Call us: +32 2 566 90 00 Email: [email protected]

Online advertising: after monitoring, CNIL sets out applicable regulations

On 27 July 2016, CNIL announced it would be extending its monitoring of cookies (and other trackers) beyond website publishers to also cover third-party issuers. This involved identifying the responsibilities of all parties along the complex value chain of online advertising.


Monitoring conducted by CNIL services of thirteen cookie issuers based in France and the US identified two distinct scenarios:

CASE No.1. The website publisher sets the cookies itself, or approves the setting of third-party cookies, in order to process data purely for its own use


When a publisher determines how and why the processing of data collected via cookies (whether set either internally or externally (by a third party)) shall be carried out, they shall be deemed responsible for this processing (under Article 3 of the [French] Law). They must therefore assume all obligations under the law, specifically Article 32-II (obtaining prior informed consent, supplying the means to refuse the setting of the relevant cookies).

If the cookie used comes from a third-party server, the latter shall be deemed a sub-contractor as it is processing “personal data on behalf of” and in accordance with the instructions of the publisher (Article 35 of the Law). When cookies are only used as part of a subcontracted service, a contract between the publisher and the cookie issuer should expressly forbid the latter from exploiting data collected through cookies for their own use or for that of other companies.

This covers the following scenarios:

  • E-commerce websites on which advertising sales networks or advertising services providers set cookies for “re-targeting” purposes, which involves “sending targeted website advertisements to profiles which have already visited that advertiser’s website at least once.”;
  • Website publishers who use audience measurement and/or analysis tools (in conjunction with cookies) whether these be developed internally or by a third party;
  • Website publishers who use cookies to measure investment in advertising spaces that they provide and to thus maximise positioning, to assist with invoicing, etc.


CASE No.2. Data collected by third-party cookies is exploited, not by the publisher of the website upon which they are set, but by their issuer

Here the situation is reversed: the website publisher does not define how and why data collected by cookies is used, but simply calls upon "direct" third parties who set cookies on their website visitors’ computers. These “direct” third parties are then likely to contact other third parties with which the original publisher has no direct contact.

The third-party cookie issuer decides how data collected will be processed, whether data is to be exploited for their own purposes or to sell analysis and profiling services to clients or other third parties.

In practice, this situation involves third-party cookie issuers setting cookies on different sites, not only on behalf of the publishers of the websites in question, but to enrich their own databases with navigation data.

This may involve for instance:

  • An advertising network which follows internet users around different sites in order to build up a profile of them or to categorise them in market segments which can be used/sold to other third parties;
  • A real-time auction network which sells advertisers the right to show an advertisement on a webpage;
  • Third parties acting for sponsors (managing what are known as Demand Side Platforms (DSPs) which purchase advertising spaces through automatic bidding and use information related to these spaces to improve their targeting. Essentially, on such occasions, some of these parties may gather navigation data based on cookies for which they have bid, without necessarily handing this information to the advertiser on whose account they are acting.

The third-party cookie issuer should in this instance be considered responsible for this process and, consequently, must comply with all relevant legal obligations, in particular Article 32-II.

Conversely, website publishers having approved the setting of cookies should be deemed subcontractors, acting on behalf of and in accordance with the instructions of the third-party cookie issuer. The relationship between the subcontracting website publisher and the cookie issuer should be governed by a contract which ensures that prior, informed consent is gained from the appropriate individuals on the site visited, as well as supplying the prior means to refuse the setting of the relevant cookies.



For the majority of websites, the two cases above both apply simultaneously. Consequently, determining who is responsible for both processing and subcontracting shall be done on a case-by-case basis, on the basis of the type and provenance of the cookies. In the event that the same cookie is used for processing by different parties (both the publisher and the third-party cookie setter) each party shall be responsible for advising of and obtaining the consent required for any processing for which they are responsible.

CNIL estimates that, in all cases, the publishers of sites which, when visited, trigger the setting of cookies, are the only ones who can provide direct information on cookies set on internet users' computers. In practice, whether they are responsible for processing (case number 1) or subcontracting (case number 2), it is therefore their responsibility to put at their disposal information on the groups of cookies set and their means of refusing them. However, in case number 2 and inasmuch as website publishers must inform internet users of any processing of their data by a third party, only the latter shall be deemed responsible if this information is incomplete or incorrect.


On January 10, 2017, the European Commission published a draft European ePrivacy Regulation, which is to replace the current Directive 2002/58/EC of 12 July 2002, "Directive on Privacy and Electronic Communications”. This Directive is the European instrument covering the use of cookies and other trackers, on which article 32.II of the French data protection act is based. The applicable regulatory framework is liable to change over the next few months, as the Commission has announced its intention to adopt a new instrument during the last half of 2017, which will enter into force in May 2018. CNIL will be closely following changes to the ePrivacy Regulation, with a view to appropriately updating its own regulations to ensure consistency within the overall regulatory framework.