On June 19, 2020, the Conseil d’Etat, the highest administrative court in France, annulled in part the cookie guidelines issued by the CNIL (the French data protection authority). The court ruled that the CNIL did not have the power to prohibit “cookie walls” (i.e., the practice of blocking access to a site or app for users who do not consent to the use of cookies) in the guidelines.
Specifically, while the GDPR allows supervisory authorities to create “flexible law” (such as guidelines), the CNIL had exceeded its authority in imposing a prohibition on cookie walls which was described by the court as overly general. Notably, the court did not rule on the substance of the cookie wall question, only that the CNIL exceeded its authority in imposing the blanket prohibition. As to other issues, the court upheld the provisions in the Guidelines in relation to giving users specific information before obtaining consent for different types of processing. The court also upheld terms in the Guidelines about the ease of withdrawing consent to cookies. This decision highlights the fragmented approach to cookies in Europe – while the GDPR has harmonized data protection law across Europe, the e-Privacy Directive, which regulates cookies and other trackers, is still implemented into national law which has resulted in a patchwork of laws and guidelines that apply to the use of cookies in Europe.