21 July 2020 - Post by:Laurie-Anne Ancenys
The Conseil d’Etat, the French Administrative Supreme Court, (the Council) partially annuls the CNIL’s cookies guidelines, on aspects related to cookie walls, for lack of competence.
The background to this decision are guidelines on cookies and other tracking devices, issued by the French supervisory authority (the CNIL), on 4 July 2019. The purpose of these new guidelines was to update cookies guidelines in line with the General Data Protection Regulation (GDPR).
In the guidelines, two things differed from previous guidance issued by the CNIL. First, the CNIL suggested that scrolling down, or swiping through, a website page or application could no longer be viewed as a valid expression of consent to the placing of cookies or access to information stored on a user’s device. Secondly, it suggested that website and tracking device operators must be able to prove that they had obtained a user’s consent.
The CNIL also stated that the consent of an internet user to cookies and other tracking devices can only be valid if the user is able to exercise a choice and not incur any major inconveniences in the absence or upon withdrawal of consent.
The EDPB recently amended its guidelines on consent to specifically address cookie walls. The amended EDPB guidelines state that “in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user…”.
The Council was asked by various professional associations, including the French Association of Communication Agencies, to annul the CNIL’s guidelines.
In a decision dated 19 June 2020, the Council ruled that by introducing a general and absolute prohibition the CNIL had exceeded what it could legally do in the context of a so-called “soft law” instrument (Article 8 I-2° of the French Data Protection Act (Loi Informatique et Libertés of 6 January 2018 as modified)).
The Council did not take a position on the lawfulness of cookie walls. Consequently, it remains to be seen whether the CNIL will seek to introduce a less comprehensive restriction in updated guidelines. The answer to this question is likely to have substantial impact, keeping in mind the enforcement powers and past practice of the CNIL.
The Council confirmed other aspects of the guidelines (e.g. that individuals should be able to refuse or withdraw consent as easily as they can give it).
In a statement issued on 19 June 2020, the CNIL announced that it will amend its guidelines to comply with the Council’s decision. In addition, the CNIL will adopt a recommendation aimed at providing practical guidance on methods for collecting valid consent. Both documents are expected by October 2020.
In the meantime, even though the CNIL’s “general and absolute” ban on cookie walls was annulled by the Council, the general position of national supervisory authorities throughout the EU seems to be that cookie are incompatible with the GDPR, as confirmed by the EDPB.
Companies should therefore take the requirement for cookie consent seriously, seeking to comply with GDPR requirements for obtaining and demonstrating valid consent. Website and app operators with pan-European reach should assess the lawfulness of implementing cookie walls on a case by case basis. The much anticipated proposed ePrivacy Regulation will hopefully align diverging national transpositions of the ePrivacy Directive in relation to cookie consents and cookie walls in the future.