What is a cookie wall?
Cookies are files that a website stores on your device when you visit it. Cookies provide information about how you use the website and, when combined with other information such as your IP address, they are considered personal data.
A cookie wall is a type of a cookie banner that does not allow a visitor to use the website without agreeing to the placement of cookies.
Can one use a cookie wall?
The problem with using a cookie wall is that a visitor has no choice as to whether or not cookies are placed if they want to access the website.
At the same time, the ePrivacy Directive does not expressly prohibit the use of a cookie wall in order to obtain users’ consent. However, the requirements with respect to users’ consent are stipulated in the GDPR. The GDPR, in turn, requires the consent to be “freely given”.
The European Data Protection Board (EDPB) stated that cookie walls must be prohibited.
We recall that the EDPB is an EU body responsible for the harmonised application of personal data protection legislation throughout the EU, whose guidelines are used by EU supervisory authorities when applying the GDPR.
What do EU member states’ supervisory authorities think?
Positions of supervisory authorities differ depending on the country. Let us have a look at two similar cases which took place in Austria and England respectively.
1.The Austrian online editorial Der Standard set up a cookie wall on its website. The banner allowed the user to refuse using cookies only after purchasing a paid subscription. If the user did not want to purchase a subscription, they had to either accept the cookies or leave the website (“take it or leave it”). Here is a screenshot from the website:
The Austrian data protection supervisory authority stated that this approach does not violate the legal requirements since, by paying for a subscription, the user remains able to use the website without collecting cookies. An important point is the “acceptable” subscription price.
2. A similar situation occurred in England with the American Washington Post. English users could not access the content of the website without consenting to the collection of cookies. Here is a screenshot from the website:
The English data protection authority (ICO) claimed that the use of the cookie wall violated the GDPR requirements; the visitors had to agree to the terms and conditions of the website, which, in ICO’s opinion, made such consent not “freely given” and, therefore, not compliant with the GDPR.
How should website owners behave?