Jul 102020

French Council of State Partially Annuls CNIL Cookie Guidelines on Use of Cookie Walls

William RM Long, Lauren Cuyvers and Geraldine Scali
, , , ,

On June 19, 2020, the French Conseil d’État (“Council of State”) issued a decision partially annulling the Guidelines of the French Data Protection Authority (the “CNIL”) on cookies and other tracking tools (“Guidelines”). The Council of State ruled that the CNIL’s Guidelines could not prohibit the use of ‘cookie walls’, a practice which consists of blocking user access to a website where the user refuses to consent to cookies and other tracking tools. Nevertheless, the Council of State confirms the Guidelines on other key points, such as the requirement to facilitate the right to withdraw consent to cookies, the retention period for cookies and the information requirement for cookies not subject to a consent requirement.

CNIL Guidelines Ban on Cookie Walls. On July 18, 2019, the CNIL published its Guidelines on cookie and other tracking tools as part of its broader action plan on targeted advertising. The purpose of the Guidelines was to reinforce protection for internet users in the use of cookies and other tracking tools, and as such they contain more stringent requirements on consent and transparency. More specifically the Guidelines stipulate that the use of cookie walls is not compliant with the GDPR because this by definition invalidates the user’s consent. The user would feel pressured to give consent since his access to website content may be denied otherwise. In such case, consent is not ‘freely’ given and does not meet the conditions of the General Data Protection Regulation (“GDPR”) on valid consent. Unlike some other EU Member States, the CNIL as such introduced a blanket ban on cookie walls.

Council of State Decision. The Council of State invalidated this part of the CNIL’s guidance. It considered that the CNIL had essentially introduced a blanket prohibition on the use of cookie walls merely on the basis of its own interpretation of what constitutes ‘free’ consent under the GDPR. The Council of State ruled that by introducing such a prohibition in a ‘soft law’ legal instrument such as the Guidelines, which are not legally binding, the CNIL had exceeded its competence. The CNIL argued that it had based its interpretation on the European Data Protection Board’s pan-EU guidelines on consent, which also prevent the use of cookie walls by stipulating that “in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user”. The Council of State ruled that this reference to pan-EU guidelines did not warrant the implementation of a blanket ban on cookie walls for websites subject to the CNIL’s supervision.

Other EU Member States Take on Cookie Walls. Interestingly, the position on cookie walls, and the interpretation of valid ‘free’ consent under the GDPR, varies from one EU Member State to another. Despite the current pan-EU guidance on cookie walls from the EDPB, local data protection authorities remain competent to adopt their own position on the interpretation of the GDPR.

Last year, the Dutch Data Protection Authority also took the position that the use of cookie walls is non-compliant with the GDPR for the same reason as provided in the CNIL’s Guidelines. Please refer to our blog post here. The UK ICO takes a more nuanced position, and provides that user access to website content may be restricted if such restriction does not generally cover all website content. Certain website content may be restricted if the user does not consent, if that (partial) cookie wall is implemented for a legitimate purpose, for example when cookies are used to provide a subscription type service explicitly requested by the user.

This position seems to more closely align with the position taken by the Austrian Data Protection Authority in a specific case: it decided that an online newspaper could make use of cookie walls to restrict ‘paid-for’ access to certain website content (i.e., subscription articles). As such, the user would have the choice to either give consent to tracking cookies or pay a subscription fee to gain access to subscription articles on the website. The Austrian authority considered this choice was sufficient in light of ‘free’ consent.

Next Steps. The CNIL will adjust its Guidelines to align them with the Council of State’s decision. As part of its broader action plan, the CNIL had also been working on a recommendation that sets out the specific modalities by which consent may be obtained (please refer to our blog post here). Public consultation for this recommendation is already complete. The amendment of the Guidelines and the adoption of the recommendation are scheduled to take place after September 2020.

William RM Long

London

wlong@sidley.com

Lauren Cuyvers

Brussels

lcuyvers@sidley.com

Geraldine Scali

gscali@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.