Cookies and other tracking devices: the Council of State issues its decision on the CNIL guidelines
In its decision of 19 June 2020, the Council of State (Conseil d'État) essentially validated the guidelines on cookies and tracking devices adopted by the CNIL on 4 July 2019. The purpose of these guidelines was to clarify the enhanced legal protection for Internet users with regard to cookies since the entry into force of the GDPR. However, the Council of State overturned the provision of the guidelines prohibiting in a general and absolute manner the practice of "cookie walls", ruling that such a prohibition could not be included in an act of soft law. The CNIL takes note of this decision and will adjust its guidelines and future recommendation to comply with it accordingly.
On July 4th, 2019, as part of its action plan on targeted advertising and following consultation with professionals and civil society, the CNIL adopted guidelines on cookies and other tracking devices in order to clarify the applicable rules and best practices in this area since the entry into force of the General Data Protection Regulation (GDPR).
The purpose of these guidelines is to clarify the conditions under which the GDPR reinforces the rights of Internet users, in order to enable them to maintain control over their personal data against cookies and tracking devices that are frequently used, in particular when browsing websites.
These guidelines were challenged by several professional associations and unions in the online advertising, e-commerce and media sectors.
The scope of the guidelines validated by the Council of State
The guidelines explain the requirements derived from the GDPR regarding the collection of consent for cookies. They also provide a number of recommendations. The protection of the user's personal data is reinforced.
The Council of State validated most of the interpretations or recommendations provided in the guidelines:
- Individuals should be able to decline to give consent as easily as to give consent;
- Individuals must be able to withdraw their consent as easily as they gave it;
- User consent should be given for each purpose, which implies specific information;
- Individuals must be informed of the identity of the controllers depositing cookies; the list containing the identity of the controllers must be made available to them at the time consent is obtained and must be regularly updated;
- Data controllers must be able to demonstrate that they have obtained valid consent to the CNIL.
The Council of State's position on cookie walls
However, in its decision of 19 June 2020, the Council of State suppressed a paragraph in which the CNIL considered that the Internet user should not suffer major inconvenience in the event of the absence or withdrawal of consent. The CNIL considered in particular that access to a website could never be subject to the acceptance of cookies ("cookie walls").
The CNIL had followed the doctrine of the European Data Protection Board (EDPB), which brings together all the European Data Protection Authorities, which had considered, until recently, that “In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls) (Guidelines 05/2020 on consent under GDPR of 4 May 2020).
The Council of State considered that by deducting this general prohibition from the GDPR, the CNIL had gone beyond what is legally possible with guidelines, which are an instrument of "soft law".
The Commission takes note of the Council of State's decision and will comply strictly with it.
The guidelines will be adjusted to the strict extent necessary to draw the consequences of the decision of the Council of State.
Furthermore, as expressed by the Council of State, the guidelines do not specify the concrete modalities by which professionals are recommended to obtain consent for cookies. These modalities are to be specified in a future Commission’s recommendation, which has been the subject of a public consultation.
The adjustment of the guidelines and the adoption of this recommendation should take place after September 2020, according to a timetable which remains to be defined.
The CNIL will thus be in a position to pursue the cookies action plan on targeted advertising, which aims to guarantee Internet users a higher degree of protection, with the GDPR reinforcing the consent requirements.