French and European context
Following the entry into force of the GDPR and the publication on April 10, 2018 of the guidelines on consent from the European Data Protection Board (EDPB), the CNIL published its own guide on cookies and other tracking devices (the Guide). As Latham previously pointed out, the Guide asserts that organizations should not place cookies unless users have positively agreed to their placement in a free, specific, informed and unambiguous manner. Although the Guide provides useful information on how to obtain valid consent, it is not intended to create additional rights for users and does not impose new constraints on data controllers.
On January 14, 2020, the CNIL shared draft additional guidance (the draft recommendation) providing examples of practical procedures for obtaining valid consent, as well as a question-and-answer session on the draft recommendation and related topics. A public consultation on the draft recommendation was open until February 25, 2020, and the CNIL planned to publish its final recommendation in spring 2020. However, in view of the COVID-19 crisis, the data protection authority has deferred adoption of the final version of its recommendation to a later date.
Both the Guide and the future recommendation are non-binding instruments. Their main objective is to set out the CNIL's interpretation of the applicable law, and to provide practical advice on how to translate these legal requirements into compliant user interface diagrams.
Decision of the Council of State
On September 18, 2019, nine professional associations and unions representing the digital communication and marketing ecosystem filed an appeal with the Council of State to request the cancellation of the Guide, on the grounds that the CNIL went beyond what is required by the GDPR and the ePrivacy Directive.
The applicants’ other arguments were all rejected.
The rest of the Guide remains fully applicable, including all of the following:
- Cookies can only be placed, stored or viewed if users have received transparent and complete information; therefore, users should have access to a comprehensive and regularly updated list of data controllers who install cookies on their devices
- Users should be provided with information about all the purposes of a cookie before consenting, even though the user has the option of giving general consent for all purposes.
- Withdrawing and refusing consent should be as easy as giving consent to cookies
- Controllers must be able to demonstrate (at all times) that they have obtained valid consent from the user before placing cookies
- The CNIL may issue non-binding recommendations on the duration of users’ consent to cookies, on the retention period of data collected via cookies, or on the information to be provided to users concerning cookies for which their consent is not required.
Compliance with the recent ECJ decision on cookies required
On October 1, 2019, the European Court of Justice (ECJ) issued a decision on cookies in which it confirmed that the conditions for obtaining valid consent in accordance with the GDPR are applicable to the collection of users’ consent to reading and writing cookies, regardless of whether the information stored or consulted in the users’ terminal equipment includes personal data.
The ECJ has also highlighted the idea that consent to the placement of cookies is not valid if obtained through a default checkbox that users must uncheck to refuse to give consent.
Lack of consensus on cookie walls at European level
The ECJ has not yet provided an analysis of the validity of cookie walls; there is therefore no binding interpretation of the ePrivacy Directive and the GDPR on this point.
On May 4, 2020, the EDPB adopted updated consent guidelines that included the issue of the validity of consent provided by data subjects when interacting with cookie walls. The EDPB specified that, “for consent to be freely given, access to services and features should not be made conditional on a user’s consent to the storage of information, or to access to information already stored, in a user’s equipment terminal (so-called cookie walls)” (see §39). Although the role of the EDPB is to ensure the consistent application of the GDPR, and although it can “issue guidelines, recommendations and best practices in order to encourage a consistent application of the [the GDPR]” (Article 70.1(e) of the GDPR), these guidelines are a non-binding instrument.
Data protection authorities in Member States can therefore maintain their divergent assessments of the validity of cookie walls, until a legally binding interpretation is provided:
- As mentioned above, the CNIL considers cookie walls illegal to the extent that users experience significant inconvenience in refusing or withdrawing their consent to cookies and, therefore, a user’s consent may never be free. The Council of State did not invalidate this position but ruled that the CNIL was not competent to pronounce an absolute ban on cookies by a soft law instrument.
- The Dutch data protection agency shared a similar analysis with the CNIL in a communication dated March 7, 2019.
- The Association of German Data Protection Agencies published a position paper in March 2019, in which it claimed that access to a website could not be made conditional on the user’s consent to non-essential cookies.
- The Irish Data Protection Commission report and guidance (dated 6 April 2020) is less explicit in this regard. Yet, although the guidelines do not expressly cover cookie walls, they suggest that such a practice is not permitted (“We are of the opinion that users should not be harmed when they reject cookies or other tracking technologies other than to the extent that certain functionality of the websites may be affected by the rejection.”).
- The approach of the British Information Commissioner’s Office (ICO) is more nuanced. In its guidance on the ePrivacy Directive, last updated on July 3, 2019, the ICO asserts that individuals should be given a genuinely free choice: therefore, consent to non-essential cookies should not be grouped together as a condition of the service, unless consent is required for that service. Quoting recital 25 of the ePrivacy Directive, according to which “[a]ccess to specific website content may be made conditional on informed acceptance of a cookie or similar device, if used for legitimate purposes,” the ICO explains that data controllers may limit access to certain content if the user does not consent to non-essential cookies, provided that these cookies facilitate the provision of a service that the user has explicitly requested. In this context, the ICO recalled that the right to the protection of personal data must be weighed against other rights, including the freedom to conduct a business.
- The Austrian Data Protection Authority ruled on November 30, 2018 that a website offering users the choice between consenting to cookies or paying a monthly subscription to have full access to website content did not violate the requirement of freely given consent.
- Finally, the Spanish Data Protection Agency published a guide in November 2019 stating that cookie walls are valid as long as users are given appropriate information for this purpose. Such a practice would, however, be illegal if access to a specific website is the only way to exercise a legal right and if a user’s refusal to consent to cookies prevents them from exercising that right.
On June 19, 2020, the CNIL announced that it would adapt its Guide and its future recommendation to strictly comply with the decision of the Council of State, but that the updated documents would not be published before September 2020.
In July 2019, when it first published its Guide, the CNIL announced that it would grant organizations a grace period of six months after the publication of its final recommendation to update their cookie practices. The Council of State approved this grace period in a decision of October 16, 2019. According to the Council of State, this flexibility will not prevent the CNIL from continuing to monitor compliance with the rules of consent, nor will it prevent the CNIL from using its sanctioning power in the event of a particularly serious violation. Therefore, Latham expects the CNIL to adopt a similar grace period when publishing its amended guidance and recommendations.