France: Practical do's and don'ts for cookie walls and paywalls
Website operators should take note that they may be breaking the law if they force visitors to accept cookies or pay for access. The latest guidance on website cookie walls, published on 16 May 2022 by the French data protection authority ('CNIL'), sheds some light on criteria for assessing the legality of cookie walls1. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, breaks down the guidance into practical steps for website operators.
For background, a cookie wall conditions access to a service on the internet user's acceptance of certain tracers on their terminal (such as a computer or smartphone). If the user refuses the cookies, some sites ask for monetary consideration: a 'paywall'.
According to the Conseil d'Etat, an outright ban on cookie walls is a violation of the freedom of consent. It needs to be assessed on a case-by-case basis, and that is where CNIL and its latest guidance comes in.
Do's and don'ts
CNIL has offered some helpful do's and don'ts to navigate this difficult area of privacy law.
- DO demonstrate that there is a real and fair alternative to access the content. You must show that there are alternative ways to get to the content without consenting to data collection. This is difficult if the publisher has exclusivity over the content or services, or is a dominant or essential service provider.
- DO be reasonable if you want to require payment as an alternative. Charging a fee is not prohibited per se, but that payment needs to be reasonable as determined on a case-by-case basis.
- DO justify the reasonable nature of the monetary consideration you are offering. CNIL recommends publishing the analysis, which is somewhat similar to the California Consumer Privacy Act of 2018 ('CCPA') regulations financial incentive reasonable consideration analysis.
- DO consider non-traditional forms of payments, such as micropayments from a virtual wallet. These can be made on an ad hoc basis to a particular content or service in a fluid manner and without it being necessary for the internet user to register their bank card data with the publisher.
- DO tell internet users about the use of their data.
- DO limit the collection to only the data necessary for the objectives pursued.
- DO ensure that you have clearly informed an internet user if you wish to reuse data collected during the creation of the account for other purposes. If necessary, secure the consent of the internet users for these new purposes.
- DO make sure you can demonstrate your cookie wall is limited to the purposes which allow fair remuneration for the service offered. For example, if you consider that the remuneration for your service depends on the income you could obtain from targeted advertising, only require consent for this purpose. Refusal to consent to other purposes, like the personalisation of editorial content, should not then prevent access to the site's content.
- DO clearly inform internet users of the purposes for which it is necessary - or not - to consent to access the service.
- DO consider what, if any, cookies you can still deposit if the user chooses paid access. In general, this should be limited to necessary cookies, but you may request, on a case-by-case basis, the internet user's consent to the deposit of tracers when they are required to access content hosted on a third-party site (like a video), that requires the use of a cookie that is not strictly necessary, or a service requested by the user (like access to sharing buttons on social networks). In this regard, a user's consent could be collected, for example, within a dedicated window displayed when the user wishes to activate the content, but there must be clear information concerning:
- the possibility of easily withdrawing consent at any time;
- the consequences of the refusal or withdrawal of consent concerning the deposit of tracers, including the impossibility of accessing external content; and
- in any case, the internet user must be able to go themselves to the settings of the site to consent to certain uses (like the personalisation of editorial content).
- DON'T require the creation of a user account unless you can ensure that this is justified in relation to the intended purpose, for example, by allowing a user who has chosen to take out a monthly subscription to benefit from this subscription on other terminals.
- DON'T use a cookie wall to systematically impose acceptance of all trackers on a website. The lack of ability to accept or refuse trackers according to their objective, purpose by purpose, can affect the user's freedom of choice and therefore the validity of their consent.
Echoing DSB guidance
Additionally, the FAQs outline the DSB's position regarding cookie walls and the so-called 'pay or okay' approach. In fact, the DSB reiterated its previously stated position that, in principle, it is permissible to offer payment for access to a website as an alternative to consent. However, the DSB stated that there is a caveat: this is only the 'current' view of the DSB, as for the time being there is no case law from the Court of Justice of the European Union on this topic.
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia
1. Available at: https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookie-walls/la-cnil-publie-des-premiers-criteres-devaluation (only available in French)
2. Available at: https://www.dsb.gv.at/download-links/FAQ-zum-Thema-Cookies-und-Datenschutz.html (only available in German)