Privacy & Information Security Law Blog

On December 12, 2024, the French Data Protection Authority (“CNIL”) announced that it had issued notices to several organizations ordering them to modify the cookie banners on their websites to bring them into compliance. The notices followed complaints made to the CNIL regarding dark patterns on cookie banners that encouraged website users to accept the use of non-essential cookies. Following its investigation into the complaints, the CNIL found two key areas of non-compliance, which formed the basis of its orders:

• The method for rejecting the use of non-essential cookies was not as easy for the website user to select as the method for accepting the use of non-essential cookies. For example, the CNIL found that the method for accepting non-essential cookies was presented in a color, font size, and font style that disproportionately emphasized acceptance over the option to reject.
• Website users were encouraged to provide consent for non-essential cookies through the use of ambiguous or misleading designs. For example, the CNIL found that the option to reject non-essential cookies was placed next to other paragraphs without sufficient spacing to visually distinguish it from all other information.

Organizations that received notices from the CNIL have one month to comply.