



CNIL, the French data protection agency, recently released new guidelines regarding the use of cookie walls.
The EDPB guidelines on cookie walls initially gave businesses the impression that cookie walls were universally forbidden. However, CNIL has decided to ease these rules slightly.
Does this make it easier for businesses? Not exactly.
The guidelines remain so vague that businesses might struggle to determine whether their use of cookie walls in France is justifiable and legal. In this article, we'll explain the criteria determining the legality of cookie walls, but it will be up to you to ensure your practices are within legal bounds or risk facing potential fines.
A cookie wall is a type of cookie notice that blocks users from accessing a website unless they accept cookies.
Under GDPR rules, however, cookie consent must be freely given, and consent that's conditional on website access is not considered freely given. Consequently, such consent is invalid, making cookie walls illegal.
The EDPB guidelines were straightforward about this, but CNIL's new guidelines on the same issue are less clear-cut.
In the past, CNIL banned cookie walls, echoing the EDPB measures. However, this decision was challenged in the French Administrative Court. The court ruled that the data protection agency had overstepped with its total ban on cookie walls, prompting CNIL to issue new guidelines.
According to the CNIL guidelines, cookie walls can be used in certain instances if they meet specific criteria. The guidelines address four primary questions about the use of cookie walls:
Imagine that a user opts out of trackers by clicking the 'decline' button. In this case, the CNIL advises site publishers to provide a genuine and fair alternative for accessing the site without requiring data consent.
If the site publisher cannot offer this, they must demonstrate to the CNIL that another publisher provides non-conditional access to the same type of content. Websites that require cookie consent for access must ensure there's no power imbalance with the user that could limit a genuine choice. They should make the alternatives easy to access.
Potential imbalances could occur when:
However, a media outlet that publishes the same type of content as many other media companies can easily prove that there are alternative sources of such information.
Moreover, if a website conditions access on either accepting trackers or paying, the paid option is generally considered a permissible alternative to tracker consent. However, the cost should be reasonable and should not deprive users of a real choice.
CNIL doesn't specify what constitutes a reasonable rate for payment as an alternative to tracking visitors. It is up to you to determine this, ensuring you don't violate the law.
CNIL simply states that if a publisher wishes to set up a paywall, they must be able to justify its affordability. CNIL also recommends that publishers share their pricing analysis for increased transparency with users. This is not an obligation, merely a recommendation.
No, because this would imply that consent is not freely given, which renders it invalid. While it's not prohibited to condition site access on consent for one or more tracker purposes, the publisher must ensure their cookie wall includes only purposes tied to fair service compensation. For instance, if a publisher's revenue relies on income from targeted ads, only consent for this purpose should be necessary for site access. Non-consent to other purposes (like content personalization) should not impede access to the site content.
Moreover, publishers should clearly inform users about the purposes that require consent for service access. CNIL specifically emphasizes that targeted ads and content personalization are two distinct purposes when determining conditions for accessing the service. In services like YouTube, this would mean they can use data to inform the algorithm of user preferences, but not for serving ads.
In essence, your business model can justify the use of cookies in certain instances.
As a general rule, no cookie should be used when the user refuses them and chooses the alternative proposed by the publisher. In such a case, only trackers necessary for the operation of the website may be used.
In some instances, the website operator can request consent from the user for access to content hosted on third-party websites. For example, when a YouTube video is embedded on the site or when using social media sharing buttons.
The user's consent could be collected, for instance, within a dedicated window displayed when the user wants to access the content.
The user must always have the opportunity to set their own cookie preferences.
In summary, CNIL cookie wall guidelines permit you to: