Cookie walls that demand a website visitor agrees to their internet browsing being tracked for ad-targeting as the “price” of entry to the site are not compliant with European data protection law, the Dutch data protection agency clarified yesterday.
The DPA said it has received dozens of complaints from internet users who had had their access to websites blocked after refusing to accept tracking cookies — so it has taken the step of publishing clear guidance on the issue.
It also says it will be stepping up monitoring, adding that it has written to the most-complained-about organizations (without naming any names) — instructing them to make changes to ensure they come into compliance with GDPR.
Europe’s General Data Protection Regulation, which came into force last May, tightens the rules around consent as a legal basis for processing personal data — requiring it to be specific, informed and freely given in order for it to be valid under the law.
Of course consent is not the only legal basis for processing personal data, but many websites do rely on asking internet visitors for consent to ad cookies as they arrive.
And the Dutch DPA’s guidance makes it clear internet visitors must be asked for permission in advance for any tracking software to be placed — such as third-party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained. Ergo, a free choice must be offered.
So, in other words, a “data for access” cookie wall isn’t going to cut it. (Or, as the DPA puts it: “Permission is not ‘free’ if someone has no real or free choice. Or if the person cannot refuse giving permission without adverse consequences.”)
“This is not for nothing; website visitors must be able to trust that their personal data are properly protected,” it further writes in a clarification published on its website [translated via Google Translate].
“There is no objection to software for the proper functioning of the website and the general analysis of the visit on that site. More thorough monitoring and analysis of the behavior of website visitors and the sharing of this information with other parties is only allowed with permission. That permission must be completely free,” it adds.
We reached out to the DPA with questions. A spokesperson told us it can’t comment on any individual complaints, but added: “Cookie walls are non-compliant with the principles of consent of the GDPR. Which means that any party with a cookie wall on their website has to be compliant ASAP, whether or not we will check that in a couple of months, which we certainly will do.”
In light of this clarification, the cookie wall on the Internet Advertising Bureau (IAB)’s European site (screengrabbed below) looks like a textbook example of what not to do — given the online ad industry association is bundling multiple cookie uses (site-functional cookies; site-analytical cookies; and third-party advertising cookies) under a single “I AGREE” option.
If the user does not click “I AGREE” they cannot gain access to the IAB’s website. So there’s no free choice here. It’s agree or leave.
Again the only “choice” offered to site visitors is “I AGREE” or leave without gaining access to the website. Which means it’s not a free choice.
The IAB told us no data protection agencies had been in touch regarding its cookie wall.
Asked whether it intends to amend the cookie wall in light of the Dutch DPA’s guidance, a spokeswoman said she wasn’t sure what the team planned to do yet — but she claimed GDPR does not “outright prohibit making access to a service conditional upon consent”; pointing also to the (2002) ePrivacy Directive which she claimed applies here, saying it “also includes recital language to the effect of saying that website content can be made conditional upon the well-informed acceptance of cookies.”
The IAB’s position appears to be that the ePrivacy Directive trumps GDPR on this issue.
Though it’s not clear how they’ve arrived at that conclusion. (The more than 15-year-old ePrivacy Directive is also in the process of being updated — while the flagship GDPR only came into force last year.)
On this Matthiesen cited a “general principle of law” that he said means that “in a conflict between two rules that cover the same thing it’s the more specific law prevails.” (Though that does assume the GDPR and ePrivacy Directive are in conflict where cookie walls are concerned.)
The portion of the ePrivacy Directive that the IAB appears to be referring to is recital 25 — which includes the following line:
Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.