CNIL, Europe’s strictest Data Protection Authority, is not invincible after all

The French Commission Nationale de l’informatique et des Libertés (CNIL), known for its strict interpretation and zealous enforcement of the General Data Protection Regulation (who can forget the €50 million fine it imposed on Google?), must now partially change its draft guidelines on cookies and other trackers after a ruling of the Conseil d’État.  

The CNIL published new guidelines on cookies and other tracking devices in July 2019, as part of its action plan on targeted advertising. Among other things, the CNIL introduced a ban on cookie walls (i.e. a pop-up notice that restricts access to a website or a mobile app until the user consents to the use of cookies and other trackers). The CNIL’s approach is similar to that taken by the European Data Protection Board in its guidelines on consent under the GDPR, as well as by the Dutch DPA. These regulatory authorities consider that, when faced with a cookie wall, a user does not have a real choice to accept or reject cookies; she must either accept tracking or leave the website altogether. Such a take-it-or-leave-it approach, these authorities argue, does not sit well with the GDPR requirement that consent be freely given.

However, the French Conseil d’État recently ruled that this outright ban on cookie walls cannot legally be included in the CNIL guidelines. By deducing such a general and absolute prohibition from the GDPR principle of free consent, the CNIL exceeded its legal powers in the context of enacting a soft law instrument, the Council of State found. The CNIL issued a statement confirming that it will amend its guidelines on cookies and other trackers to reflect this decision.   

This win is significant for publishers and ad tech companies, which will be able to continue offering free content in exchange for advertising, said the president of IAB France and VP of the Mobile Marketing Association in France. As long as consumers are presented with alternative options for accessing content (e.g. the choice between cookie tracking, paywall or registering for free with an email), consent can be deemed to be valid.

While ad tech actors falling under the supervision of the strict French DPA may have heaved a sigh of relief, the ruling does not curb the CNIL’s strict interpretation of other GDPR requirements. For example, in its draft recommendation on cookies and other trackers, the CNIL has interpreted the requirement that consent be freely given as requiring data collectors to give users a clear choice between “accept” and “refuse”, or between “consent” and “not consent”. This goes beyond the interpretation of this requirement by other DPAs, which require data collectors using an “accept” button to give equal prominence to a “reject” button or to a “manage cookies” button, the latter bringing data subjects to another layer of information where they can manage cookies by cookie type and purpose (you can read about the diverse interpretations of the GDPR and the effect they have on ad tech actors in the paper I have co-authored with Damien and Dimitrios).

All in all, while providing some clarity as to the use of cookie walls in France (and acting as a reminder that the CNIL’s powers are not infinite), the Conseil d’État’s decision also highlights the failure of the GDPR to harmonise the EU data protection framework. As long as DPAs across the EU are free to adopt divergent interpretations of GDPR provisions (and national courts are competent to rule on these interpretations), the dream of achieving true harmonisation will not become a reality. Cookie walls are just an example.
