The Cookie Wall Must Come Down. Or Not?
The French Council of State has partially struck down the new cookie guidelines issued by the French data protection authority (CNIL). Specifically, the decision annuls the guidelines’ ban on ‘cookie walls’, a practice that restricts access to a website unless the user consents to the placement of cookies. The Council of State found that a general and absolute ban is outside of the CNIL’s powers and is therefore invalid.
The CNIL issued its updated cookie guidelines in July 2019, repealing its prior cookie recommendation. The updated guidelines outline the various rules applicable to the use of cookies, including requirements for obtaining valid cookie consent, disclosures about third-party recipients who have access to cookies, proof of consent, use of browser settings, exemptions for audience measurement cookies, and notice requirements for cookies exempted from consent (essential cookies).
In particular, the CNIL’s cookie guidelines (Article 2) provided that in order for consent to be valid, individuals must not suffer any ‘major inconveniences’ if they refuse to consent or withdraw their consent to the use of cookies. In that respect, the guidelines refer to a statement by the European Data Protection Board (“EDPB”) of May 2018 on the reform of e-Privacy, indicating, according to the CNIL, that the use of cookie walls does not comply with the General Data Protection Regulation (“GDPR”). In doing so, the cookie guidelines suggested that cookie walls are never capable of being deployed in a compliant way under the GDPR, thereby essentially putting forward a ban on the use of cookie walls.
Between September 2019 and May 2020, a number of adtech, media, and ecommerce associations challenged the CNIL’s updated cookie guidelines before the French Council of State, the highest administrative court of France. The associations argued that the CNIL had exceeded its powers in a number of ways. First, they claimed that the CNIL could not issue cookie guidelines at all, as the CNIL’s powers are limited to matters where personal information is involved (recalling that cookies do not always involve the processing of personal information). Second, the associations challenged the guidelines on substantive issues, including that the guidelines contain a ban on the use of cookie walls altogether.
First, the Council of State confirmed the CNIL’s power to issue guidelines in relation to cookies, holding that the CNIL officially oversees the processing of data in the context of the GDPR and the French Privacy Act (which contains the rules on the use of cookies). The fact that the cookie rules are not limited to personal information means that the CNIL’s powers are not limited in that respect either.
Second, the Council of State upheld the cookie guidelines issued by the CNIL where they regard:
The only point where the Council of State clearly did follow the associations’ argument was in respect of the cookie wall ban. The Council of State agreed with the associations that Article 2 seemed to contain a blanket ban on cookie walls based solely on the GDPR’s requirement that consent needs to be freely given. According to the Council of State, proclaiming through guidelines a general and absolute ban on cookie walls altogether based solely on freely-given consent exceeds the powers of the CNIL, which can only provide for guidelines within the confines of the law. Since neither the GDPR nor the French Data Protection Act contains an explicit ban on cookie walls, it is not for the CNIL to formulate such a ban through guidelines (especially not by deriving such a ban solely from the GDPR’s freely-given consent requirement and an EDPB statement).
In that respect, it is worth recalling that EDPB statements are in fact non-binding. They do not have the status of law, and data protection authorities (“DPAs”) are not bound to follow them. In this case, the Council of State implied that the CNIL in fact cannot follow the EDPB (at least not on the point of cookie walls). The only way for a cookie wall prohibition to be legitimate in France is when this is included in national or European Union law.
The CNIL already indicated that it will adapt its new cookie guidelines ‘to the strictest extent needed’ to account for the Council of State’s decision, as well as adopt its upcoming operational guidelines on how to implement cookie consent (which have been delayed due to COVID-19), when it reconvenes in September 2020. The CNIL has not yet indicated how it will adapt its cookie guidelines specifically to the Council of State’s decision and what that could entail for the industry.
This is not to say that the CNIL will retract its disapproval of cookie walls altogether. One option would be for the CNIL to simply tone down the language in the revised cookie guidelines by recalling that in order for consent to be valid, it needs to be freely given (which is provided for under the GDPR) and that cookie walls, if used, should not interfere with consent being freely given. The CNIL can then put the onus on website operators to demonstrate that consent is validly obtained despite a cookie wall. In fact, DPAs in other countries have adopted a similar approach. In Austria, the DPA has come forward to allow the use of cookie walls where users can opt for a paid version of the service which enables them to reject cookies. In Spain, the DPA has opined that cookie walls are permissible as long as users are appropriately informed, except where the access restriction prevents the user from exercising a legal right. In the Netherlands, where the DPA came out with strong language suggesting a prohibition of cookie walls, its FAQs do suggest that providing a paid alternative may be acceptable for using a cookie wall.
At the same time, as earlier proposals of the upcoming e-Privacy Regulation have contained a proposed ban on cookie walls, it is very well possible that such a ban will ultimately find its way into law via that route. Until such time, the CNIL has the next move. Whichever direction the CNIL decides to follow, it is clear that its steps do not go unchecked.