On 19 June 2020, the Conseil d’État (‘the Council of State’), France’s supreme administrative court, issued a decision (in French) partially annulling the guidelines on cookies and other trackers (in French) (‘cookie guidelines’) issued by the French data protection authority (‘the CNIL’).
The CNIL had adopted the cookie guidelines on 4 July 2019 as part of its action plan on targeted advertising and following consultation with stakeholders to clarify the applicable rules and best practice under the EU general data protection regulation (GDPR). In particular, the cookie guidelines specify the conditions under which the GDPR strengthens the rights of internet users so that they can keep control over their personal data when dealing with cookies and other trackers.
The Council of State's ruling was rendered further to recourses lodged against the cookie guidelines by nine professional associations of online sellers, advertisers and agencies.
The Council of State validated most of the interpretations or recommendations contained in the guidelines, but annulled the CNIL’s ban on so-called ‘cookie walls’.
Confirming the CNIL’s approach, the Council of State considered that:
- although cookies are not personal data, they should follow the same consent rules as personal data since they are written in a user’s personal device, as interpreted in the ECJ ruling C-673/17 of 1st October 2019
- users must be informed of the identity of the data controller who serves the cookies;
- the list containing the identity of data controllers must be made available to users when they give consent and must be updated regularly;
- the user’s consent must relate to each of the processing purposes;
- a data controller must be able to show that they have obtained valid consent; and
- users must be able to withdraw consent as easily as they have given it.
The Council of State also judged that the cookie guidelines could not impose a ban on cookie walls. Indeed, the Council of State considered that, by deducting such a general and absolute interdiction from the sole requirement of free consent laid out in the GDPR, the CNIL exceeded what it can legally do within the framework of soft law, which includes instruments such as guidelines that do not create any legal rights or obligations for anyone but strongly influence the practices of economic operators.
It’s interesting to note that the Council of State did not invalidate the ban itself (it remained silent on this point) but the legal instrument used to impose such a ban. This makes the topic even more difficult, particularly in light of recent European Data Protection Board guidelines (PDF), which state (in para.39) that ‘in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stores, in the terminal equipment of a user (so-called cookie walls)’. It, therefore, remains to be seen how the situation regarding cookie walls further develops.
Finally, the Council of State decided that, although this had been requested by the claimants, there was no need to refer these questions to the ECJ for a preliminary ruling.
The CNIL has already declared (in French) that it has noted the Council of State’s decision and plans to adjust its guidelines ‘to the extent strictly necessary’ in September 2020, when the CNIL (as outlined by the Council of State) has said it will also define the concrete modalities for obtaining valid consent.