Who: The French Conseil d’État and the French Data Protection Authority (‘CNIL‘)
When: 19 June 2020
On 4 July 2019, the CNIL adopted new guidelines on cookies and other tracking technologies in order to specify the applicable rules and best practices. This was to reflect the fact that the entry into force of the General Regulation on Data Protection (GDPR) has strengthened the requirements to obtain valid consent from data subjects.
In its decision dated 19 June 2020, the Conseil d’État validated most of the recommendations contained in the guidelines:
- Individuals should be able to decline to give consent as easily as to grant it;
- Individuals should be able to withdraw their consent as easily as they have given it;
- User consent should be given for each purpose, which implies specific information;
- Individuals must be informed of the identity of the controllers placing cookies; the list containing the identity of the controllers must be made available to them at the time of consent and must be updated regularly;
- Data controllers must be able to demonstrate to the CNIL that they have obtained valid consent.
However, the Conseil d’État quashed a paragraph of the guidelines in which the CNIL considered that access to a website could never be made conditional on the acceptance of cookies (“cookie walls”). Cookie walls enable website publishers to block access to the content of their sites unless the user first clicks on “Accept cookies”.
The Conseil d’État ruled that by inferring such a prohibition simply from the requirement that the user must give their consent freely to the placing of cookies and similar technologies, laid down in the GDPR, the CNIL had exceeded its legal powers in the context of a so-called “soft law” act. The Conseil d’État ruled that the CNIL acted outside its powers in seeking to impose such a general and unconditional prohibition – however, the Conseil d’État did not rule on the merits of such a prohibition.
Why this matters:
The CNIL plans to publish the updated guidelines and the new recommendation after September 2020 (timetable to be determined and confirmed). The CNIL will thus pursue its action plan on cookies used for targeted advertising, which is intended to ensure a higher degree of protection for Internet users, in line with the GDPR’s reinforcement of consent requirements.
Six months after the publication of the final recommendation, further reviews will be carried out by the CNIL with a particular focus on operators/businesses having a significant impact on the day-to-day activities of individuals and which practices raise serious concerns about compliance.
In the future, this decision is a reminder to the CNIL to remain within the limits of its authority when producing soft law. Indeed, this decision specifies its regulatory power and highlights the limit of the binding nature of its interpretation of the law.
However, overall, we anticipate little to no practical impact of this decision as, on the merits, the guidelines of the European Data Protection Board updated on 4 May 2019 clearly stated that consent cannot be validly obtained via so-called “cookie walls” and the CNIL will be able to rely on this on a case-by-case basis when auditing websites to rule on the lack of sufficient consent in the presence of cookie walls.