A question is increasingly being raised by companies looking for a way around the constraints imposed by the cookie regulation and the notion of consent it borrows from the GDPR:
Can we impose a choice on the user during their visit to a website? “Are you agreeable to us depositing a cookie on your device? Answer or leave.”
In other words, is the user entitled not to respond to the perpetual question, “Do you accept our cookies?” Does having to choose between “I accept” and “I refuse” always satisfy the notion of free consent imposed by the GDPR?
Let’s be frank, the question is far from simple in reality and can only be settled by the succession of disputes that national and European courts may determine… We await the positioning of a lasting jurisprudence. This is indeed its role: to refine the legal analysis of existing texts.
Will the future ePrivacy regulation provide a more obvious answer? It will be easier to say once the final text is voted on.
But we can still doubt it, as the references to the notion of consent present in the GDPR are numerous, and they are taken up in the current draft of the ePrivacy regulation.
Let’s take a risk and analyze…
Article 4.11 of the GDPR defines consent as follows: “consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by an explicit affirmative action, signify agreement to the processing of personal data relating to them.
Let’s focus on the notion of freedom.
Is a choice free when a limited alternative is imposed? Are we not missing a whole series of possible responses? And notably the “yes but.” “Yes, but later,” “Yes, but not on everything,” “Yes, but not today.”
To analyze such a device, we must go back to the sources of law and pull out our first-year law school textbooks… How do we legally qualify the deposit of a cookie or, more precisely, the consent given to deposit a cookie?
Two options present themselves to us: legal fact or legal act.
It is established that the difference between these two concepts lies in the legal effects attached to them. In the case of a legal fact, the legal consequences are not produced by the will of the legal subject but by the legal rule itself (regulation, law, international treaty…). The dismissal of an employee opens up rights for them: this is a legal fact. This legal fact can be voluntary or involuntary, but the legal subject did not necessarily seek to produce the legal effects attached to the fact by the legal rule.
The situation is quite different with the legal act: the legal effects induced by a legal action entirely stem from the legal subject’s will: I sign a contract. In this case, we find the notion of will (consent…).
What about this file deposit (the cookie)? We assume consent is required. If consent is needed, it is a “legal act.” Therefore, the cookie deposit in such a case would be a legal act.
If the cookie deposit is a legal act, my consent must also be analyzed in light of the approval of legal acts. This is what Article 1100-1 of the Civil Code tells us: “Legal acts are manifestations of will intended to produce legal effects. They may be conventional or unilateral. For their validity and effects, they shall, as far as possible, be governed by the rules governing contracts.”
We are, therefore, on the significant ground of the theory of the autonomy of will, which Rousseau was able to explain to us and which populates the very first hours of classes for first and second-year law students. The case law that has shaped this notion since 1804 does not admit any constraint, whatever it may be when it comes to…
For example, let us now return to the hypothesis of browsing on an e-commerce site.
Unrestricted browsing would consist of being able to consult the website without obstacles.
Therefore, we can question the prohibition of being able to consult the website without first having to formalize a choice between options imposed by the publisher of said website – and therefore be constrained.
It is indeed the publisher who chooses, alone, the options that are available to you. If these do not suit you, you must leave the website.
The combination of Recital 42 and Article 7.4 of the GDPR provides a framework for assessing the “quality” of the consent provided:
Recital 42: Consent should not be considered freely given if the data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment.
Article 7.4: “When assessing whether consent is freely given, utmost account shall be taken of whether, among other things, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
Article 7.4 refers to the notion of contract. As we have seen earlier, the deposit of a file on your device (the cookie) will likely be classified as a legal act. There would therefore be legal coherence between contractual consent and cookie consent mentioned in the GDPR.
After reading these texts, one should perhaps ask the following question to obtain a beginning answer on the conformity of choice imposed on the deposit of a cookie: is the deposit of the cookie necessary for the provision of the service (the free and unconstrained consultation of the website)?
If the answer is yes, the constraint of choice may appear legitimate. Otherwise, the rule of choice seems to be imposed in violation of Article 7.4 of the GDPR, especially since Recital 32 does not leave the economic actor without a response as the lack of response from the Internet user is equivalent to a refusal (Recital 32: “(…) there can be no consent in case of silence (…) or inactivity”).
Does invoking silence or inactivity not amount to legally validating them? The European legislator has certainly considered this scenario. It therefore answers the e-commerce site that would argue, “I want a choice!”: let the Internet user pass without constraint (the “real freedom of choice”) and you will get your answer. It will be negative, because the regulation authorizes you to formalize this deduction.
Being free in this legal analysis is to have the possibility to act without constraint. At all. However, imposing a choice, having to choose, is setting a limitation. In doing so, one could argue that we are preventing the Internet user from exercising one of the regulation’s choices: not to choose (no consent in case of silence).
But let’s take the argument further…
Do we allow ourselves to think that consent to the cookie is a legal act (an essential assumption, as you may have understood)? If this is the case, what about consent obtained out of despair, tiredness, or a desire to continue browsing? Does the law consider situations in which a person has consented for reasons they thought were good or, by mistake… under duress?
The answer is yes, and this gives rise, at least in French law, to an extensive literature on the theory of defects in consent. However, to consider using arguments from this theory, one must accept that consent is a legal act (a debate is also open, so let us be cautious).
Consider that consent to cookies is a legal act (an essential assumption, as you have understood). If that is the case, what does the theory of the defects of consent teach us? First of all, it has been enshrined in the Civil Code for a long time: Article 1130 states:
“Their determining character is assessed with regard to the persons and circumstances in which the consent was given.”
Let us put aside violence. We are left with error and fraud.
Fraud is the will to deceive. Article 1137 of the Civil Code deals with this: “Fraud is the act of a party to obtain the consent of the other party using maneuvers or lies.”
In case law, a distinction is usually made between “good fraud” (the skill of a seller in promoting his products, for example) and “bad fraud” (lying, deliberate deception).
In simplified terms, error corresponds to an erroneous view of reality for the person giving consent. To be validly retained, the error must relate to the essential and determining qualities of the legal act. The error, according to case law, must be “excusable.”
But when the average person consents to a cookie, do they even know what it is? They only know what they may have vaguely heard about it on the 1 pm news on TF1 between the report on the preservation of the hundred-year-old recipe for Garbure in the Pyrénées-Orientales and the information on shore fishing along the Opal Coast.
Let’s be serious: few people could explain in depth how a cookie works.
This opens the way to characterizing excusable errors and, therefore, to the defect of consent.
It should be remembered at this stage that Article 1100-1 of the Civil Code states in its second paragraph that legal acts “(…) comply (…) for their validity and effects, with the rules governing contracts.”
It is up to each individual to question these notions and the deliberate intention of some publishers to use them to capture valuable personal data. Can the concept of consent seek answers on the validity of its harvesting in contract law and its abundant case law? That is the direction of this analysis.
The question is fascinating, not only from a legal point of view. Let us be sufficiently lucid to state that it would support opposing arguments. The answers will likely come from case law. The matter of data protection needs to be shaped over time and mature to find the right balance between economic constraints, technical constraints, and the protection of personal data.
But other elements can also nourish this debate; it is vast!
And we cannot even conclude a legal argument on the analysis of the implementation of a practice that remains, above all other considerations, an IT practice without citing the fabulous first article of the founding law of 6 January 1978:
“We will detach ourselves for a moment from the mathematics of the law to ask ourselves in a more airy and philosophical way whether the practice of the cookie wall is or is not in the spirit of this text.”
The answer to this single question should lead to a clear position.
Since 1957 and the Treaty of Rome, Europe has been considering its future around the notion of community, which requires the coexistence of economic imperatives and respect for individual freedoms. These two concepts regularly clash. This is undoubtedly the case with personal data protection, and we cannot dismiss the urgent need for companies to continue exploiting such data to perpetuate their economic model.
Two fundamental principles constitute the “load-bearing walls” of the European Union: the free movement of people and the free movement of goods.
The GDPR has created a third axis, contrary to what many think: that of the free movement of personal data.
Yes, the GDPR is a liberal text, and the European legislator recalls this in the fourth recital: “The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and balanced against other fundamental rights, in accordance with the principle of proportionality.”
The goal? The seventh recital recalls it: “To create the confidence that will allow the digital economy to develop throughout the internal market.”
A careful reading of this text and a mastery of its concepts reveal a user manual, the postulate of acceptance of a change in software to use personal data for economic purposes: one can do almost anything as long as the citizen is not reduced to a mere spectator of the life of their data. They must, in all circumstances, play the leading role. Or, more precisely: they must be put in a position to be that actor. It is up to them to decide whether they want to be in an active or passive role.
However, the practice of the cookie wall needs to fit into this approach of compromise between the principle of free enterprise and the protection of fundamental rights of the human person.
The inventor of the web, Tim Berners-Lee, who refused to patent his creation, wrote in his 1999 book, “Weaving the Web”:
“The Web is more a social creation than a technical one. I designed it to help people work together for a social effect, not as a technical toy. The ultimate goal of the Web is to support and improve our weblike existence in the world. We clump into families, associations, and companies. We develop trust across the miles and distrust around the corner. What we believe, endorse, agree with, and depend on is representable and, increasingly, represented on the Web. We must ensure that the society we build with the Web is what we intend.”
The cookie will not fit into this logic. It disfigures the web and harms those who practice it.
Far from being a load-bearing wall, it is a simple fragile partition leading to the ugliest room in the house, which is usually hidden from guests when everything else has been refurbished.
Those among decision-makers who first bet on tearing down these fragile partitions to move decisively towards a logic of inclusion of the internet user in an openly claimed and assumed commercial collaboration (“We would like to have your data, and here’s why, what do you think?”) will undoubtedly lay the groundwork for this new digital economy, which is currently building its foundations on the load-bearing walls of personal data protection.