Cookie Wall: Is it GDPR Compliant?

Cookie wall has been a hot topic ever since the arrival of the General Data Protection Regulation (GDPR) in 2018. While many saw the stricter cookie rules in the EU as the dawn of a privacy-first approach, some publishers and advertisers saw it as an impediment and resorted to cookie walls. Court rulings and regulators have had many back and forths regarding the legality of cookie walls. This blog will clarify what you can and cannot do with regard to cookie walls.

A cookie wall sometimes called a ‘tracking wall’ is a cookie popup that asks users of a website to accept cookies before they can access the website. If they do not give consent, users don’t get access. 

Article 4(11) GDPR defines consent as 

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Based on the definition of consent, cookie walls do not constitute valid consent because it does not give users a free choice with regards to cookies. Hence, cookie walls are not GDPR compliant.

EDPB on cookie wall

In May 2020 the European Data Protection Board (EDPB) updated the guidelines on consent under the EU General Data Protection Regulation (GDPR). 

The EDPB guidelines clarify that consent given via cookie walls is not freely given and therefore does not constitute valid consent. The updated guidelines include the following explanation:

This is in line with the position already taken by various European data protection supervisory authorities including France’s CNIL (National Commission on Informatics and Liberty). 

ePrivacy Regulation and cookie wall

The draft ePrivacy Regulation, a core element of the data protection regime in the EU does not mandate a blanket prohibition on cookie walls.  The draft notes that access to a free service can be made conditional on accepting cookies, provided that the service provider offers an equivalent option that does not require the acceptance of cookies. This means websites can use cookie walls if they offer the user the choice for an alternative cookie-less service.

CNIL’s prohibition of cookie wall

In 2019, issued cookie guidelines in which it banned the use of cookie walls in a general and absolute manner and noted that cookies walls are not an acceptable practice in terms of data protection and do not comply with the GDPR. In 2020, the French Council of State (Conseil d’Etat) overruled this guideline and said that the CNIL  exceeded its powers and is not competent to impose such a blanket prohibition since it only issues soft law (non-binding guidelines).

In 2021 CNIL went back on the decision stating that walls can only be used if they don’t hinder the user’s freedom to decline consent. CNIL noted that while they do not ban cookie walls, since cookie walls are likely to undermine the freedom of users to consent, the lawfulness of cookie walls must be assessed on a case-by-case basis.

ICO on cookie wall

The UK’s regulator Information Commissioner’s Office (ICO) notes that under certain circumstances cookie walls are inappropriate. This mean, websites cannot make ‘general access’ conditional, such that users have to accept non-essential cookies.

However, the ICO uses Recital 25, of the ePrivacy Directive to justify cookie walls in certain circumstances. Cookie walls are acceptable for specific website content when used for legitimate purposes. ICO clarifies that legitimate purpose refers to providing a service the user explicitly requests and does not include third parties such as analytics services or online advertising.

Other regulators of the EU member states such as the Spanish AEPD, Belgian DPA, Dutch DPA and the Irish DPC have also chimed in and noted that cookie walls do not constitute valid consent because the user is not presented with a real choice.

Cookie banners and popups can be the GDPR compliant alternatives to cookie walls. For cookie consent to be valid under the GDPR, it should be:

• Freely given — The user should have a genuine choice to accept and reject cookies.
• Specific and informed — You should explain the use of cookies, the purposes for which they are used, and how the user can withdraw consent at any time.
• Unambiguous and affirmative — Consent should be given via a clear and positive action, such as clicking on the ‘Agree button’.

CookieYes cookie consent solution, trusted by over 1 million websites worldwide will help you collect, manage and record cookie consents to comply with multiple privacy laws like the GDPR, ePrivacy Directive, CNIL, LGPD, CCPA and more.

With CookieYes, you can easily obtain GDPR compliant cookie consent.  You can:

• Display a cookie consent banner or cookie popup on your website 
• Give users full control to accept, decline or change cookie settings on the banner
• Customize the banner for desktop and mobile devices for accessibility
• Show cookie table (with name, type, purpose and duration) for full disclosure of cookies 
• Show auto-translated banner to users as per their browser language
• Auto-block third-party cookies till the user gives consent
• Record all user consents for proof of compliance
• Add a callback widget for the banner so users can revoke consent at any time
• Generate a cookie policy with detailed disclosure of cookie use and link it to your cookie banner
• Scan your website for cookies to auto-update your cookie list and cookie policy 

While cookie walls don’t represent a “freely given consent”, there are other dark patterns in design that nudge users to make privacy-unfriendly choices. The EDPB and regulators from EU member states have variously asked websites to steer clear from such patterns that are not compliant with GDPR consent. These dark patterns include:

• Pre-ticked boxes: Websites cannot use pre-ticked boxes to obtain user consent because they do not represent a free choice, nor does the user take any affirmative action to give consent in such cases.
• Consent on scroll: Continuing to browse a website or inactivity with regard to a cookie banner cannot be considered as consent given by the user and is not valid under the GDPR.
• Notice-only banner: Banners that do not give users the option to accept and reject cookies cannot be means to obtain valid GDPR consent unless your website only uses strictly necessary cookies.  
• Lack of a ‘Reject’ button: Cookie banners should give users the option to reject cookies and it should be as easy to decline consent as it is to give consent.
• Bundled consent: Cookie consent cannot be bundled with other terms and conditions or privacy notices. You should also give users the granular option to give consent for cookie categories.
• Confusing language: You cannot use double negatives and confusing language to get users to accept cookies. Cookie usage should be clearly stated in plain language.

NOYB (Non of Your Business), the European privacy rights group, filed complaints against the cookie paywalls of seven major German and Austrian news websites for cookie paywalls. 

An increasing number of websites in the EU are asking users to either agree to their data being processed or sign up for paid subscriptions. NOYB noted that users have no free choice in such a model and that saying no to data sharing or tracking is not only time-consuming but also pricey.

While the use of cookie walls would depend on the guidelines by your lead supervisory authority, in general, cookie walls do not represent valid consent under the GDPR. 

If you need to avoid these dark patterns and save yourself from GDPR fines, then cookie consent banners are the compliant way. CookieYes can help your website cookie compliant in just 3 steps. Sign up for free, copy the cookie banner code, paste it on your website and you are done.

What is ‘soft’ cookie wall?

Cookie walls usually give the user no choice but to accept cookies and continue to the website or decline cookies and leave the website. The ‘soft’ cookie walls will give users more choices such as changing cookie preferences. This means the user has some control over how cookies are used on the website. 

Are cookie walls GDPR compliant?

No. Cookie walls are not GDPR compliant. Based on GDPR’s definition. Consent should be freely given. In the case of cookie walls, users are left with no choice but to agree to the use of cookies to access a website and its services. Therefore, cookie walls do not constitute GDPR compliant consent.

Are cookie walls illegal?

Cookie walls that demand ‘consent’ in return for accessing a website, are illegal as per the GDPR and EDPB guidelines. However, some regulators of EU member states have contested a blanket ban on cookie walls and allow their use on a case-to-case basis. You can check with the guidelines of the respective lead Data Protection Authority (DPA) that your business/website comes under, for clarity.

What is a cookie banner?

A cookie banner is a notification that is displayed when a user visits a website which tells users about the cookies used on the website. After the GDPR, cookie banners are used to request consent from users for deploying cookies on their browsers. Users have the choice to accept or decline the use of cookies. 

What is a paywall?

A paywall is a mechanism in which access to a website is restricted to users who have paid to subscribe to the site. Often paywalls restrict full access to certain services or content on a website to non-paying users. Paywalls are often used by news publications and digital magazines that give access to content for paying members only.

What is a cookie paywall?

Cookie paywall or ‘consent or pay’ is a mechanism where users can access a website free of charge if they consent to the use of cookies. If users do not consent, they may alternatively access the website if they pay. Cookie paywalls are often used by online publishers who use an advertising-based revenue model.

What are some cookie wall examples?