On June 19, 2020, the Conseil d'Etat issued a decision regarding the guidelines published by the Cnil regarding cookies[1], following an appeal filed by professionals in the digital sector.
These guidelines, which date from July 4, 2019, are intended to remind the law applicable to read or write operations in a user's terminal and in particular the use of cookies and other tracers.
In this decision, the Council of State rejects the general and absolute prohibition to integrate a "cookie wall" into websites, which blocks access to the site to the user who has not consented to the deposit of cookies and tracers on the device he uses to browse the Internet (computer, tablet, smartphone ...).
The CNIL stated in its guidelines that the validity of the Internet user's consent was subject to the condition that he or she would not suffer any major inconvenience, such as the impossibility of accessing a website because of a "cookie wall", in the event of the absence or withdrawal of consent.
The Conseil d'Etat indicated[2] that by interpreting the validity of the consent of Internet users in this way, the CNIL exceeded its competence by deducing a general and absolute prohibition from a legal provision that only mentions the requirement of "free consent".
Thus, the published decision does not have the effect of censoring the Cnil's deliberation, but rather of reminding us of the contours of its normative power with regard to its mission of accompanying and informing with regard to the applicable regulations (difference between standard regulations, recommendations, guidelines, opinions, etc.).
The CNIL indicates that it takes note of this decision and that it will strictly comply with it by adjusting the content of its guidelines and by specifying the methods of collecting the consent of Internet users with regard to cookies in a future recommendation, which is expected to be published in 2020.
The stakes were high insofar as these guidelines, which provide professionals with the CNIL's interpretation of the applicable regulations, may lead them to see heavy administrative penalties imposed on them as a result of the entry into force of the RGPD on 25 May 2018.
The publication of the amended guidelines, as well as the future recommendation, should enable new technology actors to bring their website(s) into compliance with the provisions on the protection of personal data, thus securing a particularly exposed area of non-compliance.
[1] Deliberation No. 2019-093 of July 4, 2019 adopting guidelines on the application of Article 82 of the amended Act of January 6, 1978 to read or write operations in a user's terminal (including cookies and other tracers)
[2] EC n°434684, 19 June 2020, paragraph 10.