Background

As noted, CNIL's new guidance arrives in the context of a complex regulatory patchwork knit by several major regulatory stakeholders at a national and EU level. Cookie walls have been the subject of major contention in ePrivacy regulation for many years now, with the issue of whether their implementation runs contrary to the key principle of freedom of consent under data protection law at the centre of debates.

Caught between the EDPB and the Council of State?

The prevalent regulatory approach in Europe is that currently advocated by the European Data Protection Board ('EDPB') in its Guidelines 05/2020 on Consent under Regulation 2016/679 whereby the EDPB provides in no uncertain terms that '[i]n order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information (paragraph 39 of the Guidelines)'.

In France, following the EDPB's approach, CNIL sought to lay down a general prohibition on cookie walls through the Cookie Guidelines as originally adopted in July 2019. However, the French Council of State then issued a decision annulling the provisions of the Cookie Guidelines laying down the general prohibition against cookie walls, reasoning that CNIL had exceeded its legal powers. Notably, however, the Council of State did not expressly rule on the validity of cookie walls themselves, but rather the extent of CNIL's powers.

Sixtine Crouzet, Associate at Fieldfisher, shed further light on the above situation and its impact on cookie practices in France:

"CNIL was in an awkward position – caught between the EDPB's interpretation and the decision of the Council of State, with which it had to comply. This new guidance is welcome to the extent that it seeks to fill in the regulatory gap that has been existing in France since then. Following the Court's decision, CNIL reversed its position on cookie walls: it considered that cookie walls need to be assessed on a case-by-case basis to ensure that user consent for cookies is 'freely given'. While the CNIL had to open the door to cookie walls, websites or mobile apps did not have any clear and tangible criteria to perform this case-by-case analysis. Since then, and despite the lack of regulatory guidance, the practice of cookie walls and paywalls has flourished online".

CNIL's guidance and the Draft ePrivacy Regulation

The regulation of cookie walls has been one of the several key sticking points for stakeholders over the course of the five-year period of deliberations over the Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) ('the Draft ePrivacy Regulation') which would see the fragmented Member State regulatory approaches to cookies that multinationals are now familiar with consolidated into a coherent EU-level position. Whilst other EU data and digital initiatives such as the Data Governance Act and the Digital Markets Act have stormed through trilogue negotiations between the EU authorities, official communications on the Draft ePrivacy Regulation have been stalled since February 2021, when the Council of the European Union announced that Member States had agreed a mandate to commence negotiations will the European Parliament.

Under the text established by the Council's mandate, cookie walls would be permissible, provided that users are offered a choice between:

• consenting to the use of cookies for certain purposes; and
• an 'equivalent offer' by the same provider that does not entail the use of cookies.

With the above in mind, Crouzet made the following assessment of the likely shelf-life of CNIL's new guidance:

"At first glance, the timing suggests that the CNIL's guidance is temporary given that the future ePrivacy Regulation – once adopted – will be directly applicable in France and will prevail over regulatory guidance. However, the CNIL's position presents similarities with the position agreed upon by the Council in February 2021 before the trilogue negotiations started with the European Parliament and the Commission to agree on a final text. Should the Council's position survive the trilogue process, this means that the final text of the CNIL's guidance may be partly in line with the final ePrivacy Regulation".

The assessment criteria

Against the above backdrop, the new guidance issued by CNIL highlights that although the requirement of 'free' consent under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') does not lead to a general ban on the practice of cookie walls, their legality must be assessed by taking into account, in particular, the existence of real and satisfactory alternatives offered in the event of users refusing the deposit of cookies on their terminal devices.

Criteria 1: Service provider or third party must provide 'a real and fair alternative' to walled content or services

As a first criterion for ensuring that cookie walls do not contradict the requirement of freedom of consent, CNIL's guidance stipulates that, either:

• the publisher must offer a real and fair alternative allowing access to the site and which does not imply having to consent to the use of their data; or

• the publisher must be able to demonstrate, in particular to CNIL, that another publisher offers such an alternative without imposing a cookie wall.

Further to the above, CNIL outlines that the publisher of the site imposing a cookie wall must in any case be wary of an imbalance of power in respect of the internet user which would undermine freedom of choice, specifically stipulating that the publisher must therefore ensure the user's ease of access to the alternative means of accessing the services or content. Additionally, CNIL further specifies that such imbalance may arise in the event of exclusivity of the publisher on the content or services offered, or when the user has few or no alternatives to the service and therefore has no real choice as to the use of cookies, for example in the case of dominant or essential service providers.

Commenting on this criterion, Crouzet noted, "[l]ast year, the EDPB called on the European legislator to explicitly prohibit 'take it or leave it' cookie practices, which make access to a service conditional on the forced acceptance of cookies. However, the EDPB did consider that users could have the choice between accepting cookies or 'fair alternatives' offered by the same service providers".

Although noting correlations in the approaches advocated by the key regulatory stakeholders, Crouzet highlights that more granular guidance on this criterion is still wanting:

"While the Council, the EDPB and the CNIL all mention the concept of a 'fair' and 'equivalent' offer, none of them provide practical factors to clarify that concept. Will it depend on whether the main features of the website are available? On whether most content is freely accessible? What about requiring users to login to the website if they do not accept cookies? Or more generally requiring users to provide their personal data? What about offering a website with more tracker-free ads?"

Criterion 2: Paywall price must be 'reasonable'

In addition, CNIL outlined that offering a paid alternative (i.e. requiring either the acceptance of cookies or remuneration for the services provided) is not prohibited in practice. However, CNIL stipulated that the price must be reasonable, i.e. not so high as to deprive users of a real choice. As opposed to setting out specific thresholds, CNIL noted that the determination of what is 'reasonable' is subject to a case-by-case analysis, further outlining that those wishing to implement a paywall must be able to justify the reasonableness of the monetary consideration offered. In addition, CNIL recommended that, for the purpose of transparency, such analysis should be published.

Crouzet highlighted the novel nature of this criterion and noted potential difficulties in the implementation for organisations and enforcement for CNIL, respectively:

"The Council's mandate does not explicitly refer to paywalls. It will necessarily be difficult for websites and apps to set a price at a level considered 'reasonable' and to justify such level based on objective criteria. According to the CNIL, an organisation could ask users to pay subscription fees or allow them to use virtual wallets to make punctual payments. More specifically, websites could choose to calculate the revenue that they obtain from the use of advertising cookies and ask users refusing advertising cookies to pay a fixed price on that basis. Such price will therefore be specific to the website's business model and how advertising revenue is obtained. If a dispute over price levels were to end up before the CNIL, the discussion would necessarily be based on economic considerations – which the CNIL is not used to tackling."

Criterion 3: User account creation must correspond to specified purposes

As an additional requirement, CNIL specifies that where website or app operators require users to create a user account, it must ensured that such an obligation is justified in relation to the intended purpose, noting that this will be the case when it comes to allowing a user who has chosen to take out a subscription (monthly or annually), to benefit from this subscription on other terminals.

Additionally, the guidance provides that websites and apps must, in relation to user account creation:

• inform users of the use of their data;
• limit the collection to only the data necessary for the objectives pursued; and
• ensure that, if the publisher wishes to reuse the data collected during the creation of the account for other purposes, it has previously and clearly informed the user and obtain, if necessary, the consent of users for these new purposes.

Criterion 4: Pay/cookie walls must correspond to specified cookie purposes

Recalling the established principle that the lack of possibility to accept or refuse trackers according to their objective, purpose by purpose can affect the user's freedom of choice and therefore the validity of consent, CNIL highlighted that where cookie walls are implemented, the publisher must demonstrate that it is limited to the purposes which allow fair remuneration for the service offered. To illustrate this requirement, the guidance provides that if a publisher considers that the remuneration for its service depends on the income it could obtain from targeted advertising, only consent for this purpose should be necessary to access the service; the refusal to consent to other purposes should not prevent access to the content of the site.

Criterion 5: Where an alternative to cookie walls is selected, cookies may only be deposited in limited circumstances

The guidance further stipulates that, as a general rule, where the user chooses the publisher's alternative to the cookie wall, no cookies or similar trackers should be deposited by the publisher, with the exception of those strictly necessary for the provision of the requested service. However, as a further exception, CNIL noted that publishers may request, on a case-by-case basis, the user's consent to the deposit of cookies or similar trackers when the latter are required to access content hosted on a third-party site (e.g. to view a video hosted by a third-party site), provided that the required information is made available to users, including:

• the fact that activation of external content requires purpose-specific consent;
• a link to the privacy policy (in French) of the external content provider;
• the possibility of easily withdrawing consent at any time; and
• the consequences of not providing consent, i.e. not being able to access the service.

Implementation challenges for organisations

Generally commenting on the above outlined criteria, Crouzet highlighted, "[w]ebsites and apps implementing a cookie wall in France will need to document the lawfulness of this practice in light of the CNIL guidance. Applying the CNIL's criteria will necessarily prove difficult as there will be no 'one-size-fit-all' justification and websites and apps will have to draft this assessment on a case-by-case basis. More specifically, the criterion of 'real and equitable alternative' implies that websites implementing a cookie wall will have to benchmark competing offers. Furthermore, the CNIL will likely expect that they update their assessment overtime and monitor whether the alternatives still exist".

Enforcement and next steps

Following the publication of the guidance, organisations are likely to be questioning how the criteria will be enforced by CNIL, particularly in light of CNIL's recent enforcement campaign against the practice of making cookies difficult to reject. On this point, Crouzet makes the following assessment:

"The CNIL does not specify any timeline regarding enforcement, and does not mention whether there will be a grace period, therefore it is possible that the regulator may wait until the EU co-legislators reach a final agreement on the ePrivacy Regulation and on cookie walls. So far, CNIL's enforcement of cookie rules has been limited to specific areas of non-compliance, namely whether giving consent for cookies was as easy as rejecting cookies and whether cookies were automatically being set on users' devices. However, the CNIL did highlight that it has been receiving a number of complaints from users facing cookie walls. This suggests that the CNIL may still turn to enforcement to address these complaints".

On a final note, Crouzet drew attention to the fact that CNIL chose to describe the above criteria as 'a first set of criteria'. Analysing this choice of words, Crouzet surmised, "[t]his implies that the CNIL will follow up and release more guidance on the topic. Hopefully the additional guidance will depend on the evolution of the draft ePrivacy Regulation."

Alexis Galanis Lead Privacy Analyst
[email protected]

Comments provided by:
Sixtine Crouzet Associate
[email protected]
Fieldfisher (Belgium) LLP, Brussels