Fresh From the Oven: The CNIL’s Criteria for Allowing Cookie Walls in France
On 16 May 2022, the French data protection authority published preliminary criteria for the validity of cookies walls.
What are cookie walls?
“Cookie walls” are used by websites that require the internet user to accept cookies or other tracking devices if he/she wants to access the content of the website. Generally, there is an alternative option in the form of a subscription fee (also referred to as “pay wall”) to compensation for the loss of advertising revenue (such revenue is tied with cookie technology).
The CNIL has published guidelines on “cookies and other tracers” (for the ease of reading we will only refer to “cookies”). In its initial version, these guidelines prohibited cookie walls as this would violate the principle of “free consent” for cookies. The French Council of State ruled on 19 June 2020, that the CNIL did not have the legal power to interpret, on its own, the requirement of free consent under GDPR to ban all types of cookie walls per say. The assessment of the legality of cookie walls has to be more granular, on a case-by-case basis.
The issue of consent for cookies and other tracers is an issue that the long delayed and vividly debated future, ePrivacy regulation, is intended to clarify. Whilst we wait for upcoming legislation or a position from the Court of Justice of the European Union, the CNIL deemed it necessary to publish criteria to assess the legality of such practices.
New (preliminary) criteria
The legality of cookie walls must be assessed taking into account in particular the existence of real and satisfactory alternative(s) offered in the event of refusal by the tracers. The CNIL’s criteria focuses on the most commonly observed practices: they must be used as part of a case-by-case analysis.
That the publisher offers a real and fair alternative allowing access to the site and which does not does not imply having to consent to the use of their data.
Failing this, the publisher must be able to demonstrate that the same information is accessible on another publisher that provides its content without a cookie wall.
The publisher has to avoid creating an imbalance to the detriment of the internet user, and to this effect, ensure the ease of access for the user to this alternative.
Imbalance could exist, for example:
Where the published has exclusivity on the relevant content/service. For example, this would be the case for online public services that provide information or allow for online formalities.
2) Access fee alternative: is the price reasonable?
The CNIL recognizes the legality of offering access for a fee as an alternative to acceptance of cookies. However, the fee must not be such as to deprive Internet users of a real choice.
Determination of what constitutes a reasonable fee should made case-by-case basis by the publisher and the CNIL encourages publishers to make their analysis public.
The publishers should tailor the payment to the nature of the service – in some cases, rather than a subscription fee involving registration of a payment card data, micropayments on an ad hoc basis using virtual wallets will be more suited.
Where the user has to set up an account with the website, the purpose of such account has to be specific and transparent. An account could for instance allow the user to benefit from its subscription on various devices. The publisher has to abide by the principles of lawfulness, fairness and transparency, data minimization and purpose limitation (in particular with respect to further processing).
3) Can the cookie wall cover “all” cookies indiscriminately?
The publisher must demonstrate that its cookie wall is limited to the purposes that allow fair remuneration for the service offered. For example, if a publisher considers that the remuneration for its service depends on the income it could obtain from targeted advertising, the cookie wall should only be for advertising cookies and other cookie should remain optional (such as for instance personalization of editorial content, etc.). The publisher must clearly inform Internet users of purpose of the cookie wall.
4) The user chooses paid access without consenting to cookies: in what (limited) cases can cookies still be deposited?
In principle, except for cookies that are essential for a website to function correctly, no cookies should be placed where the user has opted for paid access.
The publisher may however request, on a case-by-case basis, the Internet user’s consent to cookies when such cookies are required to access content hosted on a third-party site (for example, to view a video hosted by a third-party site ), or a service requested by the user (for example, to provide access to sharing buttons on social networks).
The user’s consent could be collected, for example, within a dedicated window displayed when the Internet user wishes to activate the content, with clear information on:
The possibility of easily withdrawing consent at any time; and
The consequences of refusing or withdrawing of consent, including the impossibility of accessing third party content.
In any event, the Internet user must always have the possibility of personally accessing the settings of the site, to consent to certain uses (for example, the personalization of editorial content).
Compliance with GDPR
Finally, the fundamental GDPR principles still remain applicable to such cookies, including having a legal basis (can it still be consent?), limited retention periods, and proper safeguards in case of international transfers.
Cookie walls are not prohibited in France, but their implementation requires a careful prior assessment.
However, it is uncertain if the CNIL “preliminary” criteria will provide real flexibility for websites wanting to implement cookie walls. Some of them will require additional interpretation, such as the notion of “fair price” or which websites can be considered as “dominant or essential service providers”.