Updated January 15, 2020.
A cookie wall is a way for websites to deny users access if they don’t consent to all cookies and trackers present on that website.
It’s a barrier of sorts that puts the user in a “take it or leave it” situation, where they must either opt in to marketing cookies and similar tracking technology, or risk being denied access altogether to the website.
However, a cookie wall is an ambivalent thing – the legality of them are up for discussion, with some data protection authorities in the EU already deeming them unlawful.
In this blogpost, we look at all things cookie walls:
A cookie wall is a website’s self-made border that restricts access to it for users who don’t consent to all of the cookies and similar tracking technology present and ready to be activated on the domain.
It’s a “take it or leave it”-scenario that a website sets up for users so that it can ensure to activate all cookies and trackers and get as much data as possible, even if it is against the free will of its visitors.
Some websites may use a cookie wall in fear that granular consent will break their websites, if users are left with the choice to consent to only some cookies rather than others. Later in this blogpost, we will debunk this myth.
In essence, a cookie wall is a particular kind of cookie consent banner that might look like the benign ones you normally see on the Internet, only a cookie wall leaves no option for the user to select or de-select certain categories of cookies, like marketing cookies that typically harbor myriads of private data trackers from ad tech companies.
A cookie wall, like the one pictured here, forces users to consent to being tracked by third party ad tech companies like Google and Facebook as a quid pro quo for access to a website.
Cookie walls exists on myriad sites throughout the web, even on many news sites that people rely on for their daily information (and reporting on privacy issues, ironically).
Imagine that you’re trying to buy a newspaper, but you can only read it if you disclose everything in detail about your closest relationships and family to the stranger selling it, and dozens of other third parties.
Or imagine that you’re trying to enter a supermarket, but the only way you can go shop is by taking off your clothes, handing over your wallet and social security number before entering.
It sounds absurd, but it’s comparable to the situation that a cookie wall puts an end-user in, when it demands as payment for access that they relinquish control of their own private data and hand it over to ad tech companies who create eerily detailed profiles on individuals and sell these in real time bidding schemes on the behavioral futures markets.
Most websites in the world have first and third-party cookies embedded in their source code. They range from necessary cookies that are fundamental to the operation of a website to statistics cookies that often use anonymized data to give insight into how a website performs.
Then there are marketing cookies that are placed by ad tech companies entirely for the purpose of collecting personal data in order to target users in behavioral advertising schemes (and for other ominous ends).
Cookie walls work by denying entrance to a website for users unless they give full consent to all cookies.
The many different types of cookies have many different purposes – some are straight-up privacy infringing, which is why the European data protection legislations – the General Data Protection Regulation and the ePrivacy Directive – are in place to control and regulate how these cookies and trackers are allowed to be used by companies, organizations and websites.
The GDPR mandates that data controllers obtain the prior consent of users before any processing of their data is allowed to take place. Consent is one of six legal bases for processing personal data in the EU and the most widely used for websites and companies across the world.
And so, the cookie consent banner was born as a way for data controllers to be GDPR and ePR compliant by acquiring user consents for data processing.
A cookie wall is a hybrid cookie banner that obtains something like a user consent but leaves out any choice for the user to granulate their consent to certain types of cookies rather than others. It works by blocking access unless a user clicks ‘o.k.’ to all cookies and trackers.
Well, not really.
The GDPR defines valid consent as being freely given and warns that consent will be invalid if it is conditioned upon the exchange of a service to which the data processing is not necessary.
In other words, a cookie wall is right on the edge of illegal – with some privacy experts like Dr. Johnny Ryan of Brave protesting actively against the use of them.
And rightly so, as they skew the situation of consent for users and disturb the fundamentals of consent as spelled out in the GDPR.
In fact, Dr. Johnny Ryan from the privacy browser Brave issued a formal complaint to the Irish DPA in April 2019 against IAB Europe’s own cookie wall on their website, forcing visitors to accept tracking by Google and Facebook, among others.
IAB Europe refused to answer the questions subsequently asked by the Irish Data Protection Commission arising from Dr. Ryan’s complaint.
Back in July 2018, only a few months after the GDPR took effect, the European Data Protection Board (EDPB) issued a statement that cookie walls should be prohibited under the new ePrivacy Regulation, expected to be finalized some time in 2020.
The GDPR has a specific definition of what constitutes valid consent, found in its Article 7.
Websites must comply or be in violation of the law and risk heavy fines (up to €20 million or 4% of a company’s annual global turnover).
The GDPR doesn’t really talk about cookies specifically – apart from one mention in over eighty pages. It does, however, raise the standard of consent from previous privacy legislation, such as the ePrivacy Directive (with its national implementations across the EU) that does deal with cookies and trackers.
According to the GDPR, consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
In essence, the GDPR spells out clearly that users in the EU must have clear and active choices upfront, before any cookies are set and any of their data processed.
Three EU data protection authorities have ruled cookie walls illegal in 2019.
When it comes to the legality of a cookie wall, the part of the GDPR’s definition of consent (as seen above) that is most pressing to dwell on is the part that specifies that a valid consent must be freely given.
A cookie wall forces users to decide between visiting a website by accepting all cookies and trackers, or to leave with their privacy intact.
This distorts the situation of consent for the user, and therefore invalidates the part of consent about being given freely.
Consent is not freely given, if it is forced as a condition for access to a site that doesn’t need all cookies activated to provide the user the service of merely allowing them access, as specified in Article 7 of the GDPR.
This has prompted several European data protection agencies to come out with new guidelines, in which they state squarely that a cookie wall is non-compliant with the GDPR.
In spring 2019, the Dutch DPA AP ruled that cookie walls are in violation of the GDPR, exactly because visitors to a website need to give their consent freely, i.e. not coerced by a cookie wall that demands a price for access to the domain.
The Dutch DPA summarized their decision by saying that a cookie wall creates a “take it or leave it”-situation for users, where they either have to give their consent to all cookies and trackers on a website or leave it without having been able to access it.
This, according to the Dutch DPA, constitutes an invalid form of consent, since the users won’t have a free and real choice to accept or reject certain cookies over others. Websites are not allowed to deny access to users who decide not to consent to cookies and trackers.
In other words, cookie walls are illegal in the Netherlands.
Applying the standard for consent of the GDPR to the national implementations of the ePrivacy Directive (in Britain the PECR), the British ICO decided that no cookie categories except necessary are allowed to have pre-ticked checkboxes.
In this updated guidance, the ICO also specified that using a cookie wall to restrict access to a site until users consent is not GDPR (and PECR) compliant.
“Using a blanket approach such as this is unlikely to represent valid consent. Statements such as ‘by continuing to use this website you are agreeing to cookies’ is not valid consent under the higher GDPR standard”.
However, the ICO also acknowledges that there isn’t a unified ban on cookie walls in the EU, i.e. that it is a matter of interpretation of the GDPR, and that there are practical considerations around the use of partial cookie walls.
The ICO “will be seeking further submission and opinions on this point from interested parties”.
Lastly, the French data protection authority CNIL also updated their guidelines in in the summer of 2019 and issued the same opposition to cookie walls as the British and Dutch DPAs.
CNIL ruled that websites have to “leave the possibility to users to access the service even in case of refusal to consent”.
In other words, a cookie wall is non-compliant with the GDPR in France as well.
The use of cookie walls, CNIL says, is non-compliant because it does not constitute valid consent, as the consent obtained through a cookie wall is not freely given, as both the British ICO and Dutch AP agreed on as well.
Yes, cookie walls are banned in both the Netherlands, the UK and France.
It is considered a shady practice in the rest of Europe, and is very likely to be outlawed formally in the ePrivacy Regulation in 2020, pending any unforeseen watering-down of the new EU privacy law.
At Cookiebot, we believe in a granular consent solution. This empowers the user with real GDPR compliant consent options. It builds trust between the visitors and the website – something that a cookie wall risks betraying.
Granular consent through Cookiebot’s consent banner enables real GDPR compliance for websites.
Through our granular consent solution, websites can offer real, freely given choice for their visitors through our highly customizable consent banners, which gather user consent and manages the activation of the cookies on your website in GDPR compliance.
By allowing users to choose for themselves which cookies and trackers they will allow a website to set on their devices, a website not only operates in compliance with the GDPR’s requirement for a legal basis for processing personal data.
It also respects the privacy and autonomy of the individuals behind the screen, behind the term “user” or “data subject” – the real human beings, whose intimate, private lives can be severely infringed through data collection by third party trackers.
Respect for the dignity of privacy and sincere regard for the autonomy of other individuals is hard to legislate on, it is more than law… it is culture.
Cookiebot works hard every day to help websites become compliant with the world’s data protection laws, but we also work hard every day to create a culture of privacy and autonomy on the Internet.
Try Cookiebot for free today to become compliant, but, you know… for that other thing too.
For a private and free future.