Privacy & Information Security Law Blog

On June 19, 2020, France’s Highest Administrative Court (the “Conseil d’Etat”) issued a decision partially annulling the guidelines of the French Data Protection Authority (the “CNIL”) on cookies and similar technologies (the “Guidelines”). The Conseil d’Etat annulled the provision of the Guidelines imposing a general and absolute ban on ‘cookie walls’ that prevent users who do not consent to the use of cookies from accessing a site or mobile app. However, the Conseil d’Etat upheld the main part of the Guidelines. On the day of the Conseil d’Etat’s decision, the CNIL published a statement (the “Statement”) announcing that they took note of the decision and will strictly comply with it.

Background

On July 18, 2019, the CNIL published the Guidelines to specify the rules applicable to the use of cookies and similar technologies in France in light of the strengthened consent requirements of the EU General Data Protection Regulation (“GDPR”). The Guidelines also provide a number of recommendations. The Guidelines were to be complemented by specific recommendations on the practical modalities to obtain users’ consent for the use of non-essential cookies (the “Recommendations”). On January 14, 2020, the CNIL published the draft Recommendations, which were open to public consultation. The final version of the Recommendations still needs to be submitted for adoption to the CNIL’s members during a plenary session.

Although the Guidelines are not binding, they provide the CNIL’s interpretation of the cookie rules, and non-compliance with the Guidelines may give rise to sanctions. The CNIL announced that it will carry out inspections to enforce the Guidelines after a period of six months following the adoption of the Recommendations.

Against that background, several professional associations and trade unions brought an action before the Conseil d’Etat to seek annulment of the Guidelines.

Conseil d’Etat’s Decision

The applicants challenged, among others, the blanket prohibition of ‘cookie walls’ in the Guidelines. The Guidelines stated that users should not suffer significant disadvantages in the event they do not consent or withdraw consent to the use of cookies. According to the CNIL, this meant that access to a site should never be made conditional upon the acceptance of cookies. In its Statement, the CNIL explained that the Guidelines aligned with the position of the European Data Protection Board (“EDPB”), explaining that, “in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)” (see EDPB’s Guidelines 5/2020 of May 4, 2020 on consent under the GDPR).

In its decision, the Conseil d’Etat did not take a position on whether ‘cookie walls’ are lawful, but considered that the CNIL could not set out a general and absolute ban on ‘cookie walls’ in a soft law instrument like the Guidelines. The Conseil d’Etat therefore annulled this provision of the Guidelines.

The Conseil d’Etat rejected all other arguments of the applicants and upheld most of the CNIL’s interpretations and recommendations included in the Guidelines, including the following:

• Users must be able to refuse consent or withdraw consent as easily as it was given.
• Users must give consent for each purpose of processing the data collected through cookies, which implies that users must receive specific information on each of the purposes of the cookies before giving consent.
• Users must be informed of the identity of the data controllers that set cookies on their devices. A list that includes these identities must be made available to users when seeking their consent and must be updated regularly.

Next Steps

In its Statement, the CNIL announced that it will publish a revised version of the Guidelines and the final version of the Recommendations after September 2020.