June 19, 2023

CNIL Cookie Wall Guidelines

Understand the latest guidelines from CNIL, the French data protection agency, on the use of cookie walls. Discover the criteria determining the legality of cookie walls and ensure your practices align with the regulations. Stay compliant to avoid potential fines.

CNIL, the French data protection agency, recently released new guidelines regarding the use of cookie walls.

The EDPB guidelines on cookie walls initially gave businesses the impression that cookie walls were universally forbidden. However, CNIL has decided to ease these rules slightly.

Does this make it easier for businesses? Not exactly.

The guidelines remain so vague that businesses might struggle to determine whether their use of cookie walls in France is justifiable and legal. In this article, we'll explain the criteria determining the legality of cookie walls, but it will be up to you to ensure your practices are within legal bounds or risk facing potential fines.

What is a Cookie Wall?

A cookie wall is a type of cookie notice that blocks users from accessing a website unless they accept cookies. However, under GDPR rules, cookie consent must be freely given; consent that's conditional on website access is not considered freely given. Consequently, such consent is invalid, making cookie walls illegal.

The EDPB guidelines were straightforward about this, but CNIL's new guidelines on the same issue are less clear-cut.

In the past, CNIL banned cookie walls, echoing the EDPB measures. However, this decision was challenged in the French Administrative Court. The court ruled that the data protection agency had overstepped with its total ban on cookie walls, prompting CNIL to issue new guidelines.

What Do the CNIL Cookie Wall Guidelines Say?

According to the CNIL guidelines, cookie walls can be used in certain instances if they meet specific criteria. The guidelines address four primary questions about the use of cookie walls:

  • Does the user who refuses cookies have a fair alternative to access the content?
  • What is a reasonable price for a paywall?
  • Can a cookie wall or a paywall automatically mean acceptance of some types of cookies?
  • If the user chooses paid access without consenting to cookies, in what (limited) cases can tracers still be deposited?

Does a user who refuses cookies have a fair alternative to access the content?

Imagine that a user opts out of trackers by clicking the 'decline' button. In this case, the CNIL advises site publishers to provide a genuine and fair alternative for accessing the site without requiring data consent.

If the site publisher cannot offer this, they must demonstrate to the CNIL that another publisher provides non-conditional access to the same type of content. Websites that require cookie consent for access must ensure there's no power imbalance with the user that could limit a genuine choice. They should make the alternatives easy to access.

Potential imbalances could occur when:

  • The publisher is the sole provider of a specific content or service, such as administrative services. These shouldn't require tracker consent for access. In this case, user choice is limited as the service is only available on the administration's site.
  • Users have few or no service alternatives and, therefore, have no real choice about cookie use. This is the case with dominant or essential service providers.

However, a media outlet that publishes the same type of content as many other media companies can easily prove that there are alternative sources of such information.

Moreover, offering payment as an alternative to tracker consent, so that site access is conditioned on either tracker acceptance or payment, is generally considered permissible. However, the cost should be reasonable and should not deprive users of real choice.

What is a reasonable rate?

CNIL doesn't specify what constitutes a reasonable rate for payment as an alternative to tracking visitors. It is up to you to determine this, ensuring you don't violate the law.

They simply state that if a publisher wishes to set up a paywall, they must be able to justify its affordability. CNIL also recommends publishers share their pricing analysis for increased transparency with users. This is not an obligation, but merely a recommendation.

Can a “cookie wall” or a “pay wall” systematically impose acceptance of all the trackers on the website?

No, because this would imply that consent is not freely given, which renders it invalid. While it's not prohibited to condition site access on consent for one or more tracker purposes, the publisher must ensure their cookie wall includes only purposes tied to fair service compensation. For instance, if a publisher's revenue relies on income from targeted ads, only consent for this purpose should be necessary for site access. Non-consent to other purposes (like content personalization) should not impede access to the site content.

Moreover, publishers should clearly inform users about the purposes that require consent for service access. CNIL specifically emphasizes that targeted ads and content personalization are two distinct purposes when determining conditions for accessing the service. In services like YouTube, this would mean they can use data to inform the algorithm of user preferences, but not for serving ads.

In essence, your business model can justify the use of cookies in certain instances.

If the user chooses paid access without consenting to cookies, in what limited cases can tracers still be deposited?

As a general rule, no cookie should be used when the user refuses them and chooses the alternative proposed by the publisher. In such a case, only tracers necessary for the operation of the website may be used.

In some instances, the website operator can request consent from the user for access to content hosted on third-party websites. For example, when a YouTube video is embedded on the site or when using social media sharing buttons.

The user's consent could be collected, for instance, within a dedicated window displayed when the user wants to access the content:

  • The user must be informed that the activation of external content or the use of sharing buttons requires their consent for the deposit of online trackers.
  • They should be educated about the processing purposes of the online trackers.
  • The user should be made aware of the possibility to easily withdraw their consent at any time.
  • They must be informed about the consequences of refusing or withdrawing their consent, which may include the inability to access external content.

The user must always have the opportunity to set their own cookie preferences.

Summary: What is Allowed?

In summary, under the CNIL cookie wall guidelines:

  • You may give users the option between being tracked or paying to access your content.
  • You may set your own prices, but they must be reasonable.
  • You may not use cookies without consent while charging for access to your content.
