## CNIL Fines Condé Nast for Cookie Consent Violations
In a significant move for data protection, France’s data authority, CNIL, has imposed a €750,000 fine on Les Publications Condé Nast for failing to honor user consent regarding cookies on their Vanity Fair website (vanityfair.fr). The ruling stems from complaints originally filed by the privacy advocacy group NOYB, led by activist Max Schrems, six years ago. The latest action reinforces France’s commitment to enforcing cookie consent rules, as outlined in the ePrivacy Directive.
### Background of the Case
NOYB first raised concerns in December 2019 over the handling of cookies on the Vanity Fair France site. An extensive investigation by CNIL led to a compliance order issued in September 2021, but Condé Nast’s subsequent adherence efforts fell short. By July 2022, after the company promised to take corrective action, CNIL considered its investigation closed; however, that was not the end of the scrutiny.
### Ongoing Violations
Despite assurances of compliance, CNIL conducted follow-up investigations in July and November 2023, and noted further violations. The authority discovered that tracking technologies were still being placed on user devices without consent as soon as visitors entered the site. This breach directly contravenes the consent requirements mandated in French law, which stipulate that cookie deployment should only occur after explicit user agreement.
### Lack of Clear Communication
Investigators also found that the information given to users was unclear. The site misclassified certain cookies as “strictly necessary,” a category that would exempt them from requiring user consent, yet failed to inform users adequately about their actual purpose. This misleading information could lead users to accept cookies unwittingly while believing they were rejecting them.
Moreover, even after users tried to refuse cookie placement by clicking the “Refuse All” button, tracking on their devices continued. Users were exercising their right to withdraw consent, but Condé Nast’s mechanisms for doing so were ineffective, which further compounded the violations.
### Strengthening Enforcement Actions in France
The €750,000 fine reflects CNIL’s ongoing efforts to hold companies accountable for cookie violations, particularly since Condé Nast had received prior warnings about its practices. The CNIL has ramped up enforcement in recent months, with notable fines against other firms, such as €40 million against Criteo and €325 million against Google. Additionally, Spain’s data protection authority issued a €100,000 fine to Euskaltel in similar NOYB-related actions.
Condé Nast’s acknowledgment of these violations, although attributed to technical errors, underscores their need for improvement. The company pointed fingers at the Internet Advertising Bureau’s Transparency and Consent Framework for providing misleading information, claiming the disputed cookies should be classified under functionality.
### The Bigger Picture: Cookie Consent Challenges
This case illustrates the growing pressure on organizations to comply with the stringent cookie laws outlined in the ePrivacy Directive. Unlike broader data regulations under the GDPR, cookie enforcement is governed by distinct rules that allow CNIL to act against companies for non-compliance directly affecting French users.
The authority has focused particularly on eradicating “dark patterns” that deceive users into accepting cookies, emphasizing that sites must make refusing cookies as easy as accepting them. Previous CNIL rulings have established the necessity for two-click policies, disallowing any instance where refusing cookies is more complex than accepting them.
### The Significance of Compliance Timelines
The lengthy timeline from the initial complaint to CNIL’s final sanction—spanning six years—highlights the challenges surrounding privacy enforcement. Many companies continue to exploit loopholes while engaging in non-compliant practices, often garnering advertising revenue through unauthorized tracking. The persistence demanded in such cases emphasizes the ongoing struggle for consumer privacy.


