The Dutch Data Protection Agency (DPA) announced on Thursday that “cookie walls” violate the EU’s GDPR.
What is a “cookie wall”? Ever since May 2018 you most definitely have come across a cookie notice that doesn’t let you pass until you agree to its conditions taking your consent out of the equation. If you thought this was in violation of your GDPR rights, you were right and last week the Dutch DPA was on your side on the matter.
The DPA had received numerous complaints from internet users who had had their access to websites blocked after refusing to accept tracking cookies. This is why they took it upon themselves to publish guidance on the issue.
The GDPR is very specific on the topic of consent as a legal basis for processing personal data — requiring it to be specific, informed and freely given in order for it to be valid under the law. The guidance published by the Dutch DPA doubles down on this making it clear that users must be asked for consent in advance for any tracking software to be used — such as third-party tracking cookies, tracking pixels etc. — and that that consent must be freely obtained.
“Permission is not ‘free’ if someone has no real or free choice. Or if the person cannot refuse giving permission without adverse consequences.” as the DPA puts it.
They also emphasise that they’ll be stepping up monitoring, contacting the most-complained-about organisations instructing them to make effort in complying with GDPR regulations.
Some organisations like the Internet Advertising Bureau (IAB) claim the ePrivacy Directive (which is in the process of being updated) trumps GDPR on this issue, citing that it “also includes recital language to the effect of saying that website content can be made conditional upon the well-informed acceptance of cookies.”
“Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.” – Recital 25, ePrivacy Directive (2002)
Raising issues with enterprating the meaning of the law specifically with the points about “specific website content” and the one about “legitimate purpose”, making the explanation rather invalid as TechCrunch explain.
Resolving this issue will certainly set a precedent for the future. Meanwhile, Opera’s Opera Touch browser has bypassed this issue with a cookie dialog blocker, surely prompting other companies to step up their game in UX design.