EDPB and Cookie Walls

The General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR) affect how you as a website owner must obtain and store cookie consents from your visitors from the EU.

Updated March 22, 2020.

A cookie wall is a way for websites to deny users access if they don’t consent to all cookies and trackers present on that website.

It’s a barrier of sorts that puts the user in a “take it or leave it” situation, where they must either opt in to marketing cookies and similar tracking technology, or be denied access altogether to the website and its services.

However, the European Data Protection Board’s (EDPB) guidelines on valid consent from May 2020 rule out cookie walls as a valid way for websites to obtain user consent to personal data processing and cookie use.

In this blogpost, we look at all things cookie walls:

  1. what is a cookie wall?
  2. EDPB guidelines: are cookie walls legal?
  3. how do cookie walls work?
  4. and what is an alternative, valid way of obtaining user consent?

A cookie wall is very much what it sounds like: it’s a wall around a website that users can only get through by accepting cookies and trackers on the domain, most of which will be processing their personal data.

A cookie wall is a “take it or leave it” scenario that a website sets up for users so that it can be sure to activate all cookies and trackers and get as much data as possible, even if it is against the user’s wishes.

Some websites may use a cookie wall for fear that granular consent will break their websites if users are left with the choice to consent to some cookies rather than others. Later in this blogpost, we will debunk this myth.

In practice, a cookie wall is a particular variation of the cookie banner that users are used to interacting with on the Internet today. Only, a cookie wall leaves no real option for the user to select or deselect certain categories of cookies, like marketing cookies that typically harbor myriads of private data trackers from ad tech companies. This means that the cookie banner, which is supposed to be an interactive solution enabling granular consent for the user, becomes instead a cookie wall – and the only way through is to click OK.

A cookie banner implemented in a way that forces a bundled consent from users, also known as a “cookie wall”. Cookie banners can be implemented in different ways to suit different privacy laws around the world, but in the EU, the above implementation is non-compliant.

Cookie walls exist on a myriad of sites throughout the web, even on many news sites that people rely on for their daily information (and reporting on privacy issues, ironically).

Imagine that you’re trying to buy a newspaper, but you can only read it if you disclose everything in detail about your closest relationships and family to the stranger selling it, and dozens of other third parties.

Or imagine that you’re trying to enter a supermarket, but the only way you can go shop is by taking off your clothes, handing over your wallet and social security number before entering.

It sounds absurd, but it’s comparable to the situation that a cookie wall puts an end-user in, when it demands as payment for access that they relinquish control of their own private data and hand it over to ad tech companies who create eerily detailed profiles on individuals and sell these in real time bidding schemes on the behavioral futures markets.

No! Cookie walls are an illegal way of obtaining consent from individuals inside the EU.

On May 4, 2020, the European Data Protection Board (EDPB) released new guidelines that clarify the legality of cookie walls and what constitutes a valid consent.

The EDPB is an independent supervisory body made up of representatives from all national data protection authorities in the EU.

It’s the job of the EDPB to ensure a consistent application of the GDPR and ePrivacy directive inside the EU by adopting guidelines and directing national data protection authorities towards coherent enforcement.

The EDPB guidelines 05/2020 effectively rule out cookie walls as a valid means for websites to obtain consent from their users to process their personal data.

The EDPB states clearly in their guidelines that cookie walls are illegal.

Cookie walls work by making access to a service conditional on the consent of users for processing their personal data, and the EDPB states in their guidelines that this does not constitute valid consent.

“Access to services and functionalities must not be made conditional on the consent of a user to the storing, or gaining of access to information already stored, in the terminal equipment of a user” (EDPB guidelines 05/2020, page 11)

These EDPB guidelines rule out cookie walls, since – as we have explained – cookie walls operate by forcing consent from users to store cookies or access already stored cookies in exchange for access to services and functionalities.

And so, cookie walls are not compliant with the GDPR, since they do not meet the requirements for a consent to be freely given and on the basis of a genuine choice.

Valid consent according to the GDPR is formed by four aspects:

  • Freely given
  • Specific
  • Informed
  • Unambiguous indication of the user’s wishes

In other words, a valid consent must be a freely given, specific, informed and unambiguous indication that the user accepts your website’s use of cookies and trackers to process their personal data. A valid consent must be a clear and affirmative action on the part of the user.

The GDPR spells out clearly that consent must be freely given, and the EDPB’s guidelines from May 2020 clarify that user consent obtained through cookie walls is invalid, exactly because the consent wasn’t given freely in the first place, since it was a condition for visiting the website.

The EDPB guidelines from May 2020 make cookie walls illegal.

Most websites in the world have first and third-party cookies embedded in their source code. They range from necessary cookies that are fundamental to the operation of a website to statistics cookies that often use anonymized data to give insight into how a website performs.

Then, there are marketing cookies that are placed by ad tech companies entirely for the purpose of collecting personal data in order to target users in behavioral advertising schemes (and for other ominous ends).

Cookie walls work by making consent a condition of access to a website and its services, denying users entry unless they give full consent to all cookies.

The many different types of cookies have many different purposes – some are straight-up privacy infringing, which is why the European data protection laws – the General Data Protection Regulation and the ePrivacy Directive – are in place to control and regulate how these cookies and trackers are allowed to be used by companies, organizations and websites.

The GDPR mandates that data controllers obtain the prior consent of users before any processing of their data is allowed to take place. Consent is one of six legal bases for processing personal data in the EU and the most widely used for websites and companies across the world.

And so, the cookie consent banner was born as a way for data controllers to be GDPR and ePR compliant by acquiring user consents for data processing.

A cookie wall is a hybrid cookie banner that obtains something like a user consent but leaves out any choice for the user to granulate their consent to certain types of cookies rather than others. It works by blocking access unless a user clicks ‘o.k.’ to all cookies and trackers.

Cookiebot CMP offers granular consent as opposed to cookie walls. It builds trust between the visitors and the website – something that a cookie wall betrays.

Granular consent means that your users are able to filter their consent between different categories of cookies:

  • Necessary cookies
  • Preference cookies
  • Statistics cookies
  • Marketing cookies

When users land on your website, Cookiebot CMP presents them with an interactive cookie banner that allows them to consent to some cookies and not others. Only necessary cookies don’t need user consent to be activated.

Cookiebot CMP consent banner offering granular consent for full GDPR compliance for your website.

Cookiebot CMP‘s unmatched scanner detects all cookies and trackers and automatically blocks them all, so your users’ personal data will not be processed until they have given their consent.
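The difference between granular consent and a cookie wall can be made concrete in code. The following is an added example, not Cookiebot CMP's code or API; all function names, tag names and event shapes are hypothetical. It gates tags by category while never making page access depend on consent, and it ignores scrolling as a consent signal.

```javascript
// Added example: hypothetical names throughout; not Cookiebot CMP's API.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// State before the user acts: only necessary cookies are active,
// and no other category is pre-ticked.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Turn a banner event into a consent state. Only an explicit click on the
// banner counts; scrolling or continued browsing changes nothing.
function applyBannerEvent(current, event) {
  if (event.type !== "click") return current;
  const next = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && event.choices && event.choices[cat] === true) {
      next[cat] = true;
    }
  }
  return next;
}

// Decide which tags may run. Access to the page is never part of the
// decision: content is always served, only the tags are gated.
function gateTags(consent, tags) {
  const allowed = [];
  const blocked = [];
  for (const tag of tags) {
    const ok = tag.category === "necessary" || consent[tag.category] === true;
    (ok ? allowed : blocked).push(tag.name);
  }
  return { pageAccess: true, allowed, blocked };
}

// Constructed sample tags for illustration.
const SAMPLE_TAGS = [
  { name: "session-cookie", category: "necessary" },
  { name: "language-pref", category: "preferences" },
  { name: "page-analytics", category: "statistics" },
  { name: "ad-pixel", category: "marketing" },
];

// Visitor scrolls (ignored), then clicks and accepts statistics only.
let state = applyBannerEvent(defaultConsent(), { type: "scroll" });
state = applyBannerEvent(state, { type: "click", choices: { statistics: true } });
console.log(gateTags(state, SAMPLE_TAGS));
```

A cookie wall is the variant in which `pageAccess` would depend on every category being accepted; here it is constant, so rejecting marketing cookies blocks only the marketing tags.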

Our CMP scans your website on a monthly basis and generates a complete cookie declaration of total transparency between your website and its users.

Through the Cookiebot CMP granular consent solution, websites can offer real, freely given choice for their visitors through our highly customizable consent banners that gather user consent and manage the activation of the cookies on your website in GDPR compliance.

By allowing users to choose for themselves which cookies and trackers they will allow a website to set on their devices, a website not only operates in compliance with the GDPR’s requirement for a legal basis for processing personal data.

It also respects the privacy and autonomy of the individuals behind the screen, behind the term “user” or “data subject” – the real human beings, whose intimate, private lives can be severely infringed through data collection by third party trackers.

Respect for the dignity of privacy and sincere regard for the autonomy of other individuals is hard to legislate on. It is more than law, it is… culture.

Cookiebot CMP works hard every day to help websites become compliant with the world’s data protection laws, but we also work hard every day to create a culture of privacy and autonomy on the Internet.

Try Cookiebot CMP free for 14 days… or forever if you have a small website.

For a free and private future.

Before the EDPB adopted guidelines on cookie walls in May 2020, some national data protection authorities throughout the EU had already started ruling on whether cookie walls could be considered legal under the GDPR.

Here is an overview of the national DPAs and their decisions prior to the EDPB guidelines 05/2020.

In spring 2019, the Dutch DPA AP ruled that cookie walls are in violation of the GDPR, exactly because visitors to a website need to give their consent freely, i.e. not coerced by a cookie wall that demands a price for access to the domain.

The Dutch DPA summarized their decision by saying that a cookie wall creates a “take it or leave it”-situation for users, where they either have to give their consent to all cookies and trackers on a website or leave it without having been able to access it.

This, according to the Dutch DPA, constitutes an invalid form of consent, since the users won’t have a free and real choice to accept or reject certain cookies over others. Websites are not allowed to deny access to users who decide not to consent to cookies and trackers.

The British data protection authority ICO also updated their guidelines for the use of cookies in GDPR compliance in the summer of 2019.

Applying the standard for consent of the GDPR to the national implementations of the ePrivacy Directive (in Britain the PECR), the British ICO decided that no cookie categories except necessary are allowed to have pre-ticked checkboxes.

The ICO also specified that using a cookie wall to restrict access to a site until users consent is not GDPR (and PECR) compliant.

“Using a blanket approach such as this is unlikely to represent valid consent. Statements such as ‘by continuing to use this website you are agreeing to cookies’ is not valid consent under the higher GDPR standard”.

The French data protection authority CNIL also updated their guidelines in the summer of 2019 and issued the same opposition to cookie walls as the British and Dutch DPAs.

However, France’s highest administrative authority (the Conseil d’État) ruled that CNIL had exceeded its authority when it decided that blocking access to a website for users who don’t give their full cookie consent was non-compliant by default.

In its decision, the Conseil d’État stated that CNIL cannot legally prohibit cookie walls. It did, however, confirm all other points of CNIL’s guidelines, which had been contested.

In the new guidelines from September 17, 2020, CNIL has rephrased its guidance on cookie walls and states instead that cookie walls are “likely to infringe, in certain cases, the freedom of consent”.

On March 18, 2021, CNIL also published an FAQ on its cookie guidelines (in French), including details on its guidance on the use of cookie walls.

On the topic, CNIL’s FAQ specifies that the implementation of cookie walls “must be assessed on a case-by-case basis”.

In the summer of 2020, the Spanish data protection authority AEPD updated their guidelines on cookie walls.

In similar fashion to the British ICO and the Dutch AP, the Spanish AEPD ruled that cookie walls that do not offer an alternative to consent are not allowed.

In other words, cookie walls are deemed non-compliant by the Spanish AEPD unless an equivalent alternative to access without the user having to give their consent is provided.

AEPD highlights that cookie walls are particularly problematic in cases where users are denied access to a website when trying to exercise a legal right, e.g. to unsubscribe from a service.

Websites in Spain that do not offer a proper and equal alternative to access without consent are in non-compliance with the AEPD’s guidelines on cookie walls.

The AEPD guidelines also specify that continued scrolling on websites does not constitute valid consent, i.e. consent must be an explicit and unambiguous indication of the user’s choice.

The AEPD guidelines were released in July 2020 with a three-month grace period and took effect on October 31, 2020.

On November 26, 2020, the Italian data protection authority Garante Per La Protezione Dei Dati Personali released new guidelines on cookies and cookie walls (in Italian).

As with most other EU data protection authorities, cookie walls are also deemed illegal by the Italian DPA.

An exception is made if the website offers access to equivalent content or services, but this will be determined by the Italian DPA on a case-by-case basis.

Apart from clarifying that cookie walls are illegal, the guidelines from the Italian DPA also deem scrolling to be inadequate as consent, meaning that consent must be an active, affirmative, explicit action from the user to be valid.

The Italian cookie guidelines also specify different cookies and their properties, how to write a compliant cookie policy, and what constitutes a valid consent banner.
