CNIL publishes assessment criteria for website cookie walls:
- A cookie wall designates the fact of conditioning access to a service on the acceptance, by the Internet user, of the deposit of certain tracers on his terminal (computer, smartphone , etc.).
- If you refuse the cookies, some sites ask for consideration in the form of monetary consideration: a "paywall".
- Per the Conseil d'etat an outright ban on cookie walls is a violation of the freedom of consent and it needs to be asses on a case by case basis.
CNIL presents the criteria for assessment:
(1) You must demonstrate that there is a real and fair alternative to access the content
You must demonstrate that there alternative ways to get to the content without consenting to data collection - this is difficult if the publisher has exclusivity over the content or services or is a dominant or essential service provider.
(2) Requiring payment as an alternative is not prohibited per se but needs to be reasonable as determined on a case by case basis:
You must be able to justify the reasonable nature of the monetary consideration you are offering. CNIL recommends publishing the analysis (this is somewhat similar to the CCPA regs financial incentive reasonable consideration analysis).
(3) Consider non traditional forms of payments such as micropayment off of a virtual wallet.
These can be made on an ad hoc basis to a particular content or service in a fluid manner and without it being necessary for the Internet user to register his bank card data with the publisher
(4) If you require the creation of a user account you have to ensure that this is justified in relation to the intended purpose.
For example allowing a user who has chosen to take out a subscription (monthly or annually), to benefit from this subscription on other terminals
- inform Internet users of the use of their data;
- limit the collection to only the data necessary for the objectives pursued;
- if you wish to reuse the data collected during the creation of the account for other purposes, you must in particular ensure that you have previously and clearly informed the Internet user and obtain, if necessary, the consent of Internet users for these new purposes.
(5) A cookie wall can't systematically impose acceptance of all the trackers on the website
- - In general, the lack of possibility to accept or refuse trackers according to their objective, purpose by purpose can affect the user's freedom of choice and therefore the validity of his consent
- You must be able to demonstrate your cookie wall is limited to the purposes which allow fair remuneration for the service offered. IE: if you consider that the remuneration for your service depends on the income you could obtain from targeted advertising, only consent for this purpose should be necessary to access the service: the refusal to consent to other purposes ( personalization of editorial content, etc.) should not then prevent access to the content of the site.
- - You must clearly inform Internet users of the purposes for which it is necessary - or not - to consent to access the service.
(6) If the user chooses paid access - can you deposit any cookies anyway? (yes but very limited)
- In general - this should be limited to necessary cookies.
- You may however request, on a case-by-case basis, the Internet user's consent to the deposit of tracers when the latter are required to access content hosted on a third-party site (for example, to view a video hosted by a third-party site ) which requires the use of a cookie that is not strictly necessary, or a service requested by the user (for example, to provide access to sharing buttons on social networks).
- The user's consent could be collected, for example, within a dedicated window displayed when the Internet user wishes to activate the content and in which he must have clear information concerning:
- (1) the fact that the activation of external content, or the use of sharing buttons, requires consent to the deposit of tracers by specifying the purpose(s) of the tracers used as well as a link to the privacy policy, in French, from the external content provider;
- (2) the possibility of easily withdrawing consent at any time;
- (3) the consequences of the refusal or withdrawal of consent concerning the deposit of tracers, including the impossibility of accessing external content.
- In any case, the Internet user must always have the possibility of going himself to the settings of the site to consent to certain uses (for example, the personalization of editorial content).
Assist. Prof., Utrecht University ●Expert EDPB ●Expert Data Protection Unit of Council of Europe, ●INRIA International Chair. Researching #Online Tracking, #Dark Patterns. Co-founder @Deceptive.design/cases
2 年Thanks Odia for consolidating it! It is still delicate to capture what is "alternative", "reasonabe" and "exclusivity" and "reasonable nature of the monetary consideration" in practice. In our incoming study, we realised so far many different hybrid business models of paywalls exist, several MS continue to track even with a registered account *and* payments (in exchange to a free access and no tracking choice). A sweep is needed after this guidance (cc CNIL - Commission Nationale de l'Informatique et des Libertés)
Capital Management (up 37,12% full-year 2023, up 70,07% full-year 2024, up 4,06% as of 15 February 2025), Corporate Advisory & Digital Publishing
2 年A digital publisher must have domiciliary rights, so only he/she can set the conditions that apply for users to see the content she/he has produced. The choice of the user is to like it or not like it. And when you don't like the bread you don't visit the bakery.
CEO @ consentmanager.net | GDPR Compliance Solution / "Cookie Banner"
2 年contentpass Welect GmbH