The French Council of State has partially struck down the new cookie guidelines issued by the French data protection authority (CNIL). Specifically, the decision annuls the guidelines’ ban on ‘cookie walls’, a practice that restricts access to a website unless the user consents to the placement of cookies. The Council of State found that a general and absolute ban is outside of the CNIL’s powers and is therefore invalid.
Between September 2019 and May 2020, a number of adtech, media, and ecommerce associations challenged the CNIL’s updated cookie guidelines before the French Council of State, the highest administrative court of France. The associations argued that the CNIL had exceeded its powers in a number of ways. First, they claimed that the CNIL could not issue cookie guidelines at all, as the CNIL’s powers are limited to matters where personal information is involved (recalling that cookies do not always involve the processing of personal information). Second, the associations challenged the guidelines on substantive issues, including that the guidelines contain a ban on the use of cookie walls altogether.
Second, the Council of State upheld the cookie guidelines issued by the CNIL where they regard:
The only point where the Council of State clearly did follow the associations’ argument was in respect of the cookie wall ban. The Council of State agreed with the associations that Article 2 seemed to contain a blanket ban on cookie walls based solely on the GDPR’s requirement that consent needs to be freely given. According to the Council of State, proclaiming through guidelines a general and absolute ban on cookie walls altogether based solely on freely-given consent exceeds the powers of the CNIL, which can only provide for guidelines within the confines of the law. Since neither the GDPR nor the French Data Protection Act contain an explicit ban on cookie walls, it is not for the CNIL to formulate such a ban through guidelines (especially not by deriving such a ban solely from the GDPR’s freely-given consent requirement and an EDPB statement).
In that respect, it is worth recalling that EDPB statements are in fact non-binding. They do not have the status of law, and data protection authorities (“DPAs”) are not bound to follow them. In this case, the Council of State made it implicit that the CNIL in fact cannot follow the EDBP (at least not on the point of cookie walls). The only way for a cookie wall prohibition to be legitimate in France is when this is included in national or European Union law.
The CNIL already indicated that it will adapt its new cookie guidelines ‘to the strictest extent needed’ to account for the Council of State’s decision, as well as adopt its upcoming operational guidelines on how to implement cookie consent (which have been delayed due to COVID-19), when it reconvenes in September 2020. The CNIL has not yet indicated how it will adapt its cookie guidelines specifically to the Council of State’s decision and what that could entail for the industry.
This is not to say that the CNIL will retract its disapproval of cookie walls altogether. One option would be for the CNIL to simply tone down the language in the revised cookie guidelines by recalling that in order for consent to be valid, it needs to be freely given (which is provided for under the GDPR) and that cookie walls, if used, should not interfere with consent being freely given. The CNIL can then put the onus on website operators to demonstrate that consent is validly obtained despite a cookie wall. In fact, DPAs in other countries have adopted a similar approach. In Austria, the DPA has come forward to allow the use of cookie walls where users can opt for a paid version of the service which enables them to reject cookies. In Spain, the DPA has opined that cookie walls are permissible as long as users are appropriately informed, except where the access restriction prevents the user from exercising a legal right. In the Netherlands, where the DPA came out with strong language suggesting a prohibition of cookie walls, its FAQs do suggest that providing a paid alternative may be acceptable for using a cookie wall.
At the same time, as earlier proposals of the upcoming e-Privacy Regulation have contained a proposed ban on cookie walls, it is very well possible that such a ban will ultimately find its way into law via that route. Until such time, the CNIL has the next move. Whichever direction the CNIL decides to follow, it is clear that its steps do not go unchecked.
Visit our Privacy + Data Security page for links to our privacy library and resource centers on the CCPA, the GDPR, and cybersecurity. Be sure to bookmark and visit regularly, as new insights will be added frequently.