Cookie walls have been a highly debated issue when it comes to General Data Protection Regulation (GDPR) compliance. Users are essentially given two options – accept cookies or leave the site.
While it’s a beneficial way for companies to acquire user consent for tracking, it raises the question of whether that consent is coerced. There have already been multiple cases where companies have been fined for cookie walls under the GDPR, from giants like Facebook to smaller organizations like Aranow.
Continue reading to learn all about cookie walls and their legality to understand when they’re not allowed under different regulations.
What is a cookie wall?
A cookie wall, also referred to as a tracking wall, is a cookie popup that requires users to accept cookies in order to access a website. Under the GDPR, consent obtained through such mechanisms is not valid because it’s not freely given.
For example, here’s a cookie wall that appears once you decline all cookies on the Healthline website:
It shows that a version without tracking cookies is unavailable at the moment. The website only provides 10 random articles that are unoptimized or visual-free.
Meanwhile, some sites that rely on advertising as a source of funding, like news websites, put content behind paywalls. Such a paywall means that you must either accept all cookies or pay for access. For instance, here’s what it looks like once you open The Nouvel Obs website:
This website gives you two options – you can either accept all cookies and continue or subscribe for at least €29.99/year.
Does the GDPR allow cookie walls?
Cookie walls are not compliant with the GDPR or the ePrivacy Directive except when they offer alternative access or a genuine choice for consent. This means that under the GDPR, consent obtained through a cookie wall is not valid because it is not freely given: the wall can coerce users into agreeing to tracking in order to access content.
The GDPR Article 7(4) states that “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
Meanwhile, the ePrivacy Directive Article 5(3) also acknowledges that consent must be clearly and fully informed. While it doesn’t specifically state anything about cookie walls, its requirements are similar to those of the GDPR, such as freely given consent, which implies that validity depends on whether there’s a power imbalance or coercion.
Cookie walls under the EDPB
The European Data Protection Board (EDPB) has already confirmed in its guidelines on consent (3.1.2 Conditionality) that consent obtained through cookie walls is not a genuine choice and therefore isn’t valid.
The same goes for the “consent or pay” models. According to the EDPB Opinion of the Board (Art. 64), this model comes with a risk of deception, coercion, or pressure that keeps users from exercising their free will. Paywalls do not provide users with a real choice and can constitute an imbalance of power.
Cookie walls in different countries
The stance on cookie walls is similar in most countries that have strict data privacy regulations. Here are a few examples of how cookie walls are viewed in different countries:
- France. In 2020, the Council of State ruled that tracker walls cannot be banned. Therefore, the French Data Protection Agency (CNIL) evaluates cookie wall legality based on fair alternative access, reasonable pricing, and similar considerations.
- United Kingdom. Cookie walls are not illegal in the UK if they meet specific criteria, including providing users with a free and fully informed choice, according to the International Commissioner’s Office (ICO). There shouldn’t be a power imbalance and it should be easy to withdraw consent at any time.
- Italy. According to the Italian Data Protection Authority (GPDP) guidelines, cookie walls are unlawful unless the website gives users access to “equivalent contents or services without consenting to the installation and use of cookies.” Compliance is assessed on a case-by-case basis.
Cookie walls under the CCPA
The California Consumer Privacy Act (CCPA) doesn’t explicitly state anything about cookie wall usage. However, cookie walls could be viewed as a form of coercion.
Under the CCPA (FAQ G.), users have the right to non-discrimination. This means that businesses are not allowed to deny services or provide a different quality or price because the user opted out of the sale of their data.
The alternative to cookie walls
If you want to prioritize GDPR compliance and avoid hefty fines, it’s better to use a cookie banner. It helps websites ensure transparency and gather valid consent from users. Here’s an example of what it could look like:
- Inform users about data collection. A cookie banner lets you provide a short statement about your site’s data collection practices and provides resources for further information, like the privacy policy or cookie policy.
- Provide consent management options. Under the GDPR, you should provide consent management options so users can easily choose which specific types of cookies they want to accept or reject.
- Add a reject option. According to GDPR Article 7(3), it should be as easy to withdraw consent as it was to give it. So, a cookie banner lets you add a button to reject all or accept required only.
- Allow website access. A cookie banner provides users with access to the website no matter how they manage their consent options. This ensures that consent is freely given, informed, unambiguous, and valid.
Dark patterns to avoid in cookie banners
Some companies leverage cookie banners to coerce users into agreeing to data tracking. Such measures aren’t compliant with the GDPR and should be avoided at all costs unless you want to face large GDPR fines. Here are the common dark pattern examples that are not GDPR-compliant:
- Pre-ticked consent options. Pre-ticked consent management options mean consent is not freely given because they don’t constitute an active affirmative action. For example, if you want to reject consent on the Candle World website, you have to un-tick the boxes of the cookies you want to reject.
- Not adding a reject option. Omitting a reject button is not allowed unless cookies are strictly necessary. For example, here’s the cookie banner on the Odoro website. It doesn’t provide cookie management options but is still compliant because it uses essential cookies only. In cases where third-party cookies are used, a banner like this would be non-compliant with the GDPR.
- Automatic consent upon scrolling. Continuing to browse a website does not constitute affirmative action. Therefore, it’s not a valid form of consent under the GDPR.
- Using difficult language. The information in the cookie consent notice must be written in plain and very simple language so that any user can understand it.
Frequently asked questions
A ‘soft’ cookie wall is a cookie popup that gives you more consent management and cookie preference options. Soft cookie walls don’t block access to the website and allow users a level of control over their private data usage.
Yes, cookie walls are illegal as per GDPR and EDPB regulations because they require users to give their consent in exchange for access to the website.
No, cookie walls aren’t GDPR-compliant because they do not provide freely given consent based on a genuine and informed user choice.