Last updated on 22 March 2021 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
Businesses have devised various methods to encourage, or force, their users to consent to cookies. Among the most controversial of these methods is the "cookie wall."
There has been a lively debate about whether cookie walls represent a legally-compliant cookie consent solution. But recently, the European Data Protection Board (EDPB) made its views clear: cookie walls are unlawful in the EU.
In this article, we'll be explaining what cookie walls are, why they are a problem for the EDPB, and which consent solutions represent a legally-compliant alternative.
A cookie wall is a pop-up that denies a user access to a website unless the user "consents" to advertising cookies.
In other words, the user may only enter the website if they agree to have their personal information collected and shared among various online marketing companies.
Here's an example of a cookie wall from Tweakers (translated from Dutch):
Note that there is no option to reject cookies. The only option is "Yes, I accept cookies." Therefore, the only choices are: agree to cookies, or leave the website.
There has been a debate about whether cookie walls are an acceptable means of obtaining consent. However, a recent statement from the European Data Protection Board (EDPB) has clarified this matter.
The EDPB consists of representatives from across the EU's Data Protection Authorities. The EDPB's statement doesn't change the law. But it offers an authoritative interpretation of the law and will be considered "the last word" on the subject by many.
In May 2020, the EDPB issued new guidelines on consent containing the following statement:
It states that "access to services and functionalities must not be made conditional on the consent of a user... (so-called cookie walls)."
The EDPB also provides an example:
This example is consistent with the cookie wall above, from Tweakers, which doesn't allow access to the website content unless the user agrees to cookies.
The EDPB's guidelines also contain a statement regarding scrolling.
To learn more about this, read our article GDPR: Why Scrolling is Not Consent.
The ePrivacy Directive is an older EU privacy law that is applied slightly differently across EU countries.
For example, in the UK (no longer an EU country, but currently subject to EU privacy law), the ePrivacy Directive has been implemented as the Privacy and Electronic Communications Regulations (PECR).
Here's what the ePrivacy Directive has to say about cookies:
However, note the second underlined passage, which states that access to website content may be made conditional on acceptance of cookies. This sounds a lot like a cookie wall. However, the GDPR overrides this, as we'll see below.
There are exceptions to the ePrivacy Directive's consent rules. Not all cookies require consent.
The ePrivacy Directive distinguishes two types of cookies that don't require consent:
The above passage identifies two types of cookies:
In its Opinion 04/2012, the Article 29 Working Party (the EU body that preceded the EDPB) determined that type "A" cookies may carry out the following tasks:
The Working Party only provides one example of a cookie that would meet these criteria: "load-balancing cookies" that persist only for the duration of a session.
The Working Party considers the following types of cookies to be acceptable type "B" cookies:
There is no need to obtain consent for these cookies (they can be processed on the basis of a business's "legitimate interests"), and there is no need to set up a cookie wall or even allow users to reject them.
Any cookies other than those identified above (which we've called type "A" and type "B" cookies) require consent.
Generally speaking, these fall into two categories:
The Working Party specifically states that analytics cookies used for "frequency capping, financial logging, ad affiliation, click fraud detection, research and market analysis, product improvement and debugging" require consent.
Both third-party and first-party analytics cookies require consent. Although the privacy risk presented by first-party analytics cookies is relatively low, they are not used primarily for the benefit of the user and can (in theory) be used to identify individuals.
While the ePrivacy Directive requires that you obtain consent for most cookies, the GDPR defines consent itself.
When the GDPR came into force, many websites changed their approach to cookie consent. This is because the definition of "consent" became stricter, and the territorial scope of EU privacy law was clarified to include non-EU businesses targeting EU consumers.
Here is the definition of "consent," as it appears at Article 4 of the GDPR:
This definition consists of five elements. Consent is:
A sixth condition also appears at Article 7 of the GDPR. Consent must also be:
Also relevant (if somewhat unclear) is this passage from Article 7 (4):
This implies that the provision of a service should not be made conditional on consent to the processing of personal data. Cookies are considered personal data under the GDPR.
Based on the GDPR's definition of consent we can see why cookie walls are impermissible under the GDPR. A request for consent cannot be "freely given" if the user has no choice but to consent in order to gain access to a service.
The ePrivacy Regulation is the next chapter in the EU's privacy legislation. It remains in draft form and is unlikely to see enactment until at least 2021.
The ePrivacy Regulation is likely to have further implications for the use of cookie walls.
The EDPB recommended in 2019 that the ePrivacy Regulation should prohibit the use of cookie walls, but this advice is not binding on EU countries, which must ultimately pass the law.
The rules on cookie walls have been amended several times throughout drafts of the ePrivacy Regulation.
As it stands, the relevant laws remain the ePrivacy Directive and the GDPR, and the EDPB's interpretation of these laws remains authoritative.
Since the EDPB's announcement, several notorious cookie walls have come down, to be replaced by more GDPR-compliant alternatives.
It's actually not all that easy to find examples of perfectly GDPR-compliant cookie consent solutions on the web. But we've compiled a few examples of cookie consent solutions that implement some aspects of the law correctly.
Perhaps the most common type of consent solution is the "cookie banner." This sits at the bottom, top, or side of a webpage and allows the user to browse the website regardless of whether or not they consent.
Here's an example from BBC:
This cookie banner is unobtrusive and offers two clear options. Arguably, it would be better to have an option for "Reject all," rather than "No, take me to settings."
Note that cookie banners must offer a genuine choice, and cookies must not be enabled until/unless the user consents.
Here's an example, from Spotify, of a cookie banner with no obvious means to refuse consent:
This is not a proper cookie consent solution as it does not request consent. It simply informs the user that cookies have already been set. This would appear to be incompatible with EU privacy law.
An alternative to cookie banners is the "cookie pop-up."
A cookie pop-up dominates a screen when the user visits a website, in much the same way as a cookie wall. However, unlike with a cookie wall, the user must either confirm or reject consent before proceeding. They are not forced to consent.
Here's an example from TechRadar:
The user is presented with a choice between "More Options" and "I Accept."
The Article 29 Working Party says:
"If a website uses several cookies or cookies that cover several purposes, this does not mean that it must present a separate 'banner' or consent request for each cookie or purpose. A single point of information and consent, presented in a clear and comprehensive manner is sufficient in most cases."
On selecting "More options," the user is taken to the following screen:
Each type of cookie used by TechRadar can be turned "on" or "off." Alternatively, the user can select "Reject all" or "Accept all."
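The two requirements described above, that consent-requiring cookies are not set until the user opts in (the BBC banner section) and that the user can accept or reject per category, or reject everything, and still use the site (the TechRadar pop-up section), are straightforward to enforce in code. The following is an added example written for this article; it is not TermsFeed's code nor the code of any website mentioned. The category names, cookie names and the in-memory cookie jar are assumptions for illustration; in a real page the jar would wrap document.cookie, and the "necessary" category corresponds to the Working Party's type "A" and "B" cookies, including the cookie that records the consent decision itself.

```javascript
// Added example (not from the article or any cited site): a consent-gated cookie manager.
// Cookie categories. "necessary" covers type A/B cookies (session, load balancing,
// the consent record); the other categories require an explicit opt-in.
const CATEGORIES = Object.freeze({
  necessary: { requiresConsent: false },
  analytics: { requiresConsent: true },
  advertising: { requiresConsent: true },
});

const CONSENT_COOKIE = "cookie_consent"; // assumed name; a "necessary" cookie

// Minimal in-memory jar so the example runs outside a browser. In a page you would
// back this with document.cookie (adding Secure/SameSite attributes as appropriate).
function createMemoryJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    remove: (name) => store.delete(name),
    has: (name) => store.has(name),
    names: () => [...store.keys()],
  };
}

function createConsentManager(jar) {
  let decision = null;          // null until the user chooses; nothing consent-gated before that
  const registry = new Map();   // cookie name -> category, so a withdrawal can purge it

  function isAllowed(category) {
    const meta = CATEGORIES[category];
    if (!meta) throw new Error(`unknown cookie category: ${category}`);
    if (!meta.requiresConsent) return true;
    return decision !== null && decision[category] === true;
  }

  // Sets the cookie only when its category is currently permitted; returns whether it was set.
  function setCookie(name, value, category) {
    registry.set(name, category);
    if (!isAllowed(category)) return false;
    jar.set(name, value);
    return true;
  }

  // Records a per-category choice. Every consent-required category must be answered
  // explicitly (no pre-ticked defaults), and cookies in rejected categories are removed.
  function recordDecision(choices) {
    const next = {};
    for (const [cat, meta] of Object.entries(CATEGORIES)) {
      if (!meta.requiresConsent) continue;
      if (typeof choices[cat] !== "boolean") throw new Error(`no explicit choice for ${cat}`);
      next[cat] = choices[cat];
    }
    decision = next;
    jar.set(CONSENT_COOKIE, JSON.stringify(next)); // the record itself needs no consent
    for (const [name, cat] of registry) {
      if (CATEGORIES[cat].requiresConsent && !next[cat]) jar.remove(name);
    }
    return { ...next };
  }

  const gated = () => Object.keys(CATEGORIES).filter((c) => CATEGORIES[c].requiresConsent);
  const acceptAll = () => recordDecision(Object.fromEntries(gated().map((c) => [c, true])));
  const rejectAll = () => recordDecision(Object.fromEntries(gated().map((c) => [c, false])));

  return { isAllowed, setCookie, recordDecision, acceptAll, rejectAll, hasDecided: () => decision !== null };
}

// Walks through the flow the article describes: no consent-gated cookies before a
// decision, "Reject all" keeps the site usable, per-category toggles, withdrawal purges.
function demo() {
  const jar = createMemoryJar();
  const cm = createConsentManager(jar);
  const before = {
    session: cm.setCookie("session_id", "s1", "necessary"),     // set immediately
    analytics: cm.setCookie("analytics_id", "a1", "analytics"), // not set: no decision yet
  };
  cm.rejectAll();                                                // user refuses and browses on
  const afterReject = cm.setCookie("analytics_id", "a1", "analytics");
  cm.recordDecision({ analytics: true, advertising: false });    // per-category choice
  const afterToggle = {
    analytics: cm.setCookie("analytics_id", "a1", "analytics"),
    ads: cm.setCookie("ad_id", "x1", "advertising"),
  };
  cm.rejectAll();                                                // withdrawal removes analytics_id
  return { before, afterReject, afterToggle, analyticsAfterWithdraw: jar.has("analytics_id"), cookies: jar.names().sort() };
}
```

The design choice worth noting is that consent state starts as "undecided" rather than "accepted", and that a script wanting to set a gated cookie has to ask the manager each time, so a later "Reject all" both stops new cookies and removes the ones already set. A banner that only records the decision, without gating the code that sets cookies, ends up like the Spotify example below: informing the user after the fact.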
Let's take a look at a cookie paywall featured on the website of The Washington Post:
EU users visiting The Washington Post website are presented with the above screen. They cannot proceed to the main website without selecting one of these options.
As you can see above, a condition of browsing the website as a "free" user is that you "consent" to the use of tracking cookies. The alternative is to pay a "Premium EU Ad-Free" subscription fee.
Some interpretations of the ePrivacy Directive and the GDPR hold that offering a paid subscription as an alternative to using tracking cookies is acceptable. As noted above, cookie paywalls may or may not be permitted once the ePrivacy Regulation is enacted.
This view is supported by Recital 42 of the GDPR, which states:
"Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."
The EDPB's recent statement also suggests that cookie paywalls are not GDPR-compliant:
Therefore, on balance, it would appear that cookie paywalls are not currently an appropriate alternative to cookie walls.
To be clear, there is no EU law against putting a website behind a regular paywall. Charging money for services is permissible. The difficulty arises where businesses treat personal information as a commodity. This appears to be incompatible with the spirit of the GDPR.
Cookie walls have always been a controversial means of obtaining consent, and the EDPB's recent statement should settle the debate (at least until the ePrivacy Regulation finally arrives).
To ensure your cookie consent solution is GDPR-compliant, it must present the user with a genuinely free choice. This means using a cookie banner or pop-up, and avoiding presenting consent as an alternative to payment.