The French data protection authority (the CNIL) is not allowed to prohibit cookie walls according to the French Conseil d’Etat, but the CNIL is still allowed to recommend not to use cookie walls. If a cookie wall violates the principles of the GDPR or French Data Protection Act, the CNIL may still sanction the use of such cookie wall. A brief analysis of the judgment.
In July 2019, the CNIL adopted guidelines relating to the application of Article 82 of the Act of 6 January 1978 as amended to read or write operations in a user's terminal (in particular to cookies and other tracers). This article transposes the provisions of the ePrivacy Directive.
The CNIL focused in particular on the free and specific nature of consent in relation to cookies walls, the practice of making access to a website or mobile application conditional on consent to the installation of cookies and trackers on the device used. After recalling the position of the European Data Protection Board (EDPB) on this subject, the CNIL considered that "the global acceptance of general conditions of use cannot be a valid way of collecting consent, insofar as it cannot be given separately for each purpose" (translated from French), and that therefore cookies walls are not an acceptable practice in terms of data protection and do not comply with the GDPR. The CNIL also explained that the acceptance of cookies and tracers globally is acceptable only if it is supplemented by the possibility to give consent specifically for each purpose. The CNIL justified this prohibition on the need to obtain free and specific consent, which by their nature, cookie walls do not allow.
These guidelines were widely criticised, and the Litigation Division of the French Conseil d'Etat was seized primarily with an application for annulment on the grounds that the guidelines had been exceeded. The applicants – large media companies – argued in particular that the contested guidelines infringed the applicable laws and regulations by prohibiting the use of cookie walls, thereby unduly restricting freedom of enterprise and freedom of information.
The interest of the decision of the Conseil d’Etat is, however, not limited to cookie walls. Among the pleas raised, the claimants argued that the CNIL was not competent because it did not have the power to issue guidelines on data of a non-personal nature under any legislative or regulatory provision. The applicants also claimed that the CNIL had exceeded its powers and committed an error of law by basing its guidelines on those of the European Data Protection Board, which are devoid of binding legal force.
The Conseil d’Etat recalls that the CNIL has jurisdiction on the basis of the French Data Protection Act. Article 20 of the Act gives the President of the CNIL the power to take corrective measures in the event of failure to comply with the obligations arising from Regulation (EU) 2016/679 (the GDPR) or its own provisions. However, the French Data Protection Act also transposes the provisions of the e-privacy Directive, which regulates, among other things, cookies. The Conseil d'Etat concludes that it follows from the general scheme of the Data Protection Act that the CNIL is responsible for ensuring the compliance of any data processing falling within its scope, whether or not it involves personal data. Therefore, the CNIL was competent to adopt "guidelines" applicable, in a general way, to "cookies" and other tracers.
According to the Conseil d'Etat, it is not because the CNIL refers to the work of the EDPB that it seeks to give it binding value. Indeed, the reference to the work of the Board is explained by its mission, which is to ensure a uniform application of the GDPR. Thus, in echoing the EDPB’s work, the CNIL refers to an interpretation recognised throughout the European Union. Thus, in its Opinion 5/2019 on the relationship between the ePrivacy Directive and the GDPR and again in its new guidelines on consent of May 2020, the EDPB underlines that the practice of cookie walls is not in line with the ePrivacy Directive, in that it does not allow for free consent within the meaning of the ePrivacy Directive. Both the Dutch data protection authority (Autoriteit Persoonsgegevens) and the EDPB consider that cookie walls do not allow for the expression of free consent, and as such they are not allowed. The Belgian data protection authority (Gegevensbeschermingsautoriteit) is also of the same opinion.
The difficulty here stems from the differences in nature between the EDPB guidelines, which are non-binding recommendations, and those of the CNIL, which are the result of deliberations and have binding force. However, according to the French Conseil d'Etat, "By recalling the EDPB position on [cookie walls], without making it its own, the CNIL, which did not misunderstand the scope of the EDPB's recommendations, did not intend to give them binding force" (translated from French).
The Conseil d’Etat rejected the applicants’ request on all points, except for the general and absolute ban on cookie walls.
Indeed, the CNIL's assertion that consent is only valid if the data subject does not suffer major inconvenience in the event of the absence or withdrawal of his consent, such as the impossibility of accessing a website or application because of a cookie wall, is a general and absolute prohibition. According to the Conseil d’Etat such a prohibition cannot be inferred from the sole requirement of free consent. As such, the CNIL has exceeded its powers under a soft law instrument such as guidelines. The Conseil d'Etat therefore considers that the CNIL exceeded its powers when drafting soft law by deducing a general prohibition from a provision of the GDPR.
The CNIL has stated that it takes note of the decision of the Conseil d’Etat and will adopt its guidelines accordingly.
However, one might observe that even if the CNIL cannot deduce from the text of the GDPR a general and absolute prohibition when drafting soft law, it can, within the framework of guidelines, make recommendations on the implementation of the GDPR and the French Data Protection Act. So if the CNIL cannot prohibit cookies walls, it can on the other hand give recommendations on the implementation of cookies (and cookie walls). It is for this reason that the rest of the deliberation is not null and void. Consequently, any failure noted by the CNIL to comply with the recommendations made in its guidelines may be sanctioned in the end.
In practice, wall cookies are therefore not prohibited, but any operator using cookies and other tracers will have to implement all the other recommendations of the CNIL.
Although the Conseil d'Etat has struck down the CNIL's absolute ban on cookies wall, the fact remains that such a practice is not considered compliant with the GDPR. Moreover, the Conseil d'Etat does not rule on the legality of cookie walls, simply on the fact that the CNIL does not have the competence to prohibit them by means of a soft law instrument.
In fact, even if wall cookies do not comply with the GDPR, they are not prohibited by the CNIL. That said, if the CNIL cannot sanction them as such, the practices that they may lead to, particularly in terms of information and validity of consent, may be sanctioned. It is therefore still recommended to avoid cookie walls.
Do you have any questions related to cookies or cookie walls? Contact Timelex.