Cookie walls don’t comply with GDPR, says Dutch DPA

Cookie walls that demand a website visitor agrees to their internet browsing being tracked for ad-targeting as the “price” of entry to the site are not compliant with European data protection law, the Dutch data protection agency clarified yesterday.

The DPA said it has received dozens of complaints from internet users who had had their access to websites blocked after refusing to accept tracking cookies — so it has taken the step of publishing clear guidance on the issue.

It also says it will be stepping up monitoring, adding that it has written to the most-complained-about organizations (without naming any names) — instructing them to make changes to ensure they come into compliance with GDPR.

Europe’s General Data Protection Regulation, which came into force last May, tightens the rules around consent as a legal basis for processing personal data — requiring it to be specific, informed and freely given in order for it to be valid under the law.

Of course consent is not the only legal basis for processing personal data, but many websites do rely on asking internet visitors for consent to ad cookies as they arrive.

And the Dutch DPA’s guidance makes it clear internet visitors must be asked for permission in advance for any tracking software to be placed — such as third-party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained. Ergo, a free choice must be offered.

So, in other words, a “data for access” cookie wall isn’t going to cut it. (Or, as the DPA puts it: “Permission is not ‘free’ if someone has no real or free choice. Or if the person cannot refuse giving permission without adverse consequences.”)

“This is not for nothing; website visitors must be able to trust that their personal data are properly protected,” it further writes in a clarification published on its website [translated via Google Translate].

“There is no objection to software for the proper functioning of the website and the general analysis of the visit on that site. More thorough monitoring and analysis of the behavior of website visitors and the sharing of this information with other parties is only allowed with permission. That permission must be completely free,” it adds.

We reached out to the DPA with questions. A spokesperson told us it can’t comment on any individual complaints, but added: “Cookie walls are non-compliant with the principles of consent of the GDPR. Which means that any party with a cookie wall on their website has to be compliant ASAP, whether or not we will check that in a couple of months, which we certainly will do.”

In light of this ruling clarification, the cookie wall on the Internet Advertising Bureau (IAB)’s European site (screengrabbed below) looks like a textbook example of what not to do — given the online ad industry association is bundling multiple cookie uses (site-functional cookies; site-analytical cookies; and third-party advertising cookies) under a single “I AGREE” option.

It does not offer visitors any opt-outs at all. (Not even under the “MORE INFO” or privacy policy options pictured below.)

If the user does not click “I I AGREE” they cannot gain access to the IAB’s website. So there’s no free choice here. It’s agree or leave.

Clicking “MORE INFO” brings up additional information about the purposes the IAB uses cookies for — where it states it is not using collected information to create “visitor profiles.”

However, it notes it is using Google products, and explains that some of these use cookies that may collect visitors’ information for advertising — thereby bundling ad tracking into the provision of its website “service.”

Again the only “choice” offered to site visitors is “I AGREE” or leave without gaining access to the website. Which means it’s not a free choice.

The IAB told us no data protection agencies had been in touch regarding its cookie wall.

Asked whether it intends to amend the cookie wall in light of the Dutch DPA’s guidance, a spokeswoman said she wasn’t sure what the team planned to do yet — but she claimed GDPR does not “outright prohibit making access to a service conditional upon consent”; pointing also to the (2002) ePrivacy Directive which she claimed applies here, saying it “also includes recital language to the effect of saying that website content can be made conditional upon the well-informed acceptance of cookies.”

“We’re not going to change our implementation of our cookie banner on this point because the law does not require us to allow people to access our website without consenting to the use of cookies,” Matthias Matthiesen, the IAB’s director for privacy and public policy, told us in a follow-up call.

The IAB’s position appears to be that the ePrivacy Directive trumps GDPR on this issue.

Though it’s not clear how they’ve arrived at that conclusion. (The more than 15-year-old ePrivacy Directive is also in the process of being updated — while the flagship GDPR only came into force last year.)

On this Matthiesen cited a “general principle of law” that he said means that “in a conflict between two rules that cover the same thing it’s the more specific law prevails.” (Though that does assume the GDPR and ePrivacy Directive are in conflict where cookie walls are concerned.)

The portion of the ePrivacy Directive that the IAB appears to be referring to is recital 25 — which includes the following line:

Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

However, “specific website content” is hardly the same as full site access, i.e. as is entirely blocked by their cookie wall.

The “legitimate purpose” point in the recital also provides a second caveat vis-à-vis making access conditional on accepting cookies — and the recital text includes an example of “facilita[ting] the provision of information society services” as such a legitimate purpose.

What are “information society services”? An earlier European directive defines this legal term as services that are “provided at a distance, electronically and at the individual request of a recipient” [emphasis ours] — suggesting it refers to Internet content that the user actually intends to access (i.e. the website itself), rather than ads that track them behind the scenes as they surf.

So, in other words, even per the outdated ePrivacy Directive, a site might be able to require consent for functional cookies from a user to access a portion of the site.

But that’s not the same as saying you can gate off an entire website unless the visitor agrees to their browsing being pervasively tracked by advertisers.

That’s not the kind of “service” website visitors are looking for. 

Add to that, returning to present day Europe, the Dutch DPA has put out very clear guidance demolishing cookie walls.

The only sensible legal interpretation here is that the writing is on the wall for cookie walls.

The IAB’s Matthiesen disagrees, of course.

“Law’s complicated and [the definition of an information society service is] not as simple as that statement,” he said debating this point. “When a browser connects to a website it’s making technically a request on the things that are being loaded. So it is technically requesting the content that is loaded on the site.”

“The website is the property of the website owner. There are fundamental rights attached to property too,” he added. “There is nothing in the GDPR that says I must make my website’s content available to people. I am perfectly fine to determine the conditions under which I am making my property available.

“You’re not entitled to it. I can’t force you to accept tracking, right, maybe. The way in which you aren’t forced is that you don’t have to use my property. That is the fundamental disagreement between the position [that cookie walls can’t be used] and mine [i.e. that they can].”

He suggested it will be up to the European Court of Justice to provide legal clarity on the issue — assuming any Dutch websites targeted by the regulator to take down their cookie walls choose to bring a legal challenge.

This report was updated with comment from the DPA and the IAB.