Header graphic for print
Global Media and Communications Watch The International Legal Blog for the Tech, Media and Telecoms Industry
Posted in Cybersecurity, Data Protection & Privacy, International/EU privacy, Policy & Regulation, privacy and security litigation Joke Bodewits

Dutch Data Protection Authority States Cookie Walls Violate GDPR

On 7 March 2019, the Dutch Data Protection Authority published guidance (in Dutch) that it considers “cookie walls” to violate the GDPR. A cookie wall is a pop-up on a website that blocks a user from access to the website until he or she consents to the placing of tracking cookies or similar technologies.

Under current Dutch cookie law, functional and analytical cookies can be used without consent. Tracking cookies like those used for advertising may only be used if a visitor has given consent. According to the Dutch DPA, the use of a cookie wall results in a “take it or leave it” approach. The Dutch DPA explains that this practice is not compliant with the GDPR as consent resulting from a cookie wall is not freely given, because withholding consent has negative consequences for the user as the user is not allowed access to the website. In view of the Dutch DPA, websites should offer users a real choice to accept or reject cookies. Users who decide not to consent to the placing of tracking cookies should still be granted access to the website (e.g., in exchange for payment).

The guidance was issued following many complaints the Dutch DPA received about this practice. The Dutch DPA has sent a letter to several companies about their cookie walls. The Dutch DPA announced that it will carry out further verifications and intensify its enforcement to ensure that the GDPR is correctly applied in this area.

The Dutch DPA has received criticism for taking a too strict approach. However, the view seems to align with the current draft ePrivacy Regulation update which states that “making access to the website content provided without direct monetary payment conditional to the consent of the end-user […] would normally not be considered disproportionate” (recital 20).