Cookie Walls can’t be legally forbidden French CNIL says

Show more Show less

On 19 June 2020, in response to complaints filed, the Conseil d’État (‘the French Council’ and highest administrative court) ruled that the French Data Protection Authority (‘CNIL’) could not legally prohibit “cookie walls” for websites and mobile apps in its official guidelines.

The French Council stated that the CNIL exceeded its legal powers (based on ‘soft-law’ i.e. mare recommendations) by placing a ban based on the unique requirement of free user consent to the placement of cookies and similar trackers, set out in the General Regulation on Data Protection (GDPR).

The result of the decision was the annulment of paragraph four in Article 2 of the CNIL’s decision approving the Guidelines (4 July 2019) and CNIL having to pay the applicants €3,000 under the Code de justice administrative – Article L761-1.

A cookie wall is a barrier that puts the user in a “take it or leave it” situation. If the user wants to access the information on the website he or she is forced to accept cookies to continue using the website (opt-in). If the user refuses to opt-in he or she is denied access to the website.

On the other hand, the French Council did not accept the applicants complaints on the fact the Guidelines imposed specific procedures for companies to obtain consent.

The provision stating companies should give users specific information on the purpose of processing was maintained as it is based on preexisting legal requirements: companies are still responsible to comply with all provisions in the GDPR, including needing legitimate interest or consent to process data. Thus the CNIL has not imposed a new information obligation unjustified in law.

Also, applicants try to argue on the ability to bundle several consent together which was also not approved by the Council (granularity required still maintained) as, following the first point, acceptance has to be specific to the purpose of the processing. However, it is important to remember companies are still allowed to offer the option to users of providing one consent for all purposes.

Users have to have a choice. As long as users have several options to accept or withdraw consent, having the possibility to grant the company consent in a granular way, consent is considered appropriate and in line with GDPR.

Next steps

All things considered, the CNIL published a statement in response to the French Council’s decision accepting to modify the Guidelines with the clarification on the cookie wall ban.

On top of that, after September 2020, the Guidelines will endorse suggestions on the ways of collecting consent to cookies. They will be in force in March 2021, following a six month transition period to give companies the opportunity to adapt their cookie settings.

Official Links to full decision (only available in French):