Skip to main content

The prohibition of cookie walls set out in the French regulator (CNIL) guidelines censored by the French Council of State

On 19 June 2020, the French “Conseil d'Etat” issued a decision in which it annulled a section from guidelines issued by the French data protection regulator (the “CNIL”) regarding the legality of the use of so-called ‘cookie walls’. The impugned section suggested that the practice of blocking the content of a site or application to a person who does not consent to the use of cookies is unlawful. The other provisions of the guidelines were validated by the Conseil d'Etat.

On 4th July 2019, the CNIL adopted deliberation No 2019-093 relating to the use of cookies and other online trackers. The deliberation constitutes formal guidelines and was issued as part of a larger CNIL action plan regarding targeted advertising, which was announced on June 28, 2019. The guidelines provide the CNIL's interpretation of applicable law in this area, recalling that a failure to comply may result in sanctions and it also sets out recommendations of good practice for the operators concerned.

These guidelines were challenged before the Conseil d'Etat by several associations and trade unions, operating in particular in the field of e-commerce and online advertising. Their main arguments asserted that:
  1. The procedure for adopting the guidelines was irregular; 
  2. The guidelines are vitiated by incompetence because the CNIL (i) does not have the power to issue guidelines relating to the processing of non-personal data and (ii) relied on guidelines published by the European Data Protection Board (EDPB), which are not legally binding ;
  3. The CNIL unduly infringed freedom of enterprise and freedom of information by prohibiting cookie walls, and interpreted the conditions of independence and specificity of consent ;
  4. The CNIL has disregarded several regulatory and legislative provisions.
The Conseil d'Etat rejected the claim, with one exception. The court held that the CNIL did not exceed its powers and was entitled to adopt the guidelines, acted within the scope of its statutory powers in doing so and therefore validated all of the provisions, with the exception, however, of the one concerning the prohibition relating to the use of cookie walls.

The CNIL’s guidelines regarding cookie walls are consistent with the EDPB guidance, which indicates that the use of cookie walls is incompatible with the General Data Protection Regulation (GDPR).

In its decision, the Conseil d'Etat noted that the GDPR only requires that data subject consent be ‘freely given’. Therefore, the CNIL over-interpreted the concept of ‘freely given’ consent by indicating in its guidelines that the use of cookie walls would violate the GDPR.

Importantly, however, the Conseil d'Etat did not declare that the use of cookie walls is legal; it only indicated that the CNIL could not impose this prohibition in a soft law instrument (i.e. via its guidelines).

On its website, the CNIL indicated that it took note of the Conseil d'Etat's decision and that it would comply. An adjustment of the guidelines (strictly necessary to comply with the decision) as well as recommendations presenting their concrete modalities of application should be published in the autumn of 2020.

The position on cookie walls is not yet uniform across Europe - for example, the Dutch regulator has banned their use- and may well have to evolve as the issue of their prohibition is being considered in the context of discussions relating to the proposed ePrivacy Regulation.


Popular posts from this blog

Proposition de règlement sur les marchés numériques ou Digital Markets Act (« DMA ») et Proposition de règlement sur les services numériques ou Digital Services Act (« DSA ») : principales dispositions

La publication des propositions de règlements DMA et DSA intervenue le 15 décembre 2020 constitue une étape importante de l’ambitieuse réforme de l'espace numérique envisagée par la Commission européenne. Dans le cadre du processus législatif européen, ces propositions doivent maintenant être soumises à l’approbation du Parlement et du Conseil qui leur apporteront probablement des amendements. Le délai moyen pour l’adoption d'un règlement est de 18 mois mais peut être significativement allongé pour des textes très discutés ou controversés ce qui sera vraisemblablement le cas du DMA et du DSA, compte tenu de leur vaste champ d’application, de l’importance des acteurs concernés ainsi que des pouvoirs conséquents qu’ils prévoient de conférer à la Commission.  La présente note donne un aperçu de la structure et des principales obligations applicables aux " gatekeepers ", dans le cas de la DMA (Partie I) et aux fournisseurs de " intermediary services " en ligne,

CNIL’s sanctions against Google LLC and Google Ireland Limited and against Amazon Europe Core: summary and main findings

 On 10 December 2020, the CNIL made public two decisions regarding the use of cookies in breach of Article 82 of the French Loi Informatique et Libertés (the “LIL”), which transposes the ePrivacy Directive 2002/58/EC (“ePrivacy Directive”). The first sanction, against a Google LLC and Google Ireland Limited (together “ Google ”) was for a total amount of €100 million (€60m for Google LLC and €40m for Google Ireland Limited, or “GIL”). The other sanction was imposed on Amazon Europe Core (“ Amazon ”) for €35m.  Set out below is a summary of both decisions, with a specific focus on the arguments and reasoning relating to the CNIL’s competence to enforce the provisions of the LIL against Google and Amazon, which is the subject of substantial and interesting developments. The two decisions have a number of points in common, although some of the interesting nuances are noted in our summary.  1. Background In relation to Google, the CNIL conducted an online audit of on 16 March 20

CNIL’s decision against Google relating to the use of cookies: result of the appeal before the French Conseil d’Etat

On 4 March 2021, the French Conseil d’Etat rendered its decision in the Google vs CNIL case. As a reminder, on 7 December 2020, the CNIL imposed a sanction on Google LLC and Google Ireland Limited (together “ Google ”) for a total amount of 100 million euros for breach of Article 82 of the French Loi Informatique et Libertés (the “ LIL ”) relating to the use of cookies and other tracking technologies (Article 82 transposes Article 5.3 of the ePrivacy Directive). The CNIL found in particular that Google failed to obtain proper consent from data subjects, breached its information obligation and did not provide an efficient objection mechanism, in relation to the use of cookies. The CNIL also issued an injunction ordering Google to comply with article 82 of the LIL within three months, the CNIL being able to impose a €100 000 daily fine in case of non-compliance with such injunction. Google appealed the CNIL’s decision, by way of interim proceedings, in order to obtain the suspension