A Dutch data protection agency claims that "cookie walls" that require visitors to accept all cookies before accessing a site violate the GDPR


Cookie walls that require a visitor of the website agree that their browsing on the Internet is followed for targeting ads because the "price" of the entry on the site does not comply with the European legislation on data protection said the Dutch data protection agency.

The DPA reported receiving dozens of complaints from internet users whose access to websites had been blocked after refusing to accept tracking cookies. She therefore decided to issue clear guidelines on the subject.

He also indicates that he will intensify the monitoring, adding that he has written to the most denounced organizations (without naming names) – asking them to make changes to make sure that they comply with the GDPR.

The European General Data Protection Regulation, which entered into force last May, strengthens the rules on consent as a legal basis for the processing of personal data – requiring that it be specific, informed and freely given for data protection. that it be valid under the law.

Of course, consent is not the only legal basis for the processing of personal data, but many websites ask internet visitors to give their consent to advertising cookies upon their arrival.

And according to the guidelines of the Dutch DPA, it is clear that Internet visitors must obtain prior permission from the installation of any tracking software, such as third-party tracking cookies; pixel tracking; and browser fingerprints – and that this permission must be obtained freely. So, a free choice must be offered.

So, in other words, a cookie wall "data for access" will not cut it. (Or, as the DPA says: "Permission is not" free "if a person has no real or free choice, or if the person can not refuse to give permission without adverse consequences.")

"It is not for nothing; website visitors must be able to trust that their personal data is properly protected, "he wrote in a clarification posted on his website [translated via Google Translate].

"There is no objection to the software for the proper functioning of the website and to the general analysis of the visit to this site. Further monitoring and analysis of website visitor behavior and sharing of this information with other parties is only permitted with permission. This authorization must be totally free, "he adds.

We contacted the DPA with questions. A spokesperson told us that he could not comment on any complaints, but added, "The cookie walls do not comply with the GDPR consent principles. This means that any party with a wall of cookies on their website must comply as soon as possible, whether or not we verify that in a few months, which we will certainly do. "

In light of this clarification, the cookie wall of the European Internet Bureau (IAB) 's Internet site (Internet) looks like a classic example of what not to do – given that the l? Online Advertising Industry Association brings together several uses of cookies (site-functional, site-scanning cookies and third-party advertising cookies) as part of a single "I ACCEPT" option.

It offers no opt-out option to visitors. (Not even in the "MORE INFO" or privacy policy options shown below.)

If the user does not click on "I accept", he can not access the IAB website. There is no free choice here. It's okay or leave.

By clicking on "MORE INFORMATION", you get additional information on the purposes for which the IAB uses cookies: it is indicated that it does not use the information collected to create "visitor profiles".

However, he notes that he uses Google products and explains that some of them use cookies that can collect information about visitors for advertising purposes. Thus, the tracking of ads is integrated into the provision of the "service" of its website.

Again, the only "choice" offered to visitors to the site is "I ACCEPT" or leave without having access to the website. Which means it's not a free choice.

The IAB told us that no data protection agency had been in touch regarding its wall of cookies.

Asked about her intention to modify the cookie wall in light of Dutch DPA guidelines, a spokeswoman said she was not sure what the team was planning to do – but she asserted that the GDPR does not strictly prohibit making access to a service subject to consent. "also highlighting the Directive (2002) on the protection of privacy which, according to it, applies here, stating that it" also includes a recital wording according to which the content of the website may be subordinate to the informed acceptance of cookies ".

"We will not change the implementation of our cookie banner on this point as the law does not require us to allow people to access our website without consenting to the use of cookies, "Matthias Matthiesen, Director of Privacy and Public Policy IAB, told us in a follow-up call.

The position of the IAB seems to be that the privacy directive overrides the GDPR on this issue.

Although we do not know how they arrived at this conclusion. (The Data Protection Directive, which is more than 15 years old, is also being updated – while the flagship GDPR only came into effect last year.)

Matthiesen cited in this connection a "general principle of law" which, in his view, means that "in a conflict between two rules that cover the same thing, it is the most specific law that prevails" (although assumes that the GDPR and ePrivacy directives conflict when cookie walls are affected.)

The part of the e-Privacy Directive to which the IAB seems to refer is recital 25 – which includes the following line:

Access to specific website content may still be contingent upon the knowledgeable acceptance of a cookie or similar device, if used for legitimate purposes .

However, the "specific content of the website" is barely identical to the full access to the site, that is to say that it is completely blocked by the wall of cookies.

The "legitimate objective" point in the recital also provides a second caveat regarding the subordination of access to the acceptance of cookies – and the text of the recital includes an example of "facilita[ting] provision of information society services "as such.

What are the "information society services"? An earlier European directive defines this legal term as services "provided remotely, electronically and at the individual request of a recipient" [emphasis ours] – suggesting that it refers to the Internet content that the user actually has intends to access (that is, the website itself), rather than ads that follow them behind the scenes when they surf.

Thus, in other words, even under the outdated Data Privacy Directive, a site may possibly require the user's consent for functional cookies in order to access part of the site.

But it's not the same as saying that you can lock an entire website unless the visitor agrees that their browsing is widely followed by advertisers.

This is not the kind of "service" that website visitors are looking for.

Add to that that, returning to present-day Europe, the Dutch DPA has issued very clear guidelines on the destruction of biscuit walls.

The only sensible legal interpretation here is that the writing is on the wall for the cookie walls.

Matthiesen of the IAB is not in agreement, of course.

"The law is complicated and [the definition of an information society service is] not as simple as this statement, "he said while debating this point. "When a browser connects to a website, it technically makes a query on the items being loaded. He therefore technically requests the content loaded on the site. "

"The website is the property of its owner. There are also fundamental rights attached to property, "he added. "Nothing in the RGPD indicates that I have to make the content of my website accessible to people. I am perfectly able to determine the conditions under which I put my property at disposal.

"You are not entitled to it. I can not force you to accept follow-up, okay, maybe. The way you do not have to be, you do not have to use my property. This is the fundamental disagreement between the position [that cookie walls can’t be used] and mine [i.e. that they can]. "

He suggested that the European Court of Justice be responsible for clarifying the law on the matter – assuming that all Dutch websites targeted by the regulator remove their walls of cookies choose to submit a judicial remedy.

This report has been updated with comments from the DPA and the IAB.