Cookies And Consent: France Clarifies Responsibilities For Online Advertisers

Author:Mr Daniel McLoon, Mauricio F. Paez, Olivier Haas and Undine von Diemar
Profession:Jones Day

In the online advertising sector, achieving a successful advertising campaign often involves implementing cookies (small files stored on computers or mobile devices that contain information on the user's browsing history), which will increase the efficiency of a campaign, typically by enabling the tracking of a user's online activity as well as retargeting and/or profiling actions.

As the use of cookies often involves not only the editor of a website but also third-party service providers, mapping the respective responsibilities of the parties is critical to complying with the regulatory framework.

Generally, online operators who determine the purposes and the means of the data processing are considered as data controllers, whereas the operators who only process personal data on behalf of a data controller will be considered as data processors. EU data protection regulations require that data controllers obtain the prior consent of data subjects for the implementation of cookies, except in a limited number of exceptions.

After conducting a survey of online advertising using cookies, CNIL, the French data protection authority, reached two conclusions:

Website publishers that process personal data that they collect through their own cookies, or through third-party cookies managed on behalf the publishers, will be considered as data controllers. This includes website publishers that use analytic tools to monitor audiences and/or to monitor investments made into their advertising media. Here, third-party providers of cookies will be considered as data processors. Third-party providers of cookies that...

To continue reading