GDPR: No Cookie Consent Walls

The EU's attempts to regulate online advertising by restricting the use of cookies have not been universally considered a success.

Businesses have devised various methods to encourage, or force, their users to consent to cookies. Among the most controversial of these methods is the "cookie wall."

There has been a lively debate about whether cookie walls represent a legally-compliant cookie consent solution. But recently, the European Data Protection Board (EDPB) made its views clear: cookie walls are unlawful in the EU.

In this article, we'll be explaining what cookie walls are, why they are a problem for the EDPB, and which consent solutions represent a legally-compliant alternative.


A cookie wall is a pop-up that denies a user access to a website unless the user "consents" to advertising cookies.

In other words, the user may only enter the website if they agree to have their personal information collected and shared among various online marketing companies.

Here's an example of a cookie wall from Tweakers (translated from Dutch):

Tweakers cookie wall

Note that there is no option to reject cookies. The only option is "Yes, I accept cookies." Therefore, the only choices are: agree to cookies, or leave the website.

There has been a debate about whether cookie walls are an acceptable means of obtaining consent. However, a recent statement from the European Data Protection Board (EDPB) has clarified this matter.

The EDPB consists of representatives from across the EU's Data Protection Authorities. The EDPB's statement doesn't change the law. But it offers an authoritative interpretation of the law and will be considered "the last word" on the subject by many.

European Data Protection Board Update

In May 2020, the EDPB issued new guidelines on consent containing the following statement:

EDPB Guidelines on Consent Under the GDPR: Consent in cookie walls section

It states that "access to services and functionalities must not be made conditional on the consent of a user... (so-called cookie walls)."

The EDPB also provides an example:

EDPB Guidelines on Consent Under the GDPR: Consent in cookie walls section - Example

This example is consistent with the cookie wall above, from Tweakers, which doesn't allow access to the website content unless the user agrees to cookies.

The EDPB's guidelines also contain a statement regarding scrolling.

To learn more about this, read our article GDPR: Why Scrolling is Not Consent.

Summary of EU Cookie Rules

It's worth briefly outlining the two laws that set the standards for cookie consent in the EU (and the UK): the ePrivacy Directive and the General Data Protection Regulation (GDPR).

The ePrivacy Directive is an older EU privacy law that is applied slightly differently across EU countries.

For example, in the UK (no longer an EU country, but still subject to EU privacy law during the Brexit transition period), the ePrivacy Directive has been implemented as the Privacy and Electronic Communications Regulations (PECR).

The ePrivacy Directive sets standards for electronic marketing and interference with users' "terminal equipment" (computers and devices). Because cookies involve transferring data to and from a user's device, the ePrivacy Directive treats this as a potential invasion of privacy.

Here's what the ePrivacy Directive has to say about cookies:

EUR-Lex ePrivacy Directive: Recital 25 - Cookies and legitimate purpose highlighted

The first underlined passage clearly states that users should be allowed to refuse cookies.

However, note the second underlined passage, which states that access to specific website content may be made conditional on the well-informed acceptance of a cookie. This sounds a lot like a cookie wall. However, the ePrivacy Directive borrows its definition of "consent" from the GDPR, and that definition rules cookie walls out, as we'll see below.

There are exceptions to the ePrivacy Directive's consent rules. Not all cookies require consent.

Article 5(3) of the ePrivacy Directive identifies two types of cookies that don't require consent:

EUR-Lex ePrivacy Directive: Article 5(3) - Electronic communications and the purpose of processing

The above passage identifies two types of cookies:

  A. Cookies used "for the sole purpose of carrying out the transmission of a communication over an electronic communications network"
  B. Cookies "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service"

In its Opinion 04/2012, the Article 29 Working Party (the EU body that preceded the EDPB) determined that type "A" cookies may carry out the following tasks:

  • Routing information over the network, e.g. by identifying communication endpoints
  • Exchanging data in its intended order, e.g. by numbering data packets
  • Detecting transmission errors or data loss

The Working Party only provides one example of a cookie that would meet these criteria: "load-balancing cookies" that persist only for the duration of a session.

The Working Party considers the following types of cookies to be acceptable type "B" cookies:

  • ID cookies that remember form inputs and shopping cart contents
  • Authentication cookies
  • Certain limited-duration security cookies
  • Media player session cookies
  • UI customization cookies
  • Social media plug-in cookies for sharing of content by logged-in users (not for tracking)

There is no need to obtain consent for these cookies, and there is no need to set up a cookie wall or even allow users to reject them. (Any personal data they contain still needs a lawful basis under the GDPR, such as performance of a contract or the business's "legitimate interests," but that basis does not have to be consent.)

Any cookies other than those identified above (which we've called type "A" and type "B" cookies) require consent.

Generally speaking, these fall into two categories:

  • Advertising: These cookies can be used to track users after they leave a website and create "profiles" based on their online activities.
  • Analytics: These cookies are used to monitor how a website is used by visitors.

The Working Party specifically states that advertising-related cookies used for "frequency capping, financial logging, ad affiliation, click fraud detection, research and market analysis, product improvement and debugging" require consent.

Both third-party and first-party analytics cookies require consent. Although the privacy risk presented by first-party analytics cookies is relatively low, they are not used primarily for the benefit of the user and can (in theory) be used to identify individuals.

GDPR: Defines Consent

While the ePrivacy Directive requires that you obtain consent for most cookies, the GDPR defines consent itself.

When the GDPR came into force, many websites changed their approach to cookie consent. This is because the definition of "consent" became stricter, and the territorial scope of EU privacy law was clarified to include non-EU businesses targeting EU consumers.

Here is the definition of "consent," as it appears at Article 4 of the GDPR:

EUR-Lex GDPR: Article 4 - Definition of consent

This definition consists of five elements. Consent is:

  1. Freely given
  2. Specific
  3. Informed
  4. Unambiguous
  5. Given via a clear, affirmative action

A sixth condition also appears at Article 7 of the GDPR. Consent must also be:

  6. Easy to withdraw

Also relevant (if somewhat unclear) is this passage from Article 7 (4):

EUR-Lex GDPR: Article 7 Section 4 - Assessing whether consent is freely given

This implies that the provision of a service should not be made conditional on consent to the processing of personal data that is not necessary for that service. Cookie identifiers are treated as personal data under the GDPR (see Recital 30) where they can be used to single out an individual.

Based on the GDPR's definition of consent we can see why cookie walls are impermissible under the GDPR. A request for consent cannot be "freely given" if the user has no choice but to consent in order to gain access to a service.

ePrivacy Regulation: The Next Chapter

The ePrivacy Regulation is the next chapter in the EU's privacy legislation. It remains in draft form and is unlikely to see enactment until at least 2021.

The ePrivacy Regulation is likely to have further implications for the use of cookie walls.

The EDPB recommended in 2019 that the ePrivacy Regulation should prohibit the use of cookie walls, but this advice is not binding on EU countries, which must ultimately pass the law.

The rules on cookie walls have been amended several times throughout drafts of the ePrivacy Regulation.

  • In a May 2018 draft of the regulations, it was proposed that websites could make access to "specific website content" conditional on consent.
  • In February 2019, this proposal was amended to allow so-called "cookie paywalls," which offer payment as an alternative to consent. We'll look at this type of consent solution below.

As it stands, the relevant laws remain the ePrivacy Directive and the GDPR, and the EDPB's interpretation of these laws remains authoritative.

Alternatives to Cookie Walls

Since the EDPB's announcement, several notorious cookie walls have come down, to be replaced by more GDPR-compliant alternatives.

It's actually not all that easy to find examples of perfectly GDPR-compliant cookie consent solutions on the web. But we've compiled a few examples of cookie consent solutions that implement some aspects of the law correctly.

Perhaps the most common type of consent solution is the "cookie banner." This sits at the bottom, top, or side of a webpage and allows the user to browse the website regardless of whether or not they consent.

Here's an example from BBC:

BBC Cookie Consent banner: Full screenshot

This cookie banner is unobtrusive and offers two clear options. Arguably, it would be better to have an option for "Reject all," rather than "No, take me to settings."

Note that cookie banners must offer a genuine choice, and cookies must not be enabled until/unless the user consents.

Here's an example, from Spotify, of a cookie banner with no obvious means to refuse consent:

Spotify Cookie Consent banner with browsewrap highlighted

This is not a proper cookie consent solution as it does not request consent. It simply informs the user that cookies have already been set. This would appear to be incompatible with EU privacy law.

Pop-Ups

An alternative to cookie banners is the "cookie pop-up."

A cookie pop-up dominates a screen when the user visits a website, in much the same way as a cookie wall. However, unlike with a cookie wall, the user must either confirm or reject consent before proceeding. They are not forced to consent.

Here's an example from TechRadar:

TechRadar Cookie Consent pop-up with More Options highlighted

The user is presented with a choice between "More Options" and "I Accept."

Arguably, the pop-up is biased towards "I accept" as it is easier to choose this option and dismiss the banner. However, because TechRadar uses cookies for a variety of purposes, it may be reasonable to allow users to accept or reject each of these.

The Article 29 Working Party says:

"If a website uses several cookies or cookies that cover several purposes, this does not mean that it must present a separate 'banner' or consent request for each cookie or purpose. A single point of information and consent, presented in a clear and comprehensive manner is sufficient in most cases."

On selecting "More options," the user is taken to the following screen:

TechRadar Cookie Consent pop-up: More Options screen with toggles and reject or accept buttons

Each type of cookie used by TechRadar can be turned "on" or "off." Alternatively, the user can select "Reject all" or "Accept all."
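The TechRadar screen above, and the earlier note that cookies must not be set until the user consents, describe a simple gate: nothing non-essential is written before an explicit choice, every purpose other than the strictly necessary ones defaults to "off," "Reject all" is as easy as "Accept all," and withdrawing consent removes what was already set. The following JavaScript is an added example of that gate; it is not code from the article, from TechRadar, or from any consent-management vendor. The purpose names, cookie names, the `consent_prefs` record and its version number are assumptions made for illustration, and the in-memory cookie jar stands in for `document.cookie` so the example runs outside a browser.

```javascript
// Added example: a minimal consent gate enforcing the rules discussed above.
// Hypothetical cookie and purpose names; not a vendor's consent manager.

const CONSENT_COOKIE = 'consent_prefs';   // assumed name of the record cookie
const CONSENT_VERSION = 2;                // bump when purposes or vendors change:
                                          // an older record no longer counts as consent

// Purpose registry. Only "necessary" is exempt from consent (ePrivacy Directive
// Article 5(3)); every other purpose is off until the user explicitly turns it on.
const PURPOSES = {
  necessary:   { exempt: true,  cookies: ['session_id', 'csrf_token'] },
  analytics:   { exempt: false, cookies: ['_ga', '_gid'] },
  advertising: { exempt: false, cookies: ['_fbp', 'ad_profile'] },
};

// In-memory cookie jar so the example runs in Node. In a browser, implement the
// same three methods over document.cookie (add Secure; SameSite=Lax; Path=/ on writes).
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  set(name, value) { this.store.set(name, String(value)); }
  remove(name) { this.store.delete(name); }
}

// Map a cookie name back to the purpose it was registered under (null if unregistered).
function purposeOf(cookieName) {
  for (const [purpose, spec] of Object.entries(PURPOSES)) {
    if (spec.cookies.includes(cookieName)) return purpose;
  }
  return null;
}

class ConsentGate {
  constructor(jar) { this.jar = jar; }

  // Parse the stored record. Missing, malformed or out-of-date means "no consent",
  // never "assume consent".
  record() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (raw === null) return null;
    try {
      const rec = JSON.parse(raw);
      if (rec.version !== CONSENT_VERSION || typeof rec.choices !== 'object' || rec.choices === null) return null;
      return rec;
    } catch (e) {
      return null;
    }
  }

  // Exempt purposes never need consent; non-exempt ones need an explicit true.
  hasConsent(purpose) {
    const spec = PURPOSES[purpose];
    if (!spec) throw new Error(`unknown purpose: ${purpose}`);
    if (spec.exempt) return true;
    const rec = this.record();
    return rec !== null && rec.choices[purpose] === true;
  }

  // Persist the user's choices (per-purpose toggles, "Accept all" or "Reject all"),
  // then delete any cookie the user has not consented to. Unlisted purposes are false.
  save(choices) {
    const normalized = {};
    for (const [purpose, spec] of Object.entries(PURPOSES)) {
      if (spec.exempt) continue;
      normalized[purpose] = choices[purpose] === true;
    }
    this.jar.set(CONSENT_COOKIE, JSON.stringify({ version: CONSENT_VERSION, at: Date.now(), choices: normalized }));
    this.purge();
    return normalized;
  }

  acceptAll() { return this.save(Object.fromEntries(Object.keys(PURPOSES).map(p => [p, true]))); }
  rejectAll() { return this.save({}); }
  withdraw()  { return this.rejectAll(); }  // one action, same entry point as accepting

  // The only path tags should use to write a cookie: refuses writes without consent.
  setCookie(name, value) {
    const purpose = purposeOf(name);
    if (purpose === null) throw new Error(`unregistered cookie: ${name}`);
    if (!this.hasConsent(purpose)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Remove every registered non-exempt cookie for purposes without current consent.
  purge() {
    for (const [purpose, spec] of Object.entries(PURPOSES)) {
      if (this.hasConsent(purpose)) continue;
      for (const name of spec.cookies) this.jar.remove(name);
    }
  }
}
```

Two design points matter here. First, `setCookie` throws on a cookie nobody registered, so a new tag cannot quietly bypass the gate by using an unknown name; registration forces someone to decide which purpose it belongs to. Second, the version field means that when purposes change (a new ad vendor, say) the old record stops counting and the banner must be shown again, rather than silently extending earlier consent to a purpose the user never saw.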

Cookie Paywalls

So-called "cookie paywalls" offer the user an opportunity to refuse cookies, but only if they pay a fee.

Let's take a look at a cookie paywall featured on the website of The Washington Post:

The Washington Post Cookie Paywall with Free and Premium options highlighted

EU users visiting The Washington Post website are presented with the above screen. They cannot proceed to the main website without selecting one of these options.

As you can see above, a condition of browsing the website as a "free" user is that you "consent" to the use of tracking cookies. The alternative is to pay a "Premium EU Ad-Free" subscription fee.

Some interpretations of the ePrivacy Directive and the GDPR hold that offering a paid subscription as an alternative to using tracking cookies is acceptable. As noted above, cookie paywalls may or may not be permitted once the ePrivacy Regulation is enacted.

For now, cookie paywalls remain highly contentious, and some Data Protection Authorities, including the UK's Information Commissioner's Office (ICO), have indicated that making access conditional on consent is unlikely to be compliant:

ICO: How do we comply with the cookie rules - Cookie walls and consent - GDPR Recital 43 section

This view is supported by Recital 42 of the GDPR, which states:

"Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."

The EDPB's recent statement also suggests that cookie paywalls are not GDPR-compliant:

EDPB Guidelines on Consent Under the GDPR: Free and Freely given consent section

Therefore, on balance, it would appear that cookie paywalls are not currently an appropriate alternative to cookie walls.

To be clear, there is no EU law against putting a website behind a regular paywall. Charging money for services is permissible. The difficulty arises where businesses treat personal information as a commodity. This appears to be incompatible with the spirit of the GDPR.

Summary

Cookie walls have always been a controversial means of obtaining consent, and the EDPB's recent statement should settle the debate (at least until the ePrivacy Regulation finally arrives).

To ensure your cookie consent solution is GDPR-compliant, it must present the user with a genuinely free choice. This means using a cookie banner or pop-up, and avoiding presenting consent as an alternative to payment.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.