Dutch DPA Says No Cookie Walls Because of GDPR Consent
The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (“AP”), issued an interpretation of the General Data Protection Regulation (GDPR) declaring that websites must remain accessible for users refusing tracking cookies. AP also said it would intensify its compliance monitoring around cookie walls and had sent letters to some parties about their use of them.
The AP investigation began when it received complaints from website visitors about their inability to access web pages after refusing tracking cookies. AP concluded that the consent obtained by a cookie wall was not freely given. Because website visitors cannot access the website without giving permission, they do not have a free choice to accept or reject the tracking cookies.
AP applied the consent standard from GDPR to the cookie consent for tracking technologies in determining whether it was valid. It did not object to the use of technology for the proper functioning of the website and general analysis of the visit – it applied the guidelines to more thorough monitoring of website behavior and data sharing.
The new interpretation highlights a difference between GDPR and the ePrivacy Directive in this regard. Article 25 of the ePrivacy Directive indicated that specific website content may be conditional on the well-informed acceptance of a cookie used for a legitimate purpose. However, the ePrivacy Directive was written more than a decade ago and, in recent years, has been the subject of advanced discussions to revise it and replace it with the ePrivacy Regulation (ePR). There is still no final publication of the new regulation or a timetable for the required implementation of ePR.
The United Kingdom’s Information Commissioner’s Office last year criticized the Washington Post for its use of a cookie wall on its lowest subscription plan and free content in another sign that data protection authorities consider such forced consent invalid. However, no action was taken against it because of potential jurisdictional issues.
Consent management and forced consent are not just an issue with cookies; they have been among the key issues in both the CNIL decision to fine Google over its Android platform and the German antitrust regulator (FCO) decision to order a halt to certain of Facebook’s data practices.
However, not all DPAs may see the cookie wall the same way as AP. The ICO decision on the Washington Post stands at odds with a decision by the Austrian DPA that found consent was properly obtained when the alternative from the newspaper was a small monthly fee. The regulator found six euros a month was not a significant negative consequence and the individual could choose other news sources. If other regulators choose to adopt this approach, allowing a small monthly fee as an alternative to tracking, it could become an alternative form of cookie wall.