Cookies Without Consent: a Web Development Contract Terminated for Regulatory Non-Compliance

Key Takeaway

The Bordeaux Court of Appeal terminated a website development contract due to non-compliance with data protection regulations and contractual breaches by the supplier.


In a ruling dated May 13, 2025, the Bordeaux Court of Appeal ordered the judicial termination of a website supply contract, based on Articles 1217 and 1224 of the French Civil Code, due to the supplier’s failure to deliver a compliant product: the delivered website did not comply with cookie regulations and the requirement to collect user consent.


1. Origin of the Dispute and Procedural History

On October 3, 2019, Mr. [J.], an automotive repair professional, entered into a licensing agreement with Incomm for the provision of a customized website and an online SEO service, in consideration for a subscription fee, followed by 48 monthly payments. A delivery and compliance acceptance certificate was signed on November 19, 2019. The contract was later assigned to Locam, which took over the financing part of the agreement.

Facing financial difficulties, Mr. [J.] requested early termination of the contract, which was refused by Locam. He then attempted to exercise his right of withdrawal based on the Consumer Code, and failing that, sought termination of the contract for non-performance by the supplier.

On September 17, 2021, Locam invoked the contract’s termination clause and requested payment of the outstanding monthly installments, increased by a penalty clause.

Mr. [J.] then brought legal action against Incomm and Locam before the Bordeaux Commercial Court. In a judgment dated April 18, 2023, the Commercial Court upheld the validity of the contract and its assignment to Locam.

Mr. [J.] appealed the decision.


2. Termination of the web development Contract for Failure to Deliver a Compliant website

Citing in particular the non-compliance of the delivered website, Mr. [J.] sought termination of the contract for non-performance, based on Art. 1217 and 1224 of the French Civil Code.

The Court found that Incomm had breached several of its obligations, notably the website’s non-compliance with cookie regulations (ePrivacy Directive) and the requirement to obtain user consent (Art. 7 of the GDPR), as well as the lack of evidence regarding the provision of the SEO service. (1)

Article 82 of the French Data Protection Act (Loi Informatique et Libertés), which transposes Article 5(3) of the 2002 ePrivacy Directive, provides that subscribers to an electronic communications service must be informed by the data controller (including website publishers) and must give prior consent before cookies (or trackers) are stored or read on their devices. This obligation specifically applies to cookies used for personalized advertising and those set by social networks through sharing buttons.

Not all cookies are subject to the consent requirement, such as cookies that save the user’s cookie preferences, authentication cookies, or cookies used to retain the contents of a shopping cart on a merchant website. (2)

In this case, Mr. [J.] discovered, through a bailiff’s report, that when users accessed his website, cookies (specifically Google Analytics cookies and reCaptcha cookies) were being placed on their devices. Contrary to Incomm’s assertions, these were not technical cookies. As such, the supplier was required to configure the website—such as by implementing a cookie banner and consent collection mechanism—to bring it into compliance with data protection regulations, particularly regarding user consent collection and the lawfulness of processing (Articles 5, 6, and 7 of the GDPR).

The supplier argued, on the one hand, that it was only bound by a best-efforts obligation (obligation de moyens), and on the other hand, that the client’s signature of the delivery and compliance acceptance certificate released it from liability.

However, according to the Court, Incomm failed to fulfil its obligation to deliver a website configured in compliance with personal data protection regulations. The client’s signature of the acceptance certificate was insufficient to release the provider from liability, given the hidden nature of the non-compliances.

Moreover, providing the delivery certificate did not prove that Incomm had actually fulfilled its SEO service obligation, since this service was to be performed after the acceptance testing phase.

Therefore, the Court held that Incomm had breached its obligation to deliver a compliant product.

The Court also rejected the application of the Consumer Code, including the right of withdrawal, as well as the claim for annulment of the contract, finding no defect affecting its formation.

Consequently, the Court ordered the termination of the contract, and sentenced Incomm to refund the subscription fee and Locam to reimburse the monthly payments received, as the financial lease agreement was void following the termination of the main agreement.


     Website and software development are not limited to technical and graphic aspects. Service providers are also required to ensure that the delivered solution complies with applicable regulations, particularly regarding personal data protection and copyright law. This principle was reaffirmed by the Bordeaux Court of Appeal in this decision, which sanctioned regulatory non-compliance by ordering the termination of the contract.


If you develop websites or software, our firm is available to assist you with contract drafting and contract management.

(1) CA Bordeaux, 4é ch. com., 13 mai 2025, M. [J.] c. SAS Incomm et SAS Locam, n°23/02044

(2) Applicable rules regarding cookies were restated by the CNIL in its communication of September 29, 2020: “Cookies and trackers: What does the law say?” (in French)


Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

June 2025