September 26, 2021

Volume XI, Number 269


September 24, 2021

Subscribe to Latest Legal News and Analysis

September 23, 2021

Subscribe to Latest Legal News and Analysis

French Administrative Supreme Court Endorses Data Protection Authority's Position On Cookies, Prohibits Prohibition On Cookie Walls

On 4 July 2019, the French Data Protection (CNIL) published its Guidelines on Cookies and Other Tracking Technologies (the Guidelines, available in French here). The Guidelines further detailed the nature of the interplay between the General Data Protection Regulation (GDPR which reinforced expectations towards obtaining consent to data processing operations when such consent is required), and the ePrivacy Directive which more specifically addresses the privacy requirements on cookies and other tracking technologies. Indeed, while the ePrivacy Directive was expected to be updated through an ePrivacy Regulation (latest draft proposal available here), on or before GDPR entered into force, it remains under discussion at the European level to this day, and subject to intense lobbying by all stakeholders.

Further to the publication of the Guidelines, several French professional associations in the online marketing, distance selling and online media activities initiated legal action against the CNIL, before the French Administrative Supreme Court (the Conseil d’État), on the grounds that the CNIL acted above and beyond its authority in adopting the Guidelines, notably by (i) generally prohibiting “cookie walls”, (ii) recognizing a right of data subjects to refuse cookies, (iii) requiring the identification of the data controller for the cookies, (iv) mandating an exhaustive and up-to-date information of the data subjects on the cookies, regardless of their involvement in data processing operations, (v) requiring that the users’ agreement must be expressed by a separate action for each of the distinct purposes brought to their knowledge with a view to the storage of information or access to information already stored in their terminal equipment, and (vi) imposing maximum data retention periods for cookies.

The Conseil d’État released its decision on 19 June 20201, by which it confirmed the CNIL’s position on many aspects, except with regard to its position on cookie walls. However, this decision does not mark the end of this case as other judicial and legislative positions are expected. Indeed, this first decision only resulted from one of the many initiatives undertaken by professional associations in order to reverse the CNIL’s position.

Confirmation of most of the Guidelines by the Conseil d’Etat

The Conseil d’Etat confirmed most of the Guidelines and more specifically the following positions of the CNIL:

  • A specific consent for a specific purpose - The Conseil d’État confirmed the Guidelines as regards the position of the CNIL stating that users must “be able to give their consent independently and specifically for each separate purpose” of the data processing.

    • The Conseil d’État relied on Article 82 of the French Data Protection Act2 to approve the position of the CNIL stating that consent of users prior to placing cookies and tracking technologies should relate to each of the purposes of the data processing. While the Conseil d’État did not prohibit the possibility for a global consent to several purposes, provided that it is preceded by information specific to each of the purposes of the data processing.

  • A specific information to be provided to data subjects - Relying on Article 13 GDPR and Article 82 of the French Data Protection Act, the Conseil d’État also confirmed the CNIL’s position requiring the disclosure of the identity of the controller(s) as well as the list of recipients (or categories thereof). The Conseil d’État reminded that publishers placing cookies and tracking technologies, as well as their partners, were considered as “data controllers” and, as such, users must be able to “must identify all the entities using cookies before being able to consent to them” insofar as these entities, which do not include data recipients, were acting as data controllers, joint controllers or co-controllers.

  • Specific mechanisms to facilitate the grant and withdrawal of user’s consent - Relying on the combination of Article 4(11) GDPRArticle 7(3) GDPR and Article 82 of the French Data Protection Act, the Conseil d’Etat confirmed the need for users to be able to refuse or withdraw their consent as easily as they could give it in the first place.

  • Specific and tailored duration for the use and confirmation of information collected through cookies and other tracking technologies - The Conseil d’État finally confirmed the CNIL’s recommendation for indicative durations for the use of cookies and other tracking technologies and for the retention of information collected through such tracking technologies.

The validation by the Conseil d’État of the Guidelines stemmed from the fact that the CNIL only limited itself to recommending best practices through non-binding guidelines, thereby allowing for the periodic re-examinations. However, while non-binding, the Guidelines summarizes the analysis of the CNIL, which will serve as the baseline to enforce GDPR and ePrivacy Directive. As such, all stakeholders are encourage to follow such positions.

Cookie-Walls and The Prohibition of Ex Ante Regulation

In the Guidelines, the CNIL came to the conclusion that cookie walls were incompatible with a valid consent, since cookie walls, by not allowing users any access to the website without prior consent, conditioned such consent and would thus deprive consent from its “freely given” requirement under Article 4(11) GDPR.

Prior to the Conseil d’Etat decision, the European Data Protection Board (EDPB) adopted a similar reasoning its revised Guidelines on Consent published on 4 May 2020 (see our Alert dated 11 May 2020). However, the main difference between these two opinions lies in the fact that the CNIL concluded on a general ban on cookie walls, whereas the EDPB simply reflected on the notion of consent under the GDPR and the fact that, while likely to deprive consent of its “freely given” tenet, cookie walls would need to be assessed on a case by case basis.

The Conseil d’État therefore censored the Guidelines’ general and preemptive ban of cookie wall, on the basis that the CNIL had gone beyond what was legally permissible under guidelines, which are an instrument of “soft law”.

As for the non-binding recommendations from the Guidelines which had been validated by the Conseil d’État, GDPR’s accountability framework will mandate the stakeholders to be able to demonstrate the validity of their consent gathering mechanism and cookie walls, while not expressly banned, will be under close scrutiny.

Next Steps in the European Cookie Framework

Pending the entry into force of the ePrivacy Regulation, the CNIL will therefore have to carry out a case-by-case assessment of the cookie acceptance mechanisms used by professional associations, rather than invoking a general ban on cookie walls.

Moreover, another action by the French professional associations in the online marketing, distance selling and online media activities remains pending before the Court of Justice of the European Union on thirteen preliminary questions concerning the interpretation of the combined provisions of ePrivacy Directive and of GDPR. Such decision will help clarify the regime of cookies and other tracking technologies in the European Union.

In view of the subject matter of these preliminary questions, as well as of the entry into force of the ePrivacy Regulation, it is highly likely that this presumption of illegality will be maintained, forcing operators to implement proper mechanisms according to the above-mentioned principles.

K&L Gates global data protection team (including in each of our European offices) remains available to assist you in ensuring that your cookie and other tracking technologies achieving the compliance mandated by GDPR.

Copyright 2021 K & L GatesNational Law Review, Volume X, Number 205

About this Author

Claude-Étienne Armingaud, KL Gates, Paris, data protection lawyer, commercial contracts attorney

Claude-Etienne Armingaud’s practice focuses on the representation of public and private companies in the area of information technologies and intellectual property law. Mr. Armingaud provides counsel to his clients at all stages of their corporate life cycle and in wide-ranging transactions, including in connection with litigation compliance matters, intellectual property protection and development, data protection strategic operations, and other commercial contracts.

Mr. Armingaud regularly advises start-up companies in matters relating to...


Clara Schmit is an associate in the firm’s Paris office. She is a member of the commercial technology and sourcing practice group.

She advises clients in matters related to information technology, intellectual property and data protection law. Ms. Schmit has expertise in industries of media and telecommunications, e-commerce, advertising, health, online services and luxury.

She advises French and international clients on issues relating to:

  • The compliance with and implementation of the European data protection framework, including the General Data...