On April 24 2025, the French supervisory authority (CNIL) issued a draft recommendation to address challenges in collecting user consent for cookies and trackers across multiple devices (the Draft Recommendation). The new...more
Following a wave of “session replay” wiretapping lawsuits in the United States, France’s Commission Nationale de l’Informatique et des Libertés (CNIL) has launched a consultation on tools for recording and replaying browsing...more
In 2024, the CNIL stepped up its enforcement action, issuing 87 sanctions, 180 compliance orders and 64 reprimands. However, only 12 decisions were made public, thus complicating the exercise of making the regulator’s...more
While mobile apps have become one of the major means of access to digital services, their ubiquity is accompanied by significant risks to users' privacy, due to the massive amount of personal data they collect and process....more
Following the very recent adoption of the EU Regulation on AI (the AI Regulation) the CNIL (the French data regulator) has issued the second in its series of recommendations for the development of privacy-friendly AI models....more
The French Data Protection Authority (CNIL) recently imposed a EUR 310,000 fine, representing 1% of its turnover, on FORIOU, a telemarketing company promoting loyalty programs. The fine stemmed from FORIOU’s use of...more
Authorities opened an investigation after Uber drivers in France sent complaints to the French privacy protection commission, the CNIL. The CNIL transferred the handling of the complaints to the Dutch Data Protection...more
Each year, the CNIL selects key areas of high interest to concentrate its investigations and assess the compliance of select commercial sectors. On February 8, The CNIL announced its four main areas of focus for...more
Following the publication of several press articles and employee complaints, the French data protection regulator (“CNIL”) carried out an investigation at the Amazon France Logistique’s (“Amazon”) warehouses. The CNIL's...more
French authorities have fined an air freight company for a string of employee data violations, and for its failure to fully cooperate with their investigation....more
The European Data Protection Board (EDPB) adopted a draft report of the work undertaken by the Cookie Banner Taskforce (the Report). The Report describes how regulators apply cookie legislation in handling certain types of...more
On 3 February 2022, the French Commission Nationale de l'Informatique et des Libertés (the "CNIL") published a set of commercial management guidelines for all organizations that conduct data processing for the management of...more
You need a data retention plan. No really. And not just in the European Union. In California too. Commission Nationale de l’Informatique et des Libertés (CNIL) has fined messaging platform Discord 800,000 EUR for (non...more
Websites that distribute content not intended for minors usually request that visitors confirm they are over 18 through a simple click. The efficiency of this approach is clearly limited, and 44% of 11-18 year olds in France...more
What do obscenity and data minimization have in common? As Justice Potter Stewart famously wrote in his concurring opinion to the U.S. Supreme Court’s decision in the 1964 free speech case Jacobellis v. Ohio, “I know it...more
The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations. The use of card, contactless, and innovative digital payment solutions has significantly...more
As jurisdictions across the world grapple with the effects of the more infectious delta variant, many governments either have taken or are considering more restrictive measures to reduce infection rates and community spread...more
On Tuesday, June 15, 2021, a French court ordered IKEA to pay 1 million euros ($1.2 million) for spying on its employees in France. The allegations included reviewing employees' bank account records, using fake employees to...more
The French Data Protection Authority (CNIL) published an FAQ on March 18, 2021 to further explain its earlier guidelines and “recommendation” on cookies and other tracking technologies, which were published on September 17,...more
This quarterly update highlights some of the international data protection issues that have caught our attention, and the attention of our clients, in the past three months....more
The Commission nationale de l'informatique et des libertés (CNIL) is the national data protection authority in France. Recently, it announced new guidance on cookies and online trackers (Guidelines). Operators of...more
In a decision (French only) dated 27 February 2020, the French Administrative Court of Marseille invalidated the deliberation of the Provence-Alpes-Côte d’Azur Regional Council which allowed to set up...more
Following the outbreak of COVID-19, organizations have been implementing exceptional measures to maintain "business-as-usual" to the extent allowed by their particular circumstances and to protect their employees, customers...more
On April 7, 2020, the French Data Protection Authority (the CNIL) published on its website a Q&A on the right to de-listing. The right to de-listing enables a data subject to request from a search engine to remove one or...more
As the coronavirus has spread worldwide to reach pandemic level, employers are putting into place measures group-wide to limit risks of contagion within the work place. Some of these measures have led companies to question...more