French court ruling on 'cookie walls' leaves ad tech sector in state of limbo
Locations
On 4 July 2019, the French Data Protection Authority (CNIL) published its updated guidelines on cookies, (the "Guidelines"), marking the first step in a two-step programme aimed at regulating the adtech sector.
Soon after, in January 2020, the CNIL adopted practical guidance on how to obtain valid consent to cookies (the "Practical Guidance"). These Guidelines aim at "reiterating the applicable law" on cookies including the definition of "consent" as enshrined in the GDPR and the implementation of article 5(3) of the ePrivacy Directive on the use of cookies and similar trackers under French law.
Summary of the ruling
Soon after they were adopted in 2019, several industry associations representing the media, e-commerce, publishing and advertising sectors challenged the CNIL's Guidelines before the 'Conseil d'Etat', i.e. the highest administrative court in France (the "State Council") with the purpose of obtaining the annulment of these Guidelines on the grounds that the CNIL had abused its powers by going beyond what was provided for under the French Data Protection Act. They also asked the State Council to refer no less than 13 preliminary ruling questions to the Court of Justice of the European Union (CJEU) in order to obtain an interpretation on the interplay between the ePrivacy Directive and the GDPR, and a clarification on the legal regime applicable to cookies.
On 19 June 2020, the State Council held that the CNIL had abused its power by stating in its Guidelines that cookies walls were not permitted, and as a result, it struck through this provision in the Guidelines. However, the State Council upheld the rest of the Guidelines by reaffirming the limited role of soft law and also chose not to refer any preliminary questions to the CJEU.
Soft law cannot prohibit cookie walls
As a regulator, the CNIL can adopt soft law, such as guidelines, recommendations or reference frameworks, to ensure compliance with the French Data Protection Act. The CNIL has been using soft law extensively over the years to assist companies' with GDPR compliance. While not legally binding, organizations have an incentive to follow these guidelines strictly by fear of being sanctioned by the CNIL if they fail to do so. Since 2016, however, it is possible to challenge the CNIL's soft-law guidance before the State Council.
In its Guidelines, the CNIL recalls the general principle under the GDPR according to which consent must be "freely" given. Specifically, the Guidelines state: "consent can only be valid if the data subject is able to exercise his or her choice validly and does not suffer from major disadvantages in the event of absence or withdrawal of consent". The CNIL's position on consent in the context of cookies and other tracking technology is based on a previous Statement of the European Data Protection Board (EDPB) on the ePrivacy Regulation issued in May 2018, which states: "In order for consent to be freely given as required by the GDPR, access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited".
In its decision, the French Council considered that the CNIL had simply recalled the position of the EDPB on cookie walls (i.e. that they are not valid under the GDPR) without making it its own position, and thus, it had not given legally binding force to the EDPB's position on cookie walls. While confirming that the CNIL is the competent regulatory body to adopt guidelines on cookies and other tracking technologies, the State Council's ruling nonetheless repeals the CNIL's position specifically on cookie walls on the ground that a "general and absolute prohibition" to implement cookie walls cannot be inferred from the sole requirement to obtain "free" consent under the GDPR. By adopting Guidelines which stated that cookie walls were not permitted, the CNIL had thus abused its power to issue soft law in that regard.
At the same time, the State Council validated all the other points in the Guidelines that were challenged by the plaintiffs, for example, how to inform users about cookies that are exempt from consent, the conditions that apply to analytics cookies, the lifespan of analytics cookies and the period of retention that applies to data that is collected via these cookies. Indeed, the State Council reaffirms that these are all non-binding recommendations and says that the CNIL did not abuse its power when interpreting applicable law. Hence, the State Council appears to have purposefully singled out the CNIL's position on cookie walls while upholding the rest of the CNIL's Guidelines.
So, are cookie walls allowed or not?
The least we can say is that the State Council's decision does create some confusion. This decision comes several weeks after the EDPB's recently issued its updated Guidelines on Consent (released on 4 May 2020), which reaffirm that cookie walls are not valid under the GDPR since they do not allow for free consent[1]. The difficulty in this case is that the State Council did not rule on the merits of the case (i.e. whether cookie walls are valid under the GDPR) and did not pronounce itself on the EDPB's position regarding cookie walls. As a result, this leaves the ad tech sector in France in a state of limbo, not knowing precisely whether cookie walls are permitted or not.
The State Council's decision also raises some questions that will need to be answered. Is the CNIL prohibited from pronouncing any sanctions against organizations that use cookie walls? Must there be a law in France that explicitly prohibits cookie walls in order for the CNIL to enforce such rules? Will the EDPB have to revisit its position on cookie walls?
It is worth reminding that, despite some minor divergences between data protection authorities in the EU, overall they have similar positions on cookie compliance. The EDPB's guidelines are of a higher authority than national guidance in that they reflect the common position of the 27 EU Member States. Therefore, there seems to be a conflict now between the State Council's ruling and position of the EDPB on cookie walls. As a permanent member of the EDPB, this also puts the CNIL in a difficult position.
Ad tech companies in France now find themselves between the rock and a hard place, with the EDPB's position and the State Council's ruling conflicting one another.
What impact will the State Council's ruling have on enforcement against the adtech sector?
As a result, the State Council's decision is likely to delay enforcement against the adtech sector in France. As recalled recently, the CNIL announced that cookie compliance would be one of its top priorities under its enforcement strategy for 2020. However, upon reacting to the State Council's decision, the CNIL reported that it will amend its Guidelines, along with its Practical Guidance. Both are expected to be published in September 2020 at the earliest.
The CNIL had already announced that it would only start enforcing its Guidelines after a six-month grace period, once the final version of the Practical Guidance was adopted. Until then, enforcement would be limited to the unchanged provisions of its 2013 guidelines. It is worth noting that already under its previous cookies guidelines of 2013 the CNIL prohibited cookie walls on the ground that users who refused the use of cookies should continue to benefit from the given service, i.e. access to a website. Now that the ban on cookie walls has been removed from the CNIL's Guidelines, it remains to be seen if and whether the CNIL will be able to pronounce sanctions against companies who implement cookie walls.