies.
Continue Reading CNIL Issues Guidance on Alternatives to Third-Party Cookies

On June 28, 2019, the French Data Protection Authority (CNIL) released its 2019-2020 action plan on ad targeting (action plan);1 among other things, the CNIL announced that it will issue new cookie guidance later this month and that, once the guidance is published, companies will have a 12-month grace period to come into compliance.

Background

When the General Data Protection Regulation (GDPR) became effective on May 25, 2018, it imposed stricter conditions for obtaining valid consent to process personal data. In short, consent must be freely given, specific, informed, and unambiguous. Individuals must also be able to withdraw their consent at any time. The European Data Protection Board (EDPB) issued guidelines to further clarify the “do’s and don’ts” for obtaining valid consent (consent guidelines), including that scrolling down or swiping through a website is not enough to obtain valid consent. Rather, consent must be obtained via a clear and affirmative action, such as clicking on an “I agree” button.Continue Reading The CNIL Announces Its 2019-2020 Action Plan on Ad Targeting

On April 15, 2019, the French Data Protection Authority (CNIL) published its 2018 activity report and announced its 2019 enforcement agenda. The CNIL’s message is clear: if some leniency was tolerated in 2018, this transitional period for GDPR enforcement is now over. Going forward, the CNIL will adopt a stricter approach when investigating companies’ GDPR compliance and make full use of its enforcement powers, including the power to fine.

Background

As of May 25, 2018, the EU General Data Protection Regulation (GDPR) imposes new and strict obligations on companies processing personal data. Most EU privacy regulators adopted a somewhat lenient approach when enforcing the new rules. Beside the €50 million fine against Google in early 2019, the CNIL has not made broad use of its enforcement powers since the GDPR became effective. All in all, 2018 was a transition year to allow companies to bring their practices into compliance.Continue Reading The French Data Protection Authority Announces Stricter Enforcement

In July 2018, the French data protection authority (the CNIL) issued two public formal notices against two marketing platform providers—

Teemo1 and Fidzup2—for failing to obtain valid consent under the General Data Protection Regulaton (GDPR) for the use of location data for profiling and targeted advertising.3 The CNIL gave the two French companies three months to change their practices to comply with EU data protection law. On October 3, 2018, the CNIL closed the matter against Teemo,4 as it considered that its updated practices now comply with the GDPR.5 The actions provide an indicator as to how Data Protection Authorities (DPAs) may approach enforcement under the GDPR.
Continue Reading France: CNIL Issues Formal Notices Against Two Marketing Platforms for Lack of Valid Consent for the Processing of Location Data