On 4 July 2019, the French Data Protection Authority (CNIL) published its updated guidelines on cookies, (the “Guidelines”), marking the first step aimed at regulating the use of Cookies and Cookie Walls.
Soon after, in January 2020, the CNIL adopted practical guidance on how to obtain valid consent to cookies (the “Practical Guidance”). These Guidelines aim at “reiterating the applicable law” on cookies including the definition of “consent” as enshrined in the GDPR and the implementation of article 5(3) of the ePrivacy Directive on the use of cookies and similar trackers under French law.
On 19 June 2020, the State Council held that the CNIL had abused its power by stating in its Guidelines that cookies walls were not permitted, and as a result, it struck through this provision in the Guidelines. However, the State Council upheld the rest of the Guidelines by reaffirming the limited role of soft law and also chose not to refer any preliminary questions to the CJEU.
As a regulator, the CNIL can adopt soft law, such as guidelines, recommendations or reference frameworks, to ensure compliance with the French Data Protection Act. The CNIL has been using soft law extensively over the years to assist companies’ with GDPR compliance. While not legally binding, organizations have an incentive to follow these guidelines strictly by fear of being sanctioned by the CNIL if they fail to do so. Since 2016, however, it is possible to challenge the CNIL’s soft-law guidance before the State Council.
In its Guidelines, the CNIL recalls the general principle under the GDPR according to which consent must be “freely” given. Specifically, the Guidelines state: “consent can only be valid if the data subject is able to exercise his or her choice validly and does not suffer from major disadvantages in the event of absence or withdrawal of consent”. The CNIL’s position on consent in the context of cookies and other tracking technology is based on a previous Statement of the European Data Protection Board (EDPB) on the ePrivacy Regulation issued in May 2018, which states: “In order for consent to be freely given as required by the GDPR, access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited”.
In its decision, the French Council considered that the CNIL had simply recalled the position of the EDPB on cookie walls (i.e. that they are not valid under the GDPR) without making it its own position, and thus, it had not given legally binding force to the EDPB’s position on cookie walls. While confirming that the CNIL is the competent regulatory body to adopt guidelines on cookies and other tracking technologies, the State Council’s ruling nonetheless repeals the CNIL’s position specifically on cookie walls on the ground that a “general and absolute prohibition” to implement cookie walls cannot be inferred from the sole requirement to obtain “free” consent under the GDPR. By adopting Guidelines which stated that cookie walls were not permitted, the CNIL had thus abused its power to issue soft law in that regard.
At the same time, the State Council validated all the other points in the Guidelines that were challenged by the plaintiffs, for example, how to inform users about cookies that are exempt from consent, the conditions that apply to analytics cookies, the lifespan of analytics cookies and the period of retention that applies to data that is collected via these cookies. Indeed, the State Council reaffirms that these are all non-binding recommendations and says that the CNIL did not abuse its power when interpreting applicable law. Hence, the State Council appears to have purposefully singled out the CNIL’s position on cookie walls while upholding the rest of the CNIL’s Guidelines.
The least we can say is that the State Council’s decision does create some confusion. This decision comes several weeks after the EDPB’s recently issued its updated Guidelines on Consent (released on 4 May 2020), which reaffirm that cookie walls are not valid under the GDPR since they do not allow for free consent. The difficulty in this case is that the State Council did not rule on the merits of the case (i.e. whether cookie walls are valid under the GDPR) and did not pronounce itself on the EDPB’s position regarding cookie walls. As a result, this leaves website owners in France in a state of limbo, not knowing precisely whether cookie walls are permitted or not.
The State Council’s decision also raises some questions that will need to be answered. Is the CNIL prohibited from pronouncing any sanctions against organizations that use cookie walls? Must there be a law in France that explicitly prohibits cookie walls in order for the CNIL to enforce such rules? Will the EDPB have to revisit its position on cookie walls?
It is worth reminding that, despite some minor divergences between data protection authorities in the EU, overall they have similar positions on cookie compliance. The EDPB’s guidelines are of a higher authority than national guidance in that they reflect the common position of the 27 EU Member States. Therefore, there seems to be a conflict now between the State Council’s ruling and position of the EDPB on cookie walls. As a permanent member of the EDPB, this also puts the CNIL in a difficult position.
What impact will the State Council’s ruling have?
As a result, the State Council’s decision is likely to delay enforcement against the use of cookie walls. Recently the CNIL announced that cookie compliance would be one of its top priorities under its enforcement strategy for 2020. However, upon reacting to the State Council’s decision, the CNIL reported that it will amend its Guidelines, along with its Practical Guidance. Both are expected to be published in September 2020 at the earliest.
The CNIL had already announced that it would only start enforcing its Guidelines after a six-month grace period once the final version of the Practical Guidance was adopted. Until then, enforcement would be limited to the unchanged provisions of its 2013 guidelines. It is worth noting that already under its previous cookie guidelines of 2013 the CNIL prohibited cookie walls on the ground that users who refused the use of cookies should continue to benefit from the given service, i.e. access to a website. Now that the ban on cookie walls has been removed from the CNIL’s Guidelines, it remains to be seen if and whether the CNIL will be able to pronounce sanctions against companies who implement cookie walls.