The CNIL of France has published a cookie assessment criteria guide to aid businesses in determining the validity of cookies and other tracers.
The CNIL has published guidelines on the use of cookies and other tracers, which initially prohibited cookie walls as they were seen as a violation of the principle of free consent. A cookie wall requires users to consent to cookies, in order to gain access to a site or service. The CNIL concluded that the validity or legality of cookie walls was better determined on a case by case basis, rather than prohibiting cookie walls altogether. The authority deemed it necessary to publish a guide containing preliminary criteria, to assess the legality of the use of cookie walls, in the absence of a position from the CJEU.
While not prohibited in France, a careful assessment is required prior to the implementation of cookie walls.
Cookie walls require an internet user to accept cookies or other tracking devices in order to access the content of a website. In most cases, there is an alternative, paid option, in the form of a subscription, to compensate for any loss of advertising revenue from targeted ads made possible by the collection of cookies. The validity and legality of cookies is intended to be assessed on a case by case basis based on what alternatives are offered to users if they choose to decline cookies, and how reasonable these alternatives are. This will require a careful assessment of the alternative options, as suggested by the CNIL.
CNIL outlined several key factors which are considered in determining the validity of cookie consent and cookie walls.
While the validity of a cookie wall is to be determined on a case by case basis, there are a few key determining factors which the CNIL highlighted. For one, it matters whether or not the Internet user who refuses cookies still has a fair alternative to access the content. In some cases, paid access can be granted, replacing the cookie wall with a paywall. In cases where there is a paywall to access content, CNIL will consider whether the price is deemed reasonable. This, in most cases, will be determined by the amount of ad revenue which would be lost as a result of the user refusing cookies. Another important point to consider is whether the cookie wall can cover “all” cookies indiscriminately, or just certain types of cookies.
CNIL recommends that the publisher offers a real and fair alternative allowing users access to the site, in the event that they refuse cookies, which does not does not include having to consent to the use of their data. In cases where the user chooses paid access without consenting to cookies, there may be limited cases where cookies can still be deposited. The CNIL stressed that users should be able to accept and refuse cookies based on their purpose, and should be able to access the site setting and revoke consent at any time.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
