The CNIL is firmly pursuing its legal fight against cookie walls, firing two meaningful bullets at two giants of big tech (Google and Amazon). On 7 December 2020, the CNIL imposed sanctions of 100 million euros on Google (Google LLC and Google Ireland Limited) and 35 million euros on Amazon for violating the e-Privacy Directive (Directive 2002/58/EC as transposed in Article 82 of the French Loi “Informatique et Liberté” n° 78-17 of 6 January 1978), in particular as regards the transparency duties about cookies, the possibility to refuse cookies, and the informational architecture of cookie collection (which is accused of being based on an opaque and defective opt-out mechanism).

This case raises important legal issues in terms of a) territoriality of e-privacy rules; b) the interpretational relationship between the e-Privacy Directive and the GDPR (in particular on the notion of freedom of consent); c) the ambiguous lawfulness of “cookie walls” under the existing EU data protection legislation.

 

The Background

These two CNIL deliberations are just one more episode in the long “saga” of the CNIL’s activity against big tech industries about cookie walls and data subjects’ freedom of consent. In January 2019, the CNIL had already imposed a 50 million euro penalty on Google for the lack of validity of consent for ads personalisation under the GDPR (not the e-Privacy Directive). In that case, the CNIL observed that Google, when processing data for marketing purposes, collected data subjects’ consent that was invalid under Article 7 GDPR for two reasons: that consent was not adequately informed (the relevant information about the data processing was accessible only after several steps and hyperlinks and was not clearly intelligible) and was not “specific and unambiguous”, because the specific different purposes were not clarified and the data subject could decide about ads personalisation options only after different steps and clicks (and it was, moreover, a pre-ticked box).

As regards the specific issue of cookies and compliance with the e-Privacy Directive, France has been a central battlefield for the crucial question: are cookie walls allowed under EU data protection law or not? Under the e-Privacy Directive and Article 82 of the French Law, cookie-related data processing should be based on consent, but:

  1. for cookies that facilitate the electronic communication or are necessary for the provision of internet services, consent is not necessary;
  2. for other (e.g., ads-based) cookies, consent may result from appropriate parameters of her connection device or any other device placed under her control;
  3. recital 25 of that directive stated that “access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose”.

This set of provisions seems compatible with cookie walls, i.e. imposing cookies on the data subject as a condition for accessing a website. However, the approval of the GDPR in 2016 has given much more importance to the freedom of consent for data processing: if the provision of a service (including access to website content) is conditional on the data subject’s consent to the processing of unnecessary personal data, that consent is probably not free (Article 7(4)). In addition, withdrawing consent should never lead to adverse effects for the data subject (i.e., denying access to a website to subjects who refuse their consent should not be permitted) (recital 43).

This conflict of norms (cookie walls formally permitted by the e-Privacy Directive and substantially prohibited by the GDPR) has been addressed by the European Data Protection Board in different documents (see, lastly, Guidelines 5/2020), which emphasized that the new concept of freedom of consent (in the GDPR) should inspire a more restrictive interpretation of the cookie-wall rules in the e-Privacy Directive: it is possible to make only specific contents of a website conditional on the subject’s consent to cookies, but generalized cookie walls seem to violate the notion of valid consent under the GDPR. At the same time, the CJEU in the Planet49 case (2019) affirmed that the data subject’s consent for cookies is not validly constituted if it is based on a pre-checked checkbox which the user must deselect to refuse his or her consent.

These Solomonic interpretations have led national Data Protection Authorities to take firmer steps: in July 2019 the CNIL declared any form of cookie wall unlawful. This decision was invalidated in June 2020 by the French Conseil d’Etat, which affirmed that the CNIL had abused its power. As a reaction, in September 2020, the CNIL released new Guidelines affirming that a cookie wall “is likely to infringe, in certain cases, the freedom of consent”. Thus, “if a “cookie wall” is set up, and subject to the lawfulness of this practice which must be assessed on a case-by-case basis, the information provided to the user should clearly indicate the consequences of her choices and in particular the inability to access content or service without consent” (italics added).

Thus, trying at the same time to reconcile the GDPR with the e-Privacy Directive, and also the EDPB’s Guidelines with the Conseil d’Etat’s admonishments, the CNIL adopted a case-by-case compromise on cookie-related data processing. However, while such a case-by-case approach might appear advantageous for data controllers (because it is not a strict prohibition of cookie walls), there is another side of the coin: considering the circumstances of the case, in some specific contexts even “de facto” cookie walls (i.e., informational architectures that make the refusal of cookies very difficult) might be abusive and unlawful. That is the case of the deliberation of 7 December 2020, which is also the first opportunity for the CNIL to enforce its new “cookie Guidelines” of 17 September 2020.

Why penalties were imposed on Google and Amazon

The declared violations of the GDPR by Google and Amazon concern two aspects: information duties and lawfulness of cookie policies. What the CNIL seems to suggest is that the two big tech companies created “de facto” cookie walls that are unlawful.

In principle, cookies that are not necessary for the proper functioning of the website can be installed and accessed only after the data subject has been adequately informed (through a “user-friendly” communication, according to recital 25 of the e-Privacy Directive) and has provided her consent. The CNIL observes that when data subjects go to Google.fr, the first pieces of information appearing on the “privacy” banner are not related to cookies. Nevertheless, several cookies (also for ads purposes) are immediately installed on the user’s device. In addition, even after clicking on “more information”, the user cannot immediately understand which cookies are collected and for which purposes. She cannot even disable those cookies, unless she scrolls through the whole privacy policy (avoiding clicking on any hyperlink) and finally clicks on “other options”.

After the CNIL’s investigation started, Google changed its transparency policy about cookies. However, the CNIL finds that, even considering these improvements, the declared purposes for cookie-related data processing are generic and not specific enough; the effects (e.g., personalization of ads on different Google services) are not adequately communicated; and the procedures to refuse cookies are still hidden behind opaque buttons like “options” or “more information”. Moreover, the CNIL found that even if the user opts out, some unnecessary cookies are still kept on the user’s device: in other terms, the opt-out system is not only opaque but also defective (“défaillant”). Lastly, the CNIL argues that the expression “withdraw your consent” used by Google is “abusive”, since consent was never really given by the subjects, but presumed under an opt-out system.

The reasons why the CNIL has imposed penalties on Amazon are similar. In particular, when the data subject accesses Amazon.fr she can only read a banner affirming “using this website you accept our use of cookies to offer and improve our services”. This is a violation of the last CNIL Guidelines of September 2020 (and of the CJEU Judgement “Planet49”): there should be an unambiguous expression of consent, and the opt-out system (that was accepted before the GDPR) is no longer acceptable.

In sum, the CNIL argues that the whole informational architecture of the two big tech industries for cookie collection is not based on a transparent opt-in system (which is the only acceptable one) but on an opaque opt-out system, which results in an obstacle race for data subjects.

Territoriality

The territorial scope of the CNIL’s activity and of the applicability of French Law was also a topic of discussion. Google affirmed that, under the GDPR, the cooperation mechanism requires that the Data Protection Authority of the Member State where Google has its main establishment (Ireland) should take the lead of the infringement procedure (i.e. the Irish Data Protection Authority). Amazon claimed that, since its main establishment is in Luxembourg, it respects Luxembourgish legal rules on cookies and should not be asked to respect French rules (which, by the way, are more restrictive and severe).

The CNIL rejected both arguments: cookie-related personal data are regulated by the e-Privacy Directive, where the cooperation mechanism indicated by the GDPR cannot apply. In addition, the e-Privacy Directive allows (at Article 15a) Member States to determine, under their national law, the procedures to enforce e-privacy rules. Accordingly, each Member State can follow its own national rules (implementing the EU directive). The applicability of French Law and the competence of the CNIL are evident since cookies are installed in the hardware devices of data subjects who are in France: the data processing happens in France and, thus, the territoriality principle of the French Loi Informatique et Liberté (Article 3) is respected.

Conclusions

These two CNIL decisions are important not only for the size of the sanctions, but also because they are the first important CNIL deliberations after the CJEU case Planet49 and after the difficult sequence of CNIL Guidelines (of 2019 and 2020) against cookie walls.

The main lesson that we could learn from these decisions is that not only are cookie walls (on a case-by-case basis) likely to be unlawful, but “de facto” cookie walls are also generally unlawful. In other terms, forcing the data subject to run a difficult obstacle race of clicks, scrolls and ambiguous buttons before being able to refuse cookies has the same effect as a cookie wall and should be prohibited.

Looking at the broader picture, this last episode of the long and vibrant saga about cookie rules in Europe makes clear the urgency of a reform of the e-Privacy Directive. The prohibition of cookie walls is not explicit in EU law (the e-Privacy Directive seems to tolerate them, in conflict with the GDPR’s notion of consent as interpreted by the EDPB). In addition, it is not clear why the procedural rules of the GDPR (e.g., the cooperation mechanism) cannot be applied to the e-privacy rules too, which are instead fragmented into many different national rules (that are often incompatible with each other). However, an EU reform of e-privacy rules still seems far from being approved.