CNIL takes stand against 'cookie walls'

Out-Law News | 29 Jul 2019 | 3:56 pm | 1 min. read

Website operators cannot cut consumers off from their services when those consumers do not consent to the use of 'cookies', France's data protection authority has said.

Cookies are small text files that record internet users' online activity. Some businesses require internet users to consent to the use of cookies to gain access to their web services. However, these so-called 'cookie walls' have proven controversial and have attracted substantial scrutiny. The Commission nationale de l'informatique et des libertés (CNIL) has now confirmed its opposition to their use.

CNIL confirmed its position in new cookies guidance it has published. It said website operators must "leave the possibility to users to access the service even in case of refusal to consent".

EU rules set out in the Privacy and Electronic Communications (e-Privacy) Directive state that storing and accessing information on users' computers is, generally, only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing".

An exception to the consent requirements exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user.

CNIL decided to repeal and replace its previous cookies guidance in light of the fact that the General Data Protection Regulation (GDPR), which took effect last year, has altered the standard of consent that needs to be obtained for the use of cookies. This stems from the fact that the concept of consent under the e-Privacy regime takes its lead from EU data protection law.

CNIL's new guidance also addresses the question of identifying the data controller or controllers when several entities are involved in the deposit and reading of the cookies’ data, and the CNIL has further confirmed that internet users that navigate beyond the homepage cannot be considered to have provided their consent to the place of cookies on their devices, Paris-based data privacy expert Annabelle Richard of Pinsent Masons, the law firm behind Out-Law, said.

According to CNIL, it will issue a more detailed recommendation on how the new consent rules work in practice for cookies in the first quarter of 2020. A draft recommendation will be published following a six month consultation exercise, and a final recommendation issued following a further six week consultation, it said.

Businesses will have six months from the date on which the final recommendation is issued to adapt their practices to comply with the new requirements, CNIL said. The regulator confirmed, though, that it could still raise enforcement against businesses during the six month transition period in relation to aspects of the cookies regime which have not been modified by the new consent rules.

The UK's Information Commissioner's Office (ICO) also recently updated its own guidance on cookies. Both the ICO and CNIL chose to issue refreshed guidance despite the prospect of reforms to the EU e-Privacy rules.