French Administrative Supreme Court Endorses Data Protection Authority's Position On Cookies, Prohibits Prohibition On Cookie Walls
On 4 July 2019, the French Data Protection (CNIL) published its Guidelines on Cookies and Other Tracking Technologies (the Guidelines, available in French here). The Guidelines further detailed the nature of the interplay between the General Data Protection Regulation (GDPR which reinforced expectations towards obtaining consent to data processing operations when such consent is required), and the ePrivacy Directive which more specifically addresses the privacy requirements on cookies and other tracking technologies. Indeed, while the ePrivacy Directive was expected to be updated through an ePrivacy Regulation (latest draft proposal available here), on or before GDPR entered into force, it remains under discussion at the European level to this day, and subject to intense lobbying by all stakeholders.
The Conseil d’État released its decision on 19 June 20201, by which it confirmed the CNIL’s position on many aspects, except with regard to its position on cookie walls. However, this decision does not mark the end of this case as other judicial and legislative positions are expected. Indeed, this first decision only resulted from one of the many initiatives undertaken by professional associations in order to reverse the CNIL’s position.
Confirmation of most of the Guidelines by the Conseil d’Etat
The Conseil d’Etat confirmed most of the Guidelines and more specifically the following positions of the CNIL:
A specific consent for a specific purpose - The Conseil d’État confirmed the Guidelines as regards the position of the CNIL stating that users must “be able to give their consent independently and specifically for each separate purpose” of the data processing.
The Conseil d’État relied on Article 82 of the French Data Protection Act2 to approve the position of the CNIL stating that consent of users prior to placing cookies and tracking technologies should relate to each of the purposes of the data processing. While the Conseil d’État did not prohibit the possibility for a global consent to several purposes, provided that it is preceded by information specific to each of the purposes of the data processing.
A specific information to be provided to data subjects - Relying on Article 13 GDPR and Article 82 of the French Data Protection Act, the Conseil d’État also confirmed the CNIL’s position requiring the disclosure of the identity of the controller(s) as well as the list of recipients (or categories thereof). The Conseil d’État reminded that publishers placing cookies and tracking technologies, as well as their partners, were considered as “data controllers” and, as such, users must be able to “must identify all the entities using cookies before being able to consent to them” insofar as these entities, which do not include data recipients, were acting as data controllers, joint controllers or co-controllers.
Specific mechanisms to facilitate the grant and withdrawal of user’s consent - Relying on the combination of Article 4(11) GDPR, Article 7(3) GDPR and Article 82 of the French Data Protection Act, the Conseil d’Etat confirmed the need for users to be able to refuse or withdraw their consent as easily as they could give it in the first place.
The validation by the Conseil d’État of the Guidelines stemmed from the fact that the CNIL only limited itself to recommending best practices through non-binding guidelines, thereby allowing for the periodic re-examinations. However, while non-binding, the Guidelines summarizes the analysis of the CNIL, which will serve as the baseline to enforce GDPR and ePrivacy Directive. As such, all stakeholders are encourage to follow such positions.
Cookie-Walls and The Prohibition of Ex Ante Regulation
In the Guidelines, the CNIL came to the conclusion that cookie walls were incompatible with a valid consent, since cookie walls, by not allowing users any access to the website without prior consent, conditioned such consent and would thus deprive consent from its “freely given” requirement under Article 4(11) GDPR.
Prior to the Conseil d’Etat decision, the European Data Protection Board (EDPB) adopted a similar reasoning its revised Guidelines on Consent published on 4 May 2020 (see our Alert dated 11 May 2020). However, the main difference between these two opinions lies in the fact that the CNIL concluded on a general ban on cookie walls, whereas the EDPB simply reflected on the notion of consent under the GDPR and the fact that, while likely to deprive consent of its “freely given” tenet, cookie walls would need to be assessed on a case by case basis.
The Conseil d’État therefore censored the Guidelines’ general and preemptive ban of cookie wall, on the basis that the CNIL had gone beyond what was legally permissible under guidelines, which are an instrument of “soft law”.
As for the non-binding recommendations from the Guidelines which had been validated by the Conseil d’État, GDPR’s accountability framework will mandate the stakeholders to be able to demonstrate the validity of their consent gathering mechanism and cookie walls, while not expressly banned, will be under close scrutiny.
Next Steps in the European Cookie Framework
Pending the entry into force of the ePrivacy Regulation, the CNIL will therefore have to carry out a case-by-case assessment of the cookie acceptance mechanisms used by professional associations, rather than invoking a general ban on cookie walls.
Moreover, another action by the French professional associations in the online marketing, distance selling and online media activities remains pending before the Court of Justice of the European Union on thirteen preliminary questions concerning the interpretation of the combined provisions of ePrivacy Directive and of GDPR. Such decision will help clarify the regime of cookies and other tracking technologies in the European Union.
In view of the subject matter of these preliminary questions, as well as of the entry into force of the ePrivacy Regulation, it is highly likely that this presumption of illegality will be maintained, forcing operators to implement proper mechanisms according to the above-mentioned principles.
K&L Gates global data protection team (including in each of our European offices) remains available to assist you in ensuring that your cookie and other tracking technologies achieving the compliance mandated by GDPR.