Definition
Users must give informed and unambiguous consent and receive clear information about cookies, including processing purposes and data controller identity, according to the law.
Excerpt
Any subscriber or user of an electronic communications service must be informed in a clear and comprehensive manner, unless he has been informed in advance, by the controller or his representative of:
1. The purpose of any action to access, by electronic transmission, information already stored in his/her electronic communications terminal equipment, or to record information in such equipment;
2. The means at his/her disposal to oppose it.
Such access or registration may only take place if the subscriber or user person has expressed, after having received this information, his/her consent, which may result from appropriate parameters of his/her connection device or any other device under his control.
These provisions shall not apply if access to information stored in the user’s terminal equipment or registration of information in the user’s terminal equipment:
1. either has the exclusive purpose of allowing or facilitating communication by electronic means, or
2. is strictly necessary for the provision of an online communication service at the express request of the user.
Related cases
Google LLC and Google Ireland Limited required users to go through several steps to refuse cookies, and for not providing a “refuse all” button in the first layer of the cookie notice.
TikTok was fined by the French DPA for implementing advertising identifiers without consent and for having an insufficiently informative cookie banner. The banner allowed users to accept all cookies with one click, making it difficult to refuse them, and some advertising cookies were placed even if a user did not consent.
VOODOO was fined by the French DPA for not obtaining user consent for personalized advertising and for providing false information about user tracking behavior. Users were presented with a misleading choice of accepting or declining tracking, followed by a second window requiring acceptance of the provider's data protection policy.
SOCIETE DU FIGARO was held responsible for allowing partners to deposit cookies on user terminals for advertising purposes without obtaining their consent or action. The company failed to provide users with effective means to refuse the deposit of cookies for advertising purposes, despite expressing their desire to do so.
The French DPA found Facebook guilty for making it more complex for users to refuse cookies than to accept them, and for not providing users with clear information on refusal of cookies.
CNIL found Amazon guilty of depositing cookies without prior consent and the failure to inform users about depositing cookie or the means to refuse them.
The French DPA fined Microsoft for installing non-essential cookies without valid consent and making refusal of cookies harder than accepting them by placing them on a second layer.
The French DPA fined Apple for implementing the ‘personalised ads’ setting as default without prior consent and making it hard to change the setting by involving multiple steps.