‘Cookie walls’: The French administrative supreme court partly quashes the CNIL’s guidance

Following a claim brought by professional associations from the media, communications and digital marketing sectors, the Conseil d’Etat has quashed the guidance published by the French data protection authority (CNIL) related to the use of ‘cookies walls’. This practice is used by certain digital service publishers to prevent users who do not consent to the installation of cookies from accessing their website.

Assimilating ‘cookie walls’ to a significant inconvenience which breached people’s free consent, the CNIL considered that this practice was illegal and should therefore be prohibited, but the Conseil d’Etat held that by setting out such a general and absolute prohibition of ‘cookie walls’, ‘the CNIL went beyond what it can legally do, within the framework of a soft law instrument’.

The Conseil d’Etat therefore quashed the fourth sub-paragraph of article 2 of the CNIL's deliberation. Other parts of the guidance which professional associations contested were approved, in particular regarding the transparency objective set by the CNIL and the maximum retention period of cookies exempt from consent.

However, this judgment does not rule on the lawfulness of ‘cookie walls’. It simply specifies that the CNIL could not deduce from the requirement of free consent a general and absolute prohibition of said ‘cookie walls’.

Thus, in the current state of legislation, sectoral stakeholders remain uncertain as to the legality of these practices. Directive (EU) 2019/770 of 20 May 2019 on digital content and digital services seems to allow this practice, since it provides that digital services can be supplied in exchange for a price or data. However, this Directive is without prejudice to the General Data Protection Regulation (GDPR) and the latter's provisions prevail in the event of a conflict. The question is therefore whether the GDPR prohibits the use of ‘cookie walls’. Although it does not explicitly mention ‘cookie walls’, the GDPR seems to prohibit them since it provides that consent must be free and that ‘when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract’.

If, like the CNIL, certain national data protection authorities of EU Member States and the European Data Protection Board (EDPB) consider that ‘cookie walls’ infringe freedom of consent, the CJEU has not yet had to rule on the matter. In any event, the use of ‘cookie walls’ when providing digital services is at risk of enforcement by the CNIL when it exercises its supervisory power.

Behring, Anne-Solène Gay, Juris Initiative, personal data, CNIL, Cookie Walls, GDPR, EDPB, consent, cookies

Autres news