Cookie walls – what’s allowed and what isn’t?

Some websites leave users with no choice. Even before they start browsing, a cookie banner blocks access – and only reveals the page once the user has clicked on “Accept” or “Okay”. There is no option to decline.
What is behind this procedure? Is it actually legal? And what distinguishes a cookie wall from a paywall?

This cookie wall leaves the user no option: they either agree to the use of  their data or they cannot access the website’s content.

Cookie walls are no more than a gatekeeper of sorts. The predicament is that the user can either accept the website operator’s specifications – in this case, allowing marketing cookies and other tracking technologies – or the user simply can’t access the site’s content. This situation is known as the “take it or leave it” approach.

Cookie walls are a technical barrier on a website that users can only pass if they submit information. Typically this is accepting or refusing being tracked by web technologies. In some cases, users have to decide whether to let their personal information be processed by the website or risk being denied access to the site’s content.

The ultimate goal of using a cookie wall is collecting and processing as much user data as possible. This information is then used to create detailed profiles that can be re-sold to other companies.

From a publisher’s point of view, this approach is quite understandable. After all, publishers must fund their content, to which profits from advertising contribute a large part.

a) No user choice

 
A cookie wall without privacy options does not offer the user the possibility to select or deselect certain categories of cookies. The user doesn’t have an overview as to which of their data is collected and stored. Nor can they actively change options in the privacy settings or give or withdraw their consent for certain services or general data collection.

❗This approach is not GDPR-compliant, as the user does not receive any granular settings options or information concerning the data processing services used. In addition, under the GDPR access to a service such as a website must be given even if the user refuses consent. Users cannot be discriminated against if they refuse consent for the use of their data.  

b) Providing user choice

Instead of having the cookie banner pop up discreetly in the lower third of the website, for example, this variant is ultimately a somewhat more aggressive method of querying the user’s preferences. A Consent Management Platform (CMP) is used, but the banner appears centrally on the website. The background is often hidden and is not displayed until the user makes settings selections. The crucial difference from the other type is that with this type of cookie banner, the user really has a choice, and they can use the website’s services even if they do not consent to the processing of their personal data.

❗This approach is GDPR-compliant, provided that the cookie banner meets all      the requirements for collecting valid consent. You can find out more about this in our Knowledge Hub by checking out 7 criteria of a GDPR-compliant consent.

There are two main types of cookies:

• Essential cookies: These are used to perform the basic functions of the website, like storing one’s purchases in the shopping cart. As a rule, these types of cookies may be set without the user’s explicit consent, as otherwise the website would not be able to perform its basic functions.
• Marketing cookies: These cookies collect personal data about the user and their browsing behavior in order to further process them either anonymously or in an identifiable manner. In order to process this data in a GDPR-compliant manner, user consent must be obtained before data is collected. Ideally, this is done via a Consent Management Platform (CMP).

In principle, a website provider does not have to make a website accessible to every visitor. The issue, however, is whether the cookie banner is allowed to exclude individuals. In other words, should website visitors have the right to continue to use the website or access content if they have refused the processing of their data? Can that be considered comparable to preventing access to content if users haven’t paid for it?

Essentially, we’re talking about “voluntary” concepts within the data protection space. According to the GDPR, data subjects should be free to choose whether they consent to the use of personal data or not. But is this really a choice and voluntary if it means that users won’t be able to use a website?

According to the European Data Protection Board (EDPB) and the French data protection authority CNIL, websites may not make accessibility dependent on whether or not the user consents to the use of tracking or advertising cookies. 

Right in the preface of the guidelines, it is highlighted that obtaining consent through the use of a cookie wall, as well as when a user simply scrolls through the site, violates the GDPR. The Federal Commissioner for Data Protection in Germany takes the following position:

“There are still websites that impose tracking on users through their website design. The updated guidelines make it abundantly clear once again that consent cannot be forced. Most cookie walls, and the assumption that the “continuing to surf a site” means consent, contradict the aspect of voluntariness and violate the General Data Protection Regulation. I wish that responsible parties would draw the right conclusions from this legislation and at last offer privacy-friendly alternatives.” 

The answer is clear: no. Cookie walls are illegal ways for website operators to collect users’ data through the manipulative appearance of asking for consent. The EDPB, an independent supervisory body composed of representatives of EU national data protection authorities, published specific guidelines on May 4, 2020, discussing the validity of consent. 

These guidelines classify cookie walls as an illegal and invalid means of obtaining consent from users to process their data:

“Access to services and functionalities shall not be conditioned on a user’s consent to store or access information already stored in a user’s terminal device” (EDPB Guidelines 05/2020, page 11).

• voluntarily given
• informed
• granular
• explicit indication of the user’s wishes
• revocable

The user must therefore provide clear acceptance for the use of trackers and cookies and actively give consent to the processing of personal information by the website. 

Passive behavior in the form of opting out of consent that has already been pre-selected, or simply scrolling past or clicking away from a window, cannot therefore be considered valid consent.

You can find further information at: “Die aktuellen Guidelines der EDSA zur DSGVO-konformen Einwilligung”.

In order to build trust, it is important to offer website users a truly granular choice. Apart from choice, it is also crucial to inform users consistently and transparently about which cookies and tracking services are in use and which partners the website operator is working with. Using a professional Consent Management Platform (CMP) is a good way to do that.  

Consent management platforms enable website operators to forego the use of the cookie wall and rely on user preferences.

Website users can choose to filter their consent for data collection and processing. This enables website operators to comply with the legal requirements of relevant data protection authorities.

The user must be able to choose where to provide their consent depending on the different categories of cookies:

• Essential cookies
• Marketing cookies
• Analytical cookies
• Functional cookies
• Personalization

While essential cookies do not require consent, visitors can differentiate between the use of these and the other categories of cookies, and in this way specifically protect their data.

By providing users with choice, websites in turn comply with both the data protection requirements of the GDPR and the supervisory authorities in regards to the further processing of personal information.

The rights and the privacy of website visitors are respected through granular consent, enabling users to actively give their consent for certain cookies as well as to gain access to the website’s features and content. This allows users to participate in promotions and events or to purchase services and products.

At the end of the day, cookie walls always put the following questions into the spotlight:

As a website operator, how do I want to handle my users and their data? What goals or what business model am I pursuing? And which type of practice will pay off in the long term?

Here are some answers: If the service that a website provides is so good that many users are willing to pay for it, that’s a good case for the use of a paywall. Here, users have the transparent choice of paying for the content directly, or with their data. 

Using center-placed banners on websites that offer a clear choice (through a Consent Management Platform) can also make sense if the content on the website is attractive. Whether a hidden background behind the wall ultimately deters or attracts users is determined by the interaction data that a compliant Consent Management Platform will provide to users.

Usercentrics, for example, offers its customers extensive functionality to precisely analyze user behavior with the Consent Management Platform, enabling direct action to improve interaction rates. You can find out exactly how this works here. 

How transparently – or not – website operators collect and process user data is increasingly becoming the focus of consumer attention. And brings a complex issue to the forefront: trust.

Use of a cookie wall, which only releases content if the user consents to the processing of their data, is considered illegal according to current EDPS guidelines on how to collect user consent. But there is one more thing at play. Visitors also lose trust in websites that do not play fair when it comes to data protection.

Not to mention that due to the constant cookie notices, tracking information and advertisements, customers may lose interest in the website and not even take up the offer or service in the first place. 

However, if website visitors are given the choice to actively filter cookies by means of a data compliant cookie banner, things could look quite different.

By using a Consent Management Platform, website operators can not only comply with the EDPS guidelines, among other legal frameworks, but also create a happy customer base. Not only do users now have access to the topics and services that interest them, but they can also build trust in the company thanks to a transparent data protection strategy. A deal that pays off for both sides in the long run, because a good service or strong content will always attract users.