News

💥 Cookies: the post office wins in the Council of State
Some cookies are exempt from consent!

Reminder: The La Poste / Digiposte case before the Council of State in March 2025

👉 What the court held
A user challenged the CNIL’s decision to close his complaint against Digiposte (La Poste) regarding: 1  data transfer to the United States and 2 cookies set despite his refusal. He sought annulment of that closure.

🚨 Useful timeline
30 Jan 2023: complaint filed.
24 Nov 2023: CNIL intervenes with La Poste about tools involving transfers to the U.S., then closes the case.
26 Jan 2024: CNIL reopens and checks again.
3 May 2024: case closed again; no further infringements found.
12 Mar 2025: the Council of state dismisses the appeal against the closure.

⚠️ Reasoning of the Council of state
CNIL has broad discretion to follow up (or not) on a complaint; the court will annul only in cases of illegality, error of law or fact, manifest error, or abuse of power.

·       The cookies at issue were strictly necessary technical cookies (statistics/performance without individual tracking): no consent required (Article 82 of the French Data Protection Act). No error by CNIL.

·       The “cookies” information provided to users was deemed sufficient. No manifest error of assessment.

·       CNIL was not required to extend its checks beyond the issues expressly raised by the complainant.

·       Processing time does not affect the legality of the decision.

➡️ Consequence
No infringement was upheld against La Poste; the Council of state simply confirmed that CNIL’s closure of the complaint was legally justified in this case.

💥 Practical takeaways
- Strictly necessary/technical cookies remain exempt from consent if clearly described and non-tracking.
- For extra-EU transfer grievances, CNIL may intervene and then close the case if it finds no other proven infringements. The court reviews, but does not investigate in CNIL’s stead.