France’s top administrative court has overruled the country’s data authority regarding “cookie walls”, stating that as an agency that only offers guidelines – so-called flexible laws – the authority cannot prohibit their use.
Cookie walls prevent internet users from accessing websites unless they consent to the use of tracking cookies, which often gather data used by advertisers.
The French data authority, known as CNIL, issued guidance last July that said access to a website could never be subject to the acceptance of cookies.
But the Council of State ruled last Friday that with its interpretation of the GDPR regarding consent, CNIL had gone beyond what is “legally possible” through the use of guidelines, which are an instrument of “flexible law”.
Nonetheless, the Council of State’s decision “essentially validated” the bulk of the cookie guidelines adopted by the French data authority last year, CNIL said. These guidelines are intended to improve legal protections for internet users and include giving individuals the option to refuse and withdraw their consent for data processing. People must also be informed of the identity of the data controllers which use cookies and the data controllers must be able to demonstrate to CNIL that they have obtained valid consent.
The French data authority said in a statement that it has “take[n] note of this decision and will adjust its guidelines and its future recommendations accordingly to comply with it”. The adjusted guidelines should come into effect after September 2020, CNIL said.
The ePrivacy Directive has always required consent for cookies as they are considered communications with a terminal – the device from which users view a website – but the GDPR’s updated definition of consent meant that it has become a more prominent issue since 2018.
Last Friday’s decision followed an appeal against the guidelines by a host of adtech and e-commerce bodies, which objected to the regulator’s strict stance. On 12 June an advisor to the Council of State said in a non-binding opinion that the country’s data watchdog was wrong to ban the use of cookie walls.
Claude Armingaud, a partner at K&L Gates in Paris, told GDR that the decision is a “victory for the claimants” – although the bulk of the authority’s cookie guidelines remain in force.
Armingaud said that while these professional bodies used “all the [tools] at their disposal” to reverse CNIL’s position, they are only at the beginning of their “stand-off with the data protection regulator”. Armingaud said it is unlikely that they will refrain from implementing cookie walls, and will likely wait for CNIL to investigate the sector and increase their lobbying efforts on the ePrivacy Regulation.
Armingaud said the European Data Protection Board’s (EDPB) updated guidelines on consent, published on 4 May, explain how cookie walls divorce consent from its “freely given” requirement. “The rationale behind the EDPB’s position bears not only an authoritative value, but it is also a question of principle as to what the data protection framework in Europe ought to be,” Armingaud said.
CNIL’s guidelines, which were published prior to the EDPB’s, came to the same conclusion, Armingaud said, but went a step further in its general prohibition of cookie walls. The Council of State’s decision “was not that cookie walls were legal or not, but only that the CNIL could not generally prohibit their use”, Armingaud said.
This is, therefore, a “very mitigated success for the professional associations”, Armingaud said – adding that the consequence of the ruling will, therefore, be “fairly limited”. And last month’s EDPB guidelines “serve as a strong warning which, while not binding, will orient the reflection of the EU member state regulators,” Armingaud said.
Armingaud said that in the absence of an adopted ePrivacy Directive, “more investigations, possibly more fines and definitely more litigation are to be expected”.
First published: Global Data Review, with Alex Pugh