In a decision of 19 June 2020, the Conseil d’État (i.e. the French Supreme Administrative Court) ruled, as part of a judicial review, that the CNIL could not legally prohibit the use of “cookie walls” in its recommendation on cookies and other trackers adopted in July 2019.
However, the Conseil d’Etat did not take a position as to whether this practice, which consists of blocking access to the content of a website if cookies are refused, was GDPR compliant. It only ruled that the CNIL was not entitled to enact such a ban in “soft law” guidelines.
However, the supreme administrative court confirmed the legality of the other points disputed by the professional associations, which had brought a motion before the Conseil d’Etat to strike out these recommendations, in particular the points relating to the collection of Internet users’ consent to cookies and other trackers (i.e. “cookie walls”).
This ruling, which is somewhat disappointing as it does not address the issue relating to the validity of cookie wall and lacks clarity in some respects, will give the CNIL some difficulties in drafting future recommendations.
1. The Context
Professional associations had brought a motion before the Conseil d’Etat in order to strike out the CNIL’s recommendation on “cookies” and other trackers adopted in July 2019.
The associations mainly raised irregularities concerning, in particular, the points relating to the prohibition of “cookie walls” and the obligation to obtain specific consent per purpose.
2. The Conseil d’Etat strike out the CNIL’s recommendation on “cookie walls” but do not validate the practice
2.1. The CNIL is not entitled to prohibit the practice of “cookie walls” in so-called “soft law” guidelines
The professional associations contested the ban on the use of “cookie walls” by which website publishers block access to the content of their websites when Internet users do not consent to advertising cookies.
The General Advocate had indicated that “cookie walls” was compliant with the GDPR since the Internet user could browse other websites offering similar content without requiring the acceptance of advertising cookies.
We expressed our surprise at the arguments raised by the General Advocate (see here) and predicted that the Conseil d’Etat would not follow his position.
The French administrative court preferred to circumvent the issue by taking a position on whether the CNIL was entitled to make such recommendations and ruled that by making such a general and absolute prohibition on the sole basis that user’s free given consent to the deposit of advertising cookies is a GDPR requirement, the CNIL had exceeded what it could legally dictate in the context of a so-called “soft law” act.
2.2. The Conseil d’Etat does not, however, validate the practice of “cookie walls”
The Conseil d’Etat did not rule on whether the practice of “cookie walls” was lawful, but on whether the CNIL had the right to prohibit them in its guidelines.
Thus, by considering the recommendation relating to “cookie walls” as void, it does not necessarily validate this practice and it will, therefore, still be necessary for controllers to demonstrate that consent was freely given if cookie walls were used by a website publisher.
Consequently, the use of “cookie walls” is not recommended insofar as, although the prohibition of the use of “cookie walls” can no longer be included in the CNIL public opinion, the latter can still decide to sanction this practice as part of a sanction procedure.
3. Bundle consent is possible if the user is provided with specific information for each data processing purpose and is given the possibility to consent to each of them distinctively
The professional associations also wanted to overturn the recommendations stating that users must “be able to give distinct and specific consent for each purpose of the processing”.
The Conseil d’Etat recalls that, according to the French Data Protection Act, the user’s consent to cookies must relate to each of the purposes of the processing. This implies that, when the consent is given globally, it must be preceded by an informative note.
The Conseil d’État validates the disputed provisions of the guidelines by stating that the CNIL merely reiterates the foregoing statutory requirements, without imposing on operators any particular technical modalities (bundle consent or purpose by purpose) for the collection of consent.
However, the CNIL authorised bundle consent provided that the user is given the opportunity to consent specifically and distinctively to each purpose of the processing as well. This recommendation, although not mentioned by the Conseil d’Etat, has not been struck out. It, therefore, remains applicable.