French Conseil d’Etat partially annuls the CNIL’s guidelines on cookies and other tracking devices

The background to this decision are guidelines on cookies and other tracking devices, issued by the French supervisory authority (the CNIL), on 4 July 2019. The purpose of these new guidelines was to update cookies guidelines in line with the General Data Protection Regulation (GDPR).

In the guidelines, two things differed from previous guidance issued by the CNIL. First, the CNIL suggested that scrolling down, or swiping through, a website page or application could no longer be viewed as a valid expression of consent to the placing of cookies or access to information stored on a user’s device. Secondly, it suggested that website and tracking device operators must be able to prove that they had obtained a user’s consent.

The CNIL also stated that the consent of an internet user to cookies and other tracking devices can only be valid if the user is able to exercise a choice and not incur any major inconveniences in the absence or upon withdrawal of consent.

In this respect, the CNIL recalled that the European Data Protection Board (EDPB), in its Statement on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of electronic communications (available here) dated 25 May 2018, had considered that the practice of blocking access to a website or mobile application for individuals who do not consent to be tracked (so called “cookie walls”) did not comply with the GDPR and should be prohibited. The CNIL noted that, in this situation, users are not in a position to refuse the use of cookies without suffering negative consequences (i.e. being unable to access to the relevant website or application). In this context, the prohibition of cookie walls was in line with the statement of the EDPB.

The EDPB recently amended its guidelines on consent to specifically address cookie walls. The amended EDPB guidelines state that “in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user…”.

The Council was asked by various professional associations, including the French Association of Communication Agencies, to annul the CNIL’s guidelines.

In a decision dated 19 June 2020, the Council ruled that by introducing a general and absolute prohibition the CNIL had exceeded what it could legally do in the context of a so-called “soft law” instrument (Article 8 I-2° of the French Data Protection Act (Loi Informatique et Libertés of 6 January 2018 as modified)).

The Council considered that soft law instruments, such as the guidelines of supervisory authorities, should not create legal rights or obligations for anyone but should instead be limited to influencing the practices of organisations. According to the Council, the CNIL did not have the power to enact a general and absolute prohibition. Moreover, the Council noted that the CNIL’s guidelines did not specify the practical steps by which professionals may obtain valid consents for the use of cookies.

The Council did not take a position on the lawfulness of cookie walls. Consequently, it remains to be seen whether the CNIL will seek to introduce a less comprehensive restriction in updated guidelines. The answer to this question is likely to have substantial impact, keeping in mind the enforcement powers and past practice of the CNIL.

The Council confirmed other aspects of the guidelines (e.g. that individuals should be able to refuse or withdraw consent as easily as they can give it).

What’s next?

In a statement issued on 19 June 2020, the CNIL announced that it will amend its guidelines to comply with the Council’s decision. In addition, the CNIL will adopt a recommendation aimed at providing practical guidance on methods for collecting valid consent. Both documents are expected by October 2020.

In the meantime, even though the CNIL’s “general and absolute” ban on cookie walls was annulled by the Council, the general position of national supervisory authorities throughout the EU seems to be that cookie are incompatible with the GDPR, as confirmed by the EDPB.

Companies should therefore take the requirement for cookie consent seriously, seeking to comply with GDPR requirements for obtaining and demonstrating valid consent. Website and app operators with pan-European reach should assess the lawfulness of implementing cookie walls on a case by case basis. The much anticipated proposed ePrivacy Regulation will hopefully align diverging national transpositions of the ePrivacy Directive in relation to cookie consents and cookie walls in the future.