France Implements New Cookie Consent Requirements, Data Breach Disclosure and Notification Rules
On August 24, 2011, in accordance with the EU’s recent revisions to the 2002 e-Privacy Directive, France implemented a law introducing new consent requirements for electronic cookies as well as disclosure and notification rules related to data breaches. The French ordinance complies with the revised e-Privacy Directive by requiring user consent before websites can track visitors with cookies. However, it permits this consent to be obtained from the setting of parameters or other communication system preferences under the user’s control, which means that browser settings may be sufficient to establish prior consent.
France’s new approach is consistent with guidance published by the U.K. Information Commissioner’s Office, although it is less strict than the recommendations from the Article 29 Working Party. For detailed background on European cookie policy, its continuing implementation, and recommendations for compliance during this period of transition, see DWT’s advisory on Six Tips for Compliance with Europe’s New Cookie Rules.
In addition to the cookie rules, the French ordinance requires ISPs and telecommunications operators to notify the French data protection authority of any data security breach. These service providers must also notify the subject of a data breach unless the compromised data has been rendered indecipherable or incomprehensible to unauthorized persons. Criminal sanctions for non-compliance with the data breach provisions include up to five years in prison and a fine of up to €300,000.
The above authors, DWT’s Robert Stankey and Adam Shoemaker, will present further information about new changes to Europe’s data privacy rules, especially those concerning electronic cookies, in a September 21 webinar, which can be signed up for here.