Data Protection in France

Online privacy in France

EU regulation

Cookies

The EU Cookie Directive has been implemented by Article 82 of the Law, which states that any subscriber or user of electronic communications services must be fully and clearly informed by the data controller or its representative of:

  • the purpose of any cookie (i.e. any means of accessing or storing information on the subscriber’s / user’s device, e.g. when visiting a website, reading an email, installing or using software or an app); and
  • the means of refusing cookies.

This provision further states that the placement of cookies requires valid consent from the subscriber or user (which can be expressed via browser settings if the user can choose the cookies he / she accepts and for which purpose), unless:

  • the sole purpose of the cookie is to allow or facilitate electronic communications; or
  • the cookie is strictly necessary to provide online communication services specifically requested by the user.

Location and traffic data

The Postal and Electronic Communications Code deals with the collection and processing of location and traffic data by electronic communication service providers (CSPs).

All traffic data held by a CSP must be erased or anonymised. However, traffic data may be retained, for example:

  • for the purpose of finding, observing and prosecuting criminal offences;
  • for the purpose of billing and payment of electronic communications services; or
  • for the CSP’s marketing of its own communication services, provided the user has given consent thereto.

Subject to exceptions (observing and prosecuting criminal offences; billing and payment of electronic communications services), location data may be used in very limited circumstances, for example:

  • during the communication, for the proper routing of such communication; and
  • where the subscriber has given informed consent, in which case the location data may be processed and stored after the communication has ended. Consent can be revoked free of charge at any time.

France regulation

Cookies

The French Data Protection Supervisory Authority (CNIL) has replaced its 2013 guidelines regarding cookies and trackers, which were no longer compliant with the GDPR, with revised guidelines. Following the adoption of a version of its guidelines on cookies and other trackers on July 4, 2019, which was partially annulled by a decision of France's highest administrative court, the Conseil d’Etat, on 19 June 2020, the CNIL adopted revised guidelines as well as recommendations on the practical procedures for collecting consent concerning cookies and other trackers. The CNIL’s revised guidelines, adopted by way of deliberation No. 2020-091 of September 17th, 2020, are based on Article 82 of the Law, which implements Article 5 (3) of the EU “ePrivacy” Directive into French law.

While the revised guidelines provide the CNIL’s guidance on how to read the relevant provisions of the French Data Protection Act, which governs the use of cookies and other trackers in France, the recommendations adopted by deliberation No. 2020-92 of September 17th, 2020, provide practical guidance and examples to help professionals navigate the rules applicable to cookies and other trackers and comply with the requirements of Article 82 of the French Data Protection Act. These recommendations constitute “soft law” and are not binding but provide strong references for organizations to anticipate how the CNIL may conduct its compliance investigations.

Regarding consent, the CNIL has specified that consent must be:

  • unambiguous: to align with the guidelines on consent issued by the Article 29 Working Party, the CNIL repeals its previous position according to which scrolling down, browsing or swiping through a website or app was considered an acceptable expression of consent to cookies and allowed for cookies to be placed. Therefore, for the CNIL, continuing to navigate a website or use an application is no longer acceptable as evidence of consent to cookies. The absence of action from the user (i.e., no choice from the user) can no longer be construed as valid consent but should rather be construed as refusal. This marks a shift from “soft opt-in” to active consent. The revised guidelines also outline that pre-ticked boxes do not meet the GDPR standard of consent;
  • freely given: the data subject must be able to exercise his / her choice freely. The CNIL has revised (albeit subtly) its previous position regarding “cookie walls” (the practice of making access to a website or application conditional on the prior acceptance of cookies) – where the CNIL previously considered that consent could never be freely given when collected using cookie walls, the revised guidelines now specify that cookie walls are likely to hinder freely given consent. In addition, the CNIL has specified in its case law that failure to provide a means to refuse cookies “as easily” as it is to accept them (e.g., by way of dedicated buttons on a cookie banner) results in consent not being freely given, since users will lean toward accepting cookies rather than performing multiple clicks to refuse;
  • specific: consent must be tailored to each purpose. Therefore acceptance of the general terms and conditions as a whole (“bundled” consent) does not constitute valid consent;
  • informed: the information given to data subjects must be easily understandable by all of them. Information must be given in plain language. The use of complex technical or legal terms does not meet the requirement of prior information. Such information must at least include (i) the identity of the data controller(s) implementing the trackers; (ii) a thorough list of the purpose(s) of the reading or writing operations; (iii) the means available to consent or object to the use of cookies; (iv) the consequences of accepting or refusing the use of cookies; and (v) the right to withdraw consent;
  • evidenced: all organizations that use cookies must implement appropriate mechanisms that allow them to demonstrate, at all times, that they have validly obtained consent from users. The revised guidelines specifically provide that users' choices, be it consent or refusal, must be (i) clearly presented to users, notably as regards the available means to exercise such choice, (ii) collected and clearly evidenced (the recommendations give examples of how to ensure such evidence through the use of a consent management platform, screen capture, etc.) and (iii) recorded by data controllers, for an appropriate duration during which they would not ask the users again for their consent. Such duration may vary depending on the nature of the site or application concerned. According to the Recommendations, a good practice in that respect is 6 months – at the expiry of that term, controllers could ask users again to consent (or refuse) to the use of cookies and trackers; and
  • revocable: organizations are encouraged to put in place user-friendly solutions to allow users to withdraw their consent as easily as they gave it. The CNIL highlights the fact that the means to refuse cookies and trackers must be “as easy” as the means available to accept their use. As a result, users must not be subjected to complex procedures for refusing cookies and trackers and withdrawing their consent, which they must be able to do at any time. To that end, the CNIL provides practical examples and good practices in the Recommendations, from the use of a “reject all” button to the availability of a visible “cookies” icon enabling users to configure their choices and withdraw their consent.

The revised guidelines do not provide a general rule regarding the data retention of cookies and the information collected via such cookies. The CNIL simply recommends that the user’s consent (or refusal) is renewed every 6 months. However, the CNIL has maintained, as guidance, the following data retention terms for certain analytics cookies that do not require users’ consent:

  • the lifetime of these cookies should be limited to a period that allows a relevant comparison of audiences over time, as is the case with a period of 13 months, and is not automatically extended for new visits;
  • the information collected via these cookies is kept for a maximum period of 25 months; and
  • the above-mentioned lifetimes and retention periods are periodically reviewed to ensure that they are limited to what is strictly necessary.

The CNIL regularly undertakes large-scale online investigations (whether on its own initiative or following user complaints) in order to check compliance with its guidelines. Further to these investigations, several waves of formal notices have been sent to organizations from different sectors (major platforms of the digital economy, e-commerce companies, car rental companies, public service authorities, banks, etc.).

The CNIL has also fined companies for non-compliance regarding the use of cookies. Heavy sanctions have been applied to GAFAM companies in particular, with administrative fines of up to 90 million Euros for failures to comply with Article 82 of the Law. It is interesting to note that, in its decisions regarding cookies, the CNIL asserts its competence even where a Lead Authority has been appointed by the sanctioned company, on the ground that the French Supervisory Authority remains the competent authority to control compliance with the e-Privacy Directive requirements, which are specific rules prevailing over the general rules resulting from the GDPR, so that the “One Stop Shop” process does not apply.

In March 2023, the CNIL announced that user tracking by mobile phones was a priority topic for its investigations in 2023. The CNIL indicated that it carried out several investigations on applications that access identifiers generated by mobile operating systems in the absence of user consent. Following these investigations, the CNIL adopted specific guidelines in September 2024 to help professionals design privacy-friendly mobile applications. The CNIL has announced that from spring 2025 it will carry out new investigation campaigns on mobile applications to make sure these guidelines are complied with. 

In July 2024, the CNIL analyzed the consequences of the end of third-party cookies and the development of alternative techniques for ad targeting purposes, including Google’s Privacy Sandbox. The CNIL has recalled the importance of obtaining user consent in this context (e.g. through App Tracking Transparency on Apple devices).

Open data and reuse of publicly available data

In June 2024, the CNIL published several recommendations on open data and on the reuse of publicly available data (e.g. on how to identify the applicable legal basis, on how to inform data subjects, on how to ensure compliance with the minimization principle). The CNIL also published specific recommendations applicable to specific use cases involving the reuse of publicly available data (e.g. to create professional directories or to compile / enrich files for direct marketing purposes).

Artificial intelligence and data protection

The CNIL has recently published several AI compliance tools, such as “how-to sheets” for the creation of databases (involving personal data) in order to train artificial intelligence (AI) systems and a Q&A on the use of generative AI systems.
