The users have only one option to use the website: consent to all the cookies. This “take it or leave it” approach is not well received by internet users as they feel compelled to share their information to browse the website.
There are some conflicting opinions about its legality. This article will look into how the cookie wall stands against the judgments of several data protection regulations and authorities.
Cookie Wall vs. the Law
Consent is one of the essential lawful bases for processing under GDPR. The Regulation lays out several requirements for consent to be valid.
Article 4 of the GDPR defines consent as
"‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"
Read more about consent under GDPR here.
Consent gives the users real choice and control over the processing of their data. It is a safe practice to follow to protect the rights of people. The very concept of cookie wall, however, contradicts the definition of consent under GDPR.
Some could argue that the ePrivacy Directive (ePD) allows the use of cookie walls in Recital 25. The Directive says that the website operators can enable access to specific website content on condition of affirmative consent from the users if it is for a ‘legitimate purpose.’ However, ‘specific’ does not mean restricting full access, and 'legitimate purpose' should not include services like analytics or advertising.
The new draft of ePrivacy Regulation (ePR) - soon to repeal ePD - also cites legitimate interest as a justification. However, ePR also believes that in some cases, it may be considered “depriving" the users of a real choice where the users have “few or no other options but to use the service”. Similarly, per Recital 18, consent for processing data from the internet will be invalid if the users have no real and free choice or cannot deny or revoke it.
The European Data Protection Board (EDPB) mandated that access to services should not be made conditional on the user consent to process their data. It violates the GDPR consent requirement to be 'freely given.’ They stated that cookie walls should be prohibited under ePR.
Every statement, thus, points to the fact that using a cookie wall may not be reliable.
Cookie Walls: Legal or Not?
Much of the recent discussion on cookie walls came around after the EU data protection authorities questioned its validity.
The Dutch Data Protection Authority (DPA) declared that cookie walls violate GDPR. DPA received many complaints from users about websites preventing access unless they agree to be tracked by cookies. They said it is unlawful to put the users under pressure to give up their personal information to access the website.
ICO, in their myth-busting blog post, said that consent obtained through cookie walls is not likely to be considered valid. They also added that "Statements such as ‘by continuing to use this website you are agreeing to cookies’ is not valid consent under the higher GDPR standard.” However, they did include that the matter is still under consideration.
France's CNIL published in its guidelines on cookies and other tracking devices that the users should be allowed access to the service even if they deny consent, and it should be easy to withdraw consent at any time.
So, the simple answer to the above question is: no, cookie walls are not legal.
Whether the updating laws will completely ban cookie walls, that is something to wait and watch. But the website operators should not risk it by using them on their site. The cookie wall may collapse. Stay safe!
Disclaimer: This article is not meant to be legal advice. The sole purpose of this article is to share information with the readers. For any legal counsel, please contact a lawyer specialized in the area.