Cookie Wall
What is a cookie wall?
Cookies are files that a website stores on your device when you visit it. Cookies provide information about how you use the website and, when combined with other information such as your IP address, they are considered personal data.
The rules for the use of cookies in the EU are established not only in the GDPR but also in the ePrivacy Directive, which will soon be replaced by the new ePrivacy Regulation.
A cookie wall is a type of a cookie banner that does not allow a visitor to use the website without agreeing to the placement of cookies.
Can one use a cookie wall?
The problem with using a cookie wall is that a visitor has no choice as to whether or not cookies are placed if they want to access the website.
At the same time, the ePrivacy Directive does not expressly prohibit the use of a cookie wall in order to obtain users’ consent. However, the requirements with respect to users’ consent are stipulated in the GDPR. The GDPR, in turn, requires the consent to be “freely given”.
The European Data Protection Board (EDPB) stated that cookie walls must be prohibited.
We recall that the EDPB is an EU body responsible for the harmonised application of personal data protection legislation throughout the EU, whose guidelines are used by EU supervisory authorities when applying the GDPR.
What do EU member states’ supervisory authorities think?
Positions of supervisory authorities differ depending on the country. Let us have a look at two similar cases which took place in Austria and England respectively.
1.The Austrian online editorial Der Standard set up a cookie wall on its website. The banner allowed the user to refuse using cookies only after purchasing a paid subscription. If the user did not want to purchase a subscription, they had to either accept the cookies or leave the website (“take it or leave it”). Here is a screenshot from the website:
The Austrian data protection supervisory authority stated that this approach does not violate the legal requirements since, by paying for a subscription, the user remains able to use the website without collecting cookies. An important point is the “acceptable” subscription price.
2. A similar situation occurred in England with the American Washington Post. English users could not access the content of the website without consenting to the collection of cookies. Here is a screenshot from the website:
The English data protection authority (ICO) claimed that the use of the cookie wall violated the GDPR requirements; the visitors had to agree to the terms and conditions of the website, which, in ICO’s opinion, made such consent not “freely given” and, therefore, not compliant with the GDPR.
How should website owners behave?
Despite the different positions of EU data protection supervisory authorities, the use of cookie walls is not recommended. The upcoming ePrivacy Regulation should establish a uniform practice for the use of cookies and cookie walls and, until then, it is not compliant to use cookies without the “freely given” consent of the user.
If you like this article and want to receive more useful materials, subscribe to our LawGeek Medium channel.
Should you have any questions regarding the GDPR, ePrivacy, and cookies, do not hesitate to contact us.
