Date: 2020-10-26

The question of the moment for organizations that want both to seize the opportunities of the time and to protect themselves against complaints is: how can they respect the rules of use, as well as the user, while continuing their activities and thriving?

From cookies to the CNIL, the legal ecosystem around the GDPR is evolving quickly, and it is becoming difficult to stay compliant without paying attention at all times.

The big question about cookies

The latest developments from the CNIL

Before we go into detail on the latest CNIL news, let’s recall the basics of computer cookies. A cookie is a small file (or tracker) that a website places on the Internet user’s hard drive, without their knowledge, when they visit it, in order to retain their information for a later connection.

In short, a cookie is a type of tracker. It is therefore normal for legislation to increasingly require websites (and the companies that manage them) to inform the user about their cookie policy. That’s not all: since the GDPR (General Data Protection Regulation) and its implementation in May 2018, websites have to allow the user to refuse cookies.

Recently the CNIL tightened the rules on cookies by making their use for advertising more complex. Websites must now inform internet users about the exact use of their data.

What exactly does “accept everything” or “reject everything” mean?

While “accept all” is often very straightforward when it comes to cookies (this is handy for the website owner), “reject all” is a less common option. Naturally, this increases the number of people who accept cookies for lack of time, attention, or clarity.

This will soon change: rejecting cookies must be as easy to select as accepting them. The acceptance of cookies can no longer be fuzzy for the user: they must feel free to accept everything or refuse everything, without either option being promoted over the other.

We should also be aware of the problem of the “cookie wall”, a design approach that prevents the Internet user from browsing the website unless they accept cookies. New rules are being applied to ban this practice, but they have not yet been enacted.

Is private browsing a solution to intrusive cookies?

The “private browsing” mode offered by browsers makes it possible to explore the web without a cookie being installed on the computer. It is therefore a solution for users who want to avoid being tracked in their navigation. Of course, private browsing does not make the Internet user anonymous to the ISP, as the state can find them via their IP address.

Specifying the purpose of the data collected is now a legal obligation

Following the recent regulatory advances made by the CNIL, the purpose of the data now needs to be defined for internet users. Why collect a postal address, for example? If a company wants to do this through its website or a registration form, it must be able to explain the exact reason, for example sending a birthday present in the mail.

It’s the same with a phone number: there has to be a good reason, and even if only advertising is to be sent via SMS, the user needs to be informed (and, of course, be able to decline). Each company must therefore explain the purpose of any data collected from the user, and this needs to be verified. It must be able to prove that a process is in place.

Brands in the face of stricter laws

Given the new CNIL and GDPR rules, not all brands are created equal. Larger companies find it more difficult to manage the transition (which is part of their digital transformation) as it requires significant work.

The brands that got involved in time and with flying colors

Several WordPress plugins are available so that brands can easily meet the requirements. This solution effectively addresses the problem of cookies only for the simplest of websites, and specifically only for those on WordPress.

For others, it is necessary to write code to make the site compliant.

“Notification” cookie banners like Slack’s or “popup” banners like Evian’s: brands have different options, and the possibilities for personalization are great: header, footer, etc.

[Screenshots: a cookie banner in the header, and one at the end of the page]

Very real judgments, beyond the symbolic

The CNIL, for example, sanctioned the Spartoo brand after an inspection in May 2018. The result was a sanction of 250,000 euros and an injunction to comply with the GDPR as quickly as possible. Several shortcomings were found:

- the principle of data minimization
- the obligation to limit the retention period of the data
- the obligation to inform individuals
- the obligation to ensure data security

A conviction that is therefore not without consequence.

Even more important is the sanction imposed on Futura International: 500,000 euros for non-compliance with the rights of persons solicited in the context of commercial transactions, in other words, illegal telephone advertising.

Optical Center, Bouygues Telecom and Uber France have also been fined several hundred thousand euros in recent years for disclosing data after a security breach.

Many brands had already been sanctioned to a lesser extent before the GDPR and the tightening of data protection measures: for example, CDiscount and Isotherm each had to pay 30,000 euros in 2009 for improper advertising by email and telephone.

But as these condemnations multiply, the trend should pick up and no company is immune … to the delight of users.

While websites and companies have until April 1, 2021 to catch up on the latest CNIL developments, subsequent events could further toughen the tone in favor of protecting users’ personal data.

