Court’s decision struck down blanket prohibition on so-called “cookie walls” that prevent users from accessing a website or an application.
French and European context
Following the GDPR’s entry into application and the publication on 10 April 2018 of the guidelines on consent of the European Data Protection Board (the EDPB), the CNIL issued its own Guidance on cookies and other tracking devices. As Latham previously highlighted, the Guidance asserts that organizations shall not place cookies unless users have previously positively accepted their placement in a free, specific, informed, and unambiguous manner. Although the Guidance provides useful insights on the means of obtaining valid consent, it is not meant to create additional rights for users, nor does it impose new constraints on the data controllers.
On 14 January 2020, the CNIL shared draft supplemental guidance (the Draft Recommendation) providing examples of practical arrangements for obtaining valid consent, as well as a Q&A on the Draft Recommendation and related topics. A public consultation on the Draft Recommendation was open until 25 February 2020, and the CNIL expected to publish its final recommendation in Spring 2020. However, in light of the COVID-19 crisis, the data protection authority postponed the adoption of the final version of its recommendation to a later date.
Both the Guidance and the future recommendation are soft law instruments and, as such, they are not legally binding. Their main purpose is to deliver the CNIL’s interpretation of the applicable law, and to provide practical advice on the means of translating these legal requirements into compliant user interface layouts.
Decision of the Conseil d’Etat
On 18 September 2019, nine professional associations and trade unions representing the digital communication and marketing ecosystem brought an action before the Conseil d’Etat to seek the annulment of the Guidance, on the grounds that the CNIL went beyond what is required by the GDPR and the e-Privacy Directive.
The applicants’ other arguments were all rejected.
The rest of the Guidance remains fully applicable, including all of the following provisions:
- Cookies may not be placed, stored, or accessed unless users have received transparent and complete information; therefore, users must have access to a regularly updated and comprehensive list of the data controllers that set cookies on their devices
- Users must receive information on all the purposes of a cookie before consenting, even if the user is given the option to give general consent for all purposes
- Withdrawing and refusing consent must be as easy as giving consent to cookies
- Data controllers must be able to demonstrate (at any time) that they collected the user’s valid consent before placing cookies
- The CNIL may provide non-binding recommendations on the duration of users’ consent to cookies, on the retention period of the data collected through cookies, or on the information that should be provided to users regarding cookies for which their consent is not required
Necessary compliance with the ECJ’s recent decision on cookies
On 1 October 2019, the European Court of Justice (the ECJ) issued a decision on cookies in which it confirmed that the conditions for obtaining valid consent pursuant to the GDPR are applicable to the collection of users’ consent to the reading and writing of cookies, regardless of whether the information stored or accessed in users’ terminal equipment comprises personal data.
The ECJ also emphasized the idea that consent to the placement of cookies is not valid if obtained by means of a default checkbox that users must uncheck in order to refuse to consent.
Absence of a consensus on cookie walls at the European level
The ECJ has not yet provided an analysis of the validity of cookie walls; hence, there is no binding interpretation of the e-Privacy Directive and GDPR on this point.
On 4 May 2020, the EDPB adopted updated guidelines on consent that included the question of the validity of consent provided by data subjects when interacting with cookie walls. The EDPB made clear that, “in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so-called cookie walls)” (see §39). Although the role of the EDPB is to ensure the consistent application of the GDPR, and although it may “issue guidelines, recommendations and best practices in order to encourage consistent application of [the GDPR]” (Article 70.1.(e) of the GDPR), such guidelines are only a soft law instrument, and are not legally binding.
Data protection authorities in Member States may therefore maintain their differing assessments of the validity of cookie walls, until a legally binding interpretation is provided:
- As mentioned above, the CNIL considers cookie walls to be unlawful insofar as users suffer significant disadvantages for refusing or withdrawing consent to cookies, and, therefore, a user’s consent may never be free. The Conseil d’Etat did not invalidate this position but ruled that the CNIL is not competent to pronounce an absolute ban on cookie walls through a soft law instrument.
- The Dutch Data Protection Agency shared a similar analysis to the CNIL in a communication dated 7 March 2019.
- The association of German data protection agencies published a position paper in March 2019, in which it asserted that access to a website may not be conditional on the user’s consent to non-essential cookies.
- The Irish Data Protection Commission’s report and guidance (dated 6 April 2020) are less explicit in this respect. Yet, while the guidance does not expressly cover cookie walls, it does suggest that such a practice is not permissible (“We are of the view that users should not suffer any detriment where they reject cookies or other tracking technologies other than to the degree that certain functionality on the websites may be impacted by the rejection.”).
- The British Information Commissioner’s Office’s (ICO) approach is more nuanced. In its guidance on the e-Privacy Directive, last updated on 3 July 2019, the ICO asserts that individuals must be provided with a genuine free choice: therefore consent to non-essential cookies should not be bundled up as a condition of the service, unless the consent is necessary for that service. Citing Recital 25 of the ePrivacy Directive, according to which “[a]ccess to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose”, the ICO explains that data controllers may limit access to certain content if the user does not consent to non-essential cookies, provided that these cookies facilitate the provision of a service that the user explicitly requested. In this context, the ICO reiterated that the right to the protection of personal data must be balanced against other rights, including the freedom to conduct a business.
- The Austrian Data Protection Authority decided on 30 November 2018 that a website offering users a choice between consenting to cookies or paying a monthly subscription to receive full access to the website’s content did not violate the requirement of a freely given consent.
- Finally, the Spanish Agency for the Protection of Data published guidance in November 2019 stating that cookie walls are valid as long as users receive proper information to that effect. Such practice would, however, be unlawful if access to a specific website is the only means of exercising a legal right, and a user’s refusal to consent to cookies prevents the user from exercising the said right.
On 19 June 2020, the CNIL announced that it would adjust its Guidance and future recommendation to strictly comply with the Conseil d’Etat’s decision, but that the updated documents would not be published before September 2020.
In July 2019, when the CNIL originally published its Guidance, it had announced that it would provide a six-month grace period after the publication of its final recommendation for organizations to update their cookie practices. The Conseil d’Etat approved this grace period in a decision issued on 16 October 2019. According to the Conseil d’Etat, this flexibility will not prevent the CNIL from continuing to monitor compliance with the rules on consent, or prevent the CNIL from using its repressive power in the event of a particularly serious violation. Therefore, Latham expects that the CNIL will adopt a similar grace period upon publishing its amended guidance and recommendation.