Cookie Wall

A cookie wall is a pop-up notice on a website that does not allow the users any access to the website unless they accept the use of cookies. They are also known as ‘tracking walls,’ since they use tracking cookies. These cookies track user activities on the web page and use the information for services such as functional, analytics, and advertising.

IAB Europe Cookie Wall [Source]

The users have only one option to use the website: consent to use all the cookies. This “take it or leave it” approach is not well received by internet users as they feel compelled to share their information to browse the website.

There are some conflicting opinions about its legality. This article will look into how the cookie wall stands against the judgments of several data protection regulations and authorities.  

Consent is one of the essential lawful bases for processing under the GDPR. The Regulation lays out several requirements for consent to be valid. 

Article 4 of the GDPR defines consent as

“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her“

Read more about consent under GDPR here.

Consent gives the users real choice and control over the processing of their data. It is a safe practice to follow to protect the rights of people. The very concept of cookie wall, however, contradicts the definition of consent under GDPR.

Some could argue that the ePrivacy Directive (ePD) allows the use of cookie walls in Recital 25. The Directive says that the website operators can enable access to specific website content on condition of affirmative consent from the users if it is for a ‘legitimate purpose.’ However, ‘specific’ does not mean restricting full access, and ‘legitimate purpose’ should not include services like analytics or advertising.

The new draft of ePrivacy Regulation (ePR) – soon to repeal ePD – also cites legitimate interest as a justification. However, ePR also believes that in some cases, it may be “depriving” the users of a real choice where the users have “few or no other options but to use the service”. Similarly, per Recital 18, consent for processing data from the internet will be invalid if the users have no real and free choice or cannot deny or revoke it.

The European Data Protection Board (EDPB) mandated that website owners should not make access to services conditional on the user consent to process their data. It violates the GDPR consent requirement to be ‘freely given.’ They stated that cookie walls should be prohibited under ePR.

Every statement, thus, points to the fact that using a cookie wall may not be reliable.

Much of the recent discussion on cookie walls came around after the EU data protection authorities questioned its validity. Let’s look at what some of the data protection regulators think about the use of cookie wall.

The Dutch Data Protection Authority (DPA) declared that cookie walls violate GDPR. DPA received many complaints from users about websites preventing access unless they give consent to use tracking cookies. They said it is unlawful to put the users under pressure to give up their personal information to access the website. 

France’s CNIL published in its guidelines on cookies and other tracking devices that websites should allow users access to the service even if they deny consent, and it should be easy to withdraw consent at any time.

So, the simple answer to the above question is: no, cookie walls are not legal.

Whether the updating laws will completely ban cookie walls, that is something to wait and watch. But the website operators should not risk it by using them on their site. The cookie wall may collapse. Stay safe!