- what is a cookie wall?
- EDPB guidelines: are cookie walls legal?
- how do cookie walls work?
- and what is an alternative, valid way of obtaining user consent?
What is a cookie wall?
A cookie wall is very much what it sounds like: it’s a wall around a website that users can only get through by accepting cookies and trackers on the domain, most of which will be processing their personal data.
A cookie wall is a “take it or leave it” scenario that a website sets up for users so that it can be sure to activate all cookies and trackers and get as much data as possible, even if it is against the user’s wishes.
Some websites may use a cookie wall for fear that granular consent will break their websites if users are left with the choice to consent to some cookies rather than others. Later in this blogpost, we will debunk this myth.
What does a cookie wall look like?
In practice, a cookie wall is a particular variation of the cookie banner that users are used to interacting with on the Internet today. Only, a cookie wall leaves no real option for the user to select or deselect certain categories of cookies, like marketing cookies that typically harbor myriads of private data trackers from ad tech companies. This means that the cookie banner, which is supposed to be an interactive solution enabling granular consent for the user, becomes instead a cookie wall – and the only way through is to click OK.
Cookie walls exist on a myriad of sites throughout the web, even on many news sites that people rely on for their daily information (and reporting on privacy issues, ironically).
Imagine that you’re trying to buy a newspaper, but you can only read it if you disclose everything in detail about your closest relationships and family to the stranger selling it, and dozens of other third parties.
Or imagine that you’re trying to enter a supermarket, but the only way you can go shop is by taking off your clothes, handing over your wallet and social security number before entering.
It sounds absurd, but it’s comparable to the situation that a cookie wall puts an end-user in, when it demands as payment for access that they relinquish control of their own private data and hand it over to ad tech companies who create eerily detailed profiles on individuals and sell these in real time bidding schemes on the behavioral futures markets.
EDPB guidelines on valid consent: are cookie walls legal?
No! Cookie walls are an illegal way of obtaining consent from individuals inside the EU.
On May 4, 2020, the European Data Protection Board (EDPB) released new guidelines that clarify the legality of cookie walls and what constitutes a valid consent.
The EDPB is an independent supervisory body made up of representatives from all national data protection authorities in the EU.
It’s the job of the EDPB to ensure a consistent application of the GDPR and ePrivacy directive inside the EU by adopting guidelines and directing national data protection authorities towards coherent enforcement.
The EDPB guidelines 05/2020 effectively rule out cookie walls as a valid means for websites to obtain consent from their users to process their personal data.
The EDPB states clearly in their guidelines that cookie walls are illegal.
Cookie walls work by making access to a service conditional on the consent of users for processing their personal data, and the EDPB states in its guidelines that this does not constitute valid consent.
“Access to services and functionalities must not be made conditional on the consent of a user to the storing, or gaining of access to information already stored, in the terminal equipment of a user” (EDPB guidelines 05/2020, page 11)
These EDPB guidelines rule out cookie walls, since – as we have explained – cookie walls operate by forcing consent from users to store cookies or access already stored cookies in exchange for access to services and functionalities.
And so, cookie walls are not compliant with the GDPR, since they do not meet the requirements for a consent to be freely given and on the basis of a genuine choice.
GDPR on consent
Valid consent according to the GDPR is formed by four aspects:
- Freely given
- Specific
- Informed
- Unambiguous indication of the user’s wishes
In other words, a valid consent must be a freely given, specific, informed and unambiguous indication that the user accepts your website’s use of cookies and trackers to process their personal data. A valid consent must be a clear and affirmative action on the part of the user.
The GDPR spells out clearly that consent must be freely given, and the EDPB’s guidelines from May 2020 clarify that user consent obtained through cookie walls is invalid, exactly because the consent wasn’t given freely in the first place, since it was a condition for visiting the website.
How does a cookie wall work?
Most websites in the world have first and third-party cookies embedded in their source code. They range from necessary cookies that are fundamental to the operation of a website to statistics cookies that often use anonymized data to give insight into how a website performs.
Then, there are marketing cookies that are placed by ad tech companies entirely for the purpose of collecting personal data in order to target users in behavioral advertising schemes (and for other ominous ends).
The many different types of cookies have many different purposes – some are straight-up privacy infringing, which is why the European data protection legislations – the General Data Protection Regulation and the ePrivacy Directive – are in place to control and regulate how these cookies and trackers are allowed to be used by companies, organizations and websites.
The GDPR mandates that data controllers obtain the prior consent of users before any processing of their data is allowed to take place. Consent is one of six legal bases for processing personal data in the EU and the most widely used for websites and companies across the world.
And so, the cookie consent banner was born as a way for data controllers to be GDPR and ePR compliant by acquiring user consents for data processing.
A cookie wall is a hybrid cookie banner that obtains something like a user consent but leaves out any choice for the user to granulate their consent to certain types of cookies rather than others. It works by blocking access unless a user clicks ‘o.k.’ to all cookies and trackers.
Cookiebot CMP on cookie walls
Cookiebot CMP offers granular consent as opposed to cookie walls. It builds trust between the visitors and the website – something that a cookie wall betrays.
What is granular consent?
Granular consent means that your users are able to filter their consent between different categories of cookies:
- Necessary cookies
- Preference cookies
- Statistics cookies
- Marketing cookies
When users land on your website, Cookiebot CMP presents them with an interactive cookie banner that allows them to consent to some cookies and not others. Only necessary cookies don’t need user consent to be activated.
Cookiebot CMP‘s unmatched scanner detects all cookies and trackers and automatically blocks them all, so your users’ personal data will not be processed until they have given their consent.
Our CMP scans your website on a monthly basis and generates a complete cookie declaration of total transparency between your website and its users.
Through the Cookiebot CMP granular consent solution, websites can offer real, freely given choice for their visitors through our highly customizable consent banners that gather user consent and manage the activation of the cookies on your website in GDPR compliance.
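As an added illustration of the granular consent model described above (not Cookiebot's code or API; all function and tracker names are hypothetical and the sample data is constructed), this JavaScript example defaults every non-necessary category to off, activates only what the user explicitly chose, and keeps site access independent of the consent state:

```javascript
// Added illustration; not Cookiebot's API. All names here are hypothetical.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// State before any user action: only necessary cookies are active.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Record an explicit choice. Only a literal `true` for a known category counts;
// necessary stays on and nothing is inferred (no scrolling, no pre-ticked boxes).
function recordChoice(choice = {}) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && choice[cat] === true) consent[cat] = true;
  }
  return consent;
}

// Split declared trackers into those that may run and those that stay blocked.
// Unknown or missing categories are blocked (fail closed).
function gateTrackers(trackers, consent) {
  const allowed = [];
  const blocked = [];
  for (const t of trackers) {
    const ok = CATEGORIES.includes(t.category) && consent[t.category] === true;
    (ok ? allowed : blocked).push(t.name);
  }
  return { allowed, blocked };
}

// Access never depends on the consent state; making it depend on consent
// is exactly what turns a banner into a cookie wall.
function canAccessSite(_consent) {
  return true;
}

// Constructed sample declaration (not from any real site scan).
const SAMPLE_TRACKERS = [
  { name: "session_id", category: "necessary" },
  { name: "lang_pref", category: "preferences" },
  { name: "page_stats", category: "statistics" },
  { name: "ad_profile", category: "marketing" },
  { name: "mystery_pixel", category: "unclassified" },
];
```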
Granular consent is the future
By allowing users to choose for themselves which cookies and trackers they will allow a website to set on their devices, a website not only operates in compliance with the GDPR’s requirement for a legal basis for processing personal data.
It also respects the privacy and autonomy of the individuals behind the screen, behind the term “user” or “data subject” – the real human beings, whose intimate, private lives can be severely infringed through data collection by third party trackers.
Respect for the dignity of privacy and sincere regard for the autonomy of other individuals is hard to legislate on, it is more than law, it is… culture.
Cookiebot CMP works hard every day to help websites become compliant with the world’s data protection laws, but we also work hard every day to create a culture of privacy and autonomy on the Internet.
Try Cookiebot CMP free for 14 days… or forever if you have a small website.
For a free and private future.
National DPAs on cookie walls
Before the EDPB adopted guidelines on cookie walls in May 2020, some national data protection authorities throughout the EU had already started ruling on whether cookie walls could be considered legal under the GDPR.
Here is an overview of the national DPAs and their decisions prior to the EDPB guidelines 05/2020.
The Dutch DPA on cookie walls
In spring 2019, the Dutch DPA AP ruled that cookie walls are in violation of the GDPR, exactly because visitors to a website need to give their consent freely, i.e. not coerced by a cookie wall that demands a price for access to the domain.
The Dutch DPA summarized their decision by saying that a cookie wall creates a “take it or leave it”-situation for users, where they either have to give their consent to all cookies and trackers on a website or leave it without having been able to access it.
This, according to the Dutch DPA, constitutes an invalid form of consent, since the users won’t have a free and real choice to accept or reject certain cookies over others. Websites are not allowed to deny access to users who decide not to consent to cookies and trackers.
The British DPA on cookie walls
The British data protection authority ICO also updated their guidelines for the use of cookies in GDPR compliance in the summer of 2019.
Applying the standard for consent of the GDPR to the national implementations of the ePrivacy Directive (in Britain the PECR), the British ICO decided that no cookie categories except necessary are allowed to have pre-ticked checkboxes.
The ICO also specified that using a cookie wall to restrict access to a site until users consent is not GDPR (and PECR) compliant.
“Using a blanket approach such as this is unlikely to represent valid consent. Statements such as ‘by continuing to use this website you are agreeing to cookies’ is not valid consent under the higher GDPR standard”.
The French DPA on cookie walls
The French data protection authority CNIL also updated their guidelines in the summer of 2019 and issued the same opposition to cookie walls as the British and Dutch DPAs.
However, France’s highest administrative authority (the Conseil d’État) ruled that CNIL had exceeded its authority when it decided that blocking access to a website for users who don’t give their full cookie consent was non-compliant by default.
In its decision, the Conseil d’État stated that CNIL cannot legally prohibit cookie walls. It did, however, confirm all other points of CNIL’s guidelines, which had been contested.
In the new guidelines from September 17, 2020, CNIL has rephrased its guidance on cookie walls and states instead that cookie walls are “likely to infringe, in certain cases, the freedom of consent”.
On March 18, 2021, CNIL also published an FAQ on its cookie guidelines (in French), including details on its guidance on the use of cookie walls.
On the topic, CNIL’s FAQ specifies that the implementation of cookie walls “must be assessed on a case-by-case basis”.
See CNIL’s new guidelines from September 17, 2020 (in French)
The Spanish DPA on cookie walls
In the summer of 2020, the Spanish data protection authority AEPD updated their guidelines on cookie walls.
In similar fashion to the British ICO and the Dutch AP, the Spanish AEPD ruled that cookie walls that do not offer an alternative to consent are not allowed.
In other words, cookie walls are deemed non-compliant by the Spanish AEPD unless an equivalent alternative to access without the user having to give their consent is provided.
AEPD highlights that cookie walls are particularly problematic in cases where users are denied access to a website when trying to exercise a legal right, e.g. to unsubscribe from a service.
Websites in Spain that do not offer a proper and equal alternative to access without consent are in non-compliance with the AEPD’s guidelines on cookie walls.
The AEPD guidelines also specify that continued scrolling on websites does not constitute valid consent, i.e. consent must be an explicit and unambiguous indication of the user’s choice.
The AEPD guidelines were released in July 2020 with a three-month grace period and took effect on October 31, 2020.
Read the AEPD guidelines on consent and cookie walls (in Spanish)
The Italian DPA on cookie walls
On November 26, 2020, the Italian data protection authority Garante Per La Protezione Dei Dati Personali released new guidelines on cookies and cookie walls (in Italian).
As with most other EU data protection authorities, cookie walls are also deemed illegal in Italy.
An exception is made if the website offers access to equivalent content or services, but this will be determined by the Italian DPA on a case-by-case basis.
Apart from clarifying that cookie walls are illegal, the guidelines from the Italian DPA also deem scrolling to be inadequate as consent, meaning that consent must be an active, affirmative, explicit action from the user to be valid.
The Italian cookie guidelines also specify different cookies and their properties, how to write a compliant cookie policy, and what constitutes a valid consent banner.
Read the cookie guidelines from the Italian Garante della Privacy here (in Italian)
FAQ
A cookie wall is a way for websites to deny users access if they don’t consent to all cookies and trackers on the domain. When a user lands on a website with a cookie wall, they will be presented with a banner that explains that the website has cookies and that the user must accept these before being granted access.
Websites have a lot of cookies that process personal data from their users. The EU’s GDPR requires websites to obtain user consent before they may activate these cookies, and a cookie wall works by forcing users to accept all cookies to be able to enter the website, or none and leave.
No, cookie walls are a non-compliant way for websites to obtain consent from their users. The European Data Protection Board (EDPB) adopted guidelines in May 2020 that effectively rule out cookie walls as a valid means for obtaining consent. Valid consent must be freely given, according to the GDPR, and cookie walls don’t give users a genuine free choice, the EDPB ruled in May 2020.
Granular consent is the compliant way to obtain valid consent from users. Granular consent means that users are able to filter their choice of consent between different categories of cookies, as well as having the option to reject all cookies and still get access to a website and its services. Granular consent means a free, clear, prior and affirmative choice of consent for website users as opposed to the forced choice of cookie walls.
Resources
Learn more about the GDPR and consent
European Data Protection Board
Dutch DPA on cookie walls (in Dutch)
CNIL’s guidance on the use of cookies in France
Dr. Johnny Ryan’s formal complaint against IAB Europe to the Irish Data Commission