Cookie Walls can’t be legally forbidden French CNIL says

On 19 June 2020, in response to complaints filed, the Conseil d’État (‘the French Council’ and highest administrative court) ruled that the French Data Protection Authority (‘CNIL’) could not legally prohibit “cookie walls” for websites and mobile apps in its official guidelines.

A cookie wall is a barrier that puts the user in a “take it or leave it” situation. If the user wants to access the information on the website he or she is forced to accept cookies to continue using the website (opt-in). If the user refuses to opt-in he or she is  denied access to the website.

On the other hand, the French Council did not accept the applicants complaints on the fact the Guidelines imposed specific procedures for companies to obtain consent.

The provision stating companies should give users specific information on the purpose of processing was maintained as it is based on preexisting legal requirements: companies are still responsible to comply with all provisions in the GDPR, including needing legitimate interest or consent to process data. Thus the CNIL has not imposed a new information obligation unjustified in law.

Also, applicants try to argue on the ability to bundle several consent together which was also not approved by the Council (granularity required still maintained) as, following the first point, acceptance has to be specific to the purpose of the processing. However, it is important to remember companies are still allowed to offer the option to users of providing one consent for all purposes.

Users have to have a choice. As long as users have several options to accept or withdraw consent, having the possibility to grant the company consent in a granular way, consent is considered appropriate and in line with GDPR.

The French Council stated that the CNIL exceeded its legal powers (based on ‘soft-law’ i.e. mare recommendations) by placing a ban based on the unique requirement of free user consent to the placement of cookies and similar trackers, set out in the General Regulation on Data Protection (GDPR).

The result of the decision was the annulment of paragraph four in Article 2 of the CNIL’s decision approving the Guidelines (4 July 2019) and CNIL having to pay the applicants €3,000 under the Code de justice administrative – Article L761-1.

All things considered, the CNIL published a statement in response to the French Council’s decision accepting to modify the Guidelines with the clarification on the cookie wall ban.

On top of that, after September 2020, the Guidelines will endorse suggestions on the ways of collecting consent to cookies. They will be in force in March 2021, following a six month transition period to give companies the opportunity to adapt their cookie settings.

• Press release
• Decision
• CNIL Statement

If you want to learn more about cookies and their different functions, click here.

Also, further explanations about cookies and their regulations within the GDPR can be found in our interview series with the qualified attorneys of law firm Reed Smith. Watch the videos here:

Are cookies personal data?

Do I need a user’s consent for cookies?

DISCLAIMER The decision to implement a data protection-compliant CMP is ultimately at the discretion of the data protection officer and/or the legal department.
These statements do not constitute legal advice. They merely serve to support and inform you about the current legal situation with respect to the implementation of a CMP solution. Please consult a qualified lawyer should you have any legal questions.