Re: cookies irrelevant
"I doubt whether a plea of "they said their app was compliant and I took them at their word" would get them off the hook."
The CNIL specifically states that "bon volonté" ("but they said...") is an unacceptable excuse. A Data Controller is obliged to audit Data Processors that manage data on their behalf.
This was written in the context of, say, your employer outsourcing their HR or whatever. However it would be interesting to determine if visiting a website causes personal information to be collected (even if by a third party), since it's the visitation that triggers this, does that make the site owners the Data Controller (and, therefore, the responsible party)?
I'd Google, but far too much "check your site is compliant" spam for a Friday evening.
Biting the hand that feeds IT
