On 27 July 2016, CNIL announced it would be extending its monitoring of cookies (and other trackers) beyond website publishers to also cover third-party issuers. This involved identifying the responsibilities of all parties along the complex value chain of online advertising.
Monitoring conducted by CNIL services of thirteen cookie issuers based in France and the US identified two distinct scenarios:
CASE No.1. The website publisher sets the cookies itself, or approves the setting of third-party cookies, in order to process data purely for its own use
When a publisher determines how and why the processing of data collected via cookies (whether set internally or externally by a third party) shall be carried out, they shall be deemed responsible for this processing (under Article 3 of the [French] Law). They must therefore assume all obligations under the law, specifically Article 32-II (obtaining prior informed consent, supplying the means to refuse the setting of the relevant cookies).
If the cookie used comes from a third-party server, the latter shall be deemed a subcontractor as it is processing “personal data on behalf of” and in accordance with the instructions of the publisher (Article 35 of the Law). When cookies are only used as part of a subcontracted service, a contract between the publisher and the cookie issuer should expressly forbid the latter from exploiting data collected through cookies for their own use or for that of other companies.
This covers the following scenarios:
- E-commerce websites on which advertising sales networks or advertising services providers set cookies for “re-targeting” purposes, which involves “sending targeted website advertisements to profiles which have already visited that advertiser’s website at least once”;
- Website publishers who use audience measurement and/or analysis tools (in conjunction with cookies), whether these be developed internally or by a third party.
CASE No.2. Data collected by third-party cookies is exploited, not by the publisher of the website upon which they are set, but by their issuer
Here the situation is reversed: the website publisher does not define how and why data collected by cookies is used, but simply calls upon "direct" third parties who set cookies on their website visitors’ computers. These “direct” third parties are then likely to contact other third parties with which the original publisher has no direct contact.
The third-party cookie issuer decides how data collected will be processed, whether data is to be exploited for their own purposes or to sell analysis and profiling services to clients or other third parties.
In practice, this situation involves third-party cookie issuers setting cookies on different sites, not only on behalf of the publishers of the websites in question, but to enrich their own databases with navigation data.
This may involve for instance:
- An advertising network which follows internet users around different sites in order to build up a profile of them or to categorise them in market segments which can be used/sold to other third parties;
- A real-time auction network which sells advertisers the right to show an advertisement on a webpage;
- Third parties acting for sponsors, managing what are known as Demand Side Platforms (DSPs), which purchase advertising spaces through automatic bidding and use information related to these spaces to improve their targeting. Essentially, on such occasions, some of these parties may gather navigation data based on cookies for which they have bid, without necessarily handing this information to the advertiser on whose account they are acting.
The third-party cookie issuer should in this instance be considered responsible for this process and, consequently, must comply with all relevant legal obligations, in particular Article 32-II.
Conversely, website publishers having approved the setting of cookies should be deemed subcontractors, acting on behalf of and in accordance with the instructions of the third-party cookie issuer. The relationship between the subcontracting website publisher and the cookie issuer should be governed by a contract which ensures that prior, informed consent is gained from the appropriate individuals on the site visited, as well as supplying the prior means to refuse the setting of the relevant cookies.
For the majority of websites, the two cases above both apply simultaneously. Consequently, determining who is responsible for both processing and subcontracting shall be done on a case-by-case basis, according to the type and provenance of the cookies. In the event that the same cookie is used for processing by different parties (both the publisher and the third-party cookie setter), each party shall be responsible for informing users of, and obtaining the consent required for, any processing for which they are responsible.
CNIL considers that, in all cases, the publishers of sites which, when visited, trigger the setting of cookies are the only ones who can provide direct information on cookies set on internet users' computers. In practice, whether they are responsible for processing (case number 1) or subcontracting (case number 2), it is therefore their responsibility to make available to internet users information on the groups of cookies set and the means of refusing them. However, in case number 2 and inasmuch as website publishers must inform internet users of any processing of their data by a third party, only the latter shall be deemed responsible if this information is incomplete or incorrect.