On 13 July, 11 European trade associations from the advertising and retail sectors, including Ecommerce Europe, sent a letter to EU policymakers and the European Data Protection Board (EDPB) regarding its guidelines on consent and the recent French Court decision on cookie walls. The letter urges the EDPB to respect the flexibility that the General Data Protection Regulation (GDPR) provides, specifically in the context of cookie walls. Moreover, the signatories demand that the EDPB avoids using its guidelines to set higher standards than the ones provided by the law and require it to emphasise the optional nature of its recommendations as opposed to the mandatory one of legal obligations to ensure that businesses do not feel pressured to comply with them.
French ‘cookie wall’ ruling
On 19 June, the French Council of State, ruled (in French) that requiring users to accept cookies to access a website is compatible with the General Data Protection Regulation (GDPR). This decision went against the French Data Protection Authority (CNIL) Guidelines (in French) published last year and against EDPB guidelines on consent. Some French advertising groups took the CNIL to court over their published guidance from July last year. Website operators must allow access to users even if they do not consent to cookies, which track users around the web. However, the French court ruling states that the CNIL cannot legally prohibit websites from putting up ‘cookie walls’.
Associations’ concerns regarding limiting GDPR
The signatories of the letter express concerns that the EDPB, and by extension Data Protection Authorities at national level, would recommend a more stringent norm than the one foreseen by the legislator with regards to cookie walls. As a consequence, the industry would feel pressured to implement this norm, or risk being in direct conflict with the position of its data protection regulator, potentially threatening its economic situation and reputation. Therefore, they call on the EDPB to ensure that the flexibility of the GDPR is reflected in its guidelines and to clearly differentiate between legal obligations that must be complied with and what is considered a recommendation. The signatories also note that the latest update to the EDPB guidelines on consent has been made without prior information or consultation of the various stakeholders. Therefore, they express concern that this process may create a precedent for future guidelines, including for those which are currently being developed and remind that discussions between regulators and stakeholders are essential to ensure informed and balanced interpretation of the GDPR.
Interplay with e-Privacy Regulation
The European Commission, Council of the EU and European Parliament are currently working on the new ePrivacy Regulation which includes rules on consent for cookies and other tracking technologies. No decision has been reached for the moment and the cosignatories of the letter want to ensure that policymakers are not restricted in their decision by guidelines on existing legislation, but instead remain free to take into consideration all policy options, and design a balanced future legal framework for ePrivacy.