Insights

  • Home
  • Insights
  • French Data Protection Authority Clarifies Responsibilities for the Use of Cookies in Online Advertising

Share

French Data Protection Authority Clarifies Responsibilities for the Use of Cookies in Online Advertising

French Data Protection Authority Clarifies Responsibilities for the Use of Cookies in Online Advertising

June 2017 Alert

In the online advertising sector, achieving a successful advertising campaign often involves implementing cookies (small files stored on computers or mobile devices that contain information on the user's browsing history), which will increase the efficiency of a campaign, typically by enabling the tracking of a user's online activity as well as retargeting and/or profiling actions.

As the use of cookies often involves not only the editor of a website but also third-party service providers, mapping the respective responsibilities of the parties is critical to complying with the regulatory framework.

Generally, online operators who determine the purposes and the means of the data processing are considered as data controllers, whereas the operators who only process personal data on behalf of a data controller will be considered as data processors. EU data protection regulations require that data controllers obtain the prior consent of data subjects for the implementation of cookies, except in a limited number of exceptions.

After conducting a survey of online advertising using cookies, CNIL, the French data protection authority, reached two conclusions:

 

  • Website publishers that process personal data that they collect through their own cookies, or through third-party cookies managed on behalf the publishers, will be considered as data controllers. This includes website publishers that use analytic tools to monitor audiences and/or to monitor investments made into their advertising media. Here, third-party providers of cookies will be considered as data processors.
  • Third-party providers of cookies that process, on their own behalf, personal data they collect through their own cookies will be considered as data controllers. This will typically involve: (i) an advertising department tracking users on several websites to determine their profiles; (ii) real-time bidding platforms; and (iii) any service provider that collects personal data in order to build its own database.

Businesses active in France must assess their compliance with respect to the use of cookies, especially when resorting to third-party service providers for the management of cookies. This is especially urgent now that France's level of potential fines recently has been increased (€3 million) and most likely will be raised even further (up to €20 million and 4 percent of a company's worldwide annual turnover) in 2018, when the draft e-Privacy regulation is finalized and becomes applicable.

For further information on the draft ePrivacy regulation, please view our related Commentary, "ePrivacy—European Commission Tries to Catch Up with the Evolution of Modern Communication Technologies."

Lawyer Contacts

For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.

Daniel J. McLoon
Los Angeles
+1.213.243.2580
djmcloon@jonesday.com

Mauricio F. Paez
New York
+1.212.326.7889
mfpaez@jonesday.com

Olivier Haas
Paris
+33.1.56.59.38.84
ohaas@jonesday.com

Undine von Diemar
Munich
+49.89.20.60.42.200
uvondiemar@jonesday.com

Hatziri Minaudier, an associate in the Paris Office, assisted in the preparation of this Alert.  

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our web site at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.

You May Also Be Interested In

April 2024 Alert

Here We Go Again: U.S. Congress Reintroduces New Comprehensive Federal Privacy Law

April 2024 Alert

FDA Proposes Updated Guidance Concerning Cybersecurity of Medical Devices

April 2024 White Paper

2023 False Claims Act Enforcement in Health Care and Life Sciences, Part II

April 2024 Alert

CISA Releases Proposed Cyber Incident and Ransom Payment Reporting Rules to Implement CIRCIA

Before sending, please note:

Information on www.jonesday.com is for general use and is not legal advice. The mailing of this email is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Anything that you send to anyone at our Firm will not be confidential or privileged unless we have agreed to represent you. If you send this email, you confirm that you have read and understand this notice.