Cookie Walls – are they GDPR Compliant?
Walls of all types are generally built to block, divide, or an enclose an area; cookie walls have become an increasingly popular mechanism utilized by websites in an effort to block content and force website visitors to provide consent. New consent guidelines from the European Data Protection Board (“EDPB”) state that these cookie walls are a violation of the General Data Protection Regulation (“GDPR”). Specifically, the guidelines state that:
- In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a visitor to the storing of information, or gaining of access to information already stored, in the terminal equipment of a visitor (e.g., cookie walls); and
- Simply scrolling or swiping a website does not amount to giving consent for tracking visitors. If a website enables tracking cookies as soon as visitors scroll the webpage without agreeing to an “Accept Cookies” button, a violation of GDPR has occurred.
Does that mean I can’t use a cookie wall?
If you want to be compliant with GDPR, you can’t use a cookie wall to force consent for European Union (“EU”) visitors to your website. GDPR includes consent as one of six lawful bases that data controllers can use when processing people’s personal data. In order for consent to be legally valid under GDPR, consent must be clear and informed, specific and freely given. Cookie walls that demand consent in order to view website content are contrary to the “freely given” part of this criteria, and are therefore invalid.
Does the EDPB provide examples of what they consider to be invalid consent?
They do! The EDPB includes the below example to show that cookie walls do not constitute valid consent; the “Accept Cookies” button does not present the visitor with a genuine choice:
Example 6a: A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given. This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice.
If a visitor scrolls through my site, does that mean they’re consenting?
No! Scrolling on a website or digital service cannot be interpreted as consent. The EDPB makes this clear by stating “actions such as scrolling or swiping through a webpage or similar visitor activity will not under any circumstances satisfy the requirement of a clear and affirmative action.” The EDPB guidance indicates one reason for its position is the difficulty with which a visitor could withdraw consent in a manner as easy as granting it; it’s just not possible.
I have a cookie wall on my site, what should I do now?
First, you should understand the risks. Any websites still trying to use tracking cookies the moment a site visitor scrolls the page are risking regulatory enforcement, and that gets expensive. GDPR fines can be as high as €20M or 4% of global revenues (even if your business isn’t based in the EU). If you’re using a cookie wall for your EU visitors, you’re putting yourself at significant financial risk. That means you need a compliant solution, one which clearly and accurately requests consent and offers a similarly easy route to opt-out and/or manage consent.