One of the next big items in Europe will be the expansion of “ePrivacy,” (which, among other things, regulates the use of cookies on websites). While the ePrivacy reform is still being worked on by EU lawmakers, one of the items the ePrivacy Regulation is expected to update is the use of “cookie walls.” Recently, the Austrian and UK data protection authorities (DPAs) issued enforcement actions involving the use of cookie walls, albeit with different findings and conclusions.
Cookie Walls
A cookie wall blocks individuals from accessing a website unless they first accept the use of cookies and similar technologies. The practice of using cookie walls is not prohibited under the current ePrivacy Directive.
However, the European Data Protection Board (EDPB), the successor to the Article 29 Working Party, has issued a non-binding opinion that the use of cookie walls should be prohibited under new EU ePrivacy rules. The EDPB argues that cookie walls run contrary to the General Data Protection Regulation (GDPR): “In order for consent to be freely given as required by the GDPR, access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited.”
However, the negotiations around the upcoming ePrivacy Regulation are still ongoing, so it is unclear whether cookie walls will be explicitly prohibited in the final version.
The Facts
Two recent cases in Europe related to the online offerings of newspapers: the Austrian newspaper Der Standard in Austria and the United States’ Washington Post in the UK.
For each newspaper online, individuals are presented with the choice of either a free-access option with cookies or a paid-for access option without cookies. There is no free-access option without cookies.
The Austrian DPA’s view
The Austrian DPA dismissed a complaint in November 2018 by an individual who had argued that Der Standard’s cookie wall rendered the individual’s consent not freely given and thus invalid under Article 7(4) GDPR.
The Austrian DPA indicated that cookie walls are not prohibited; Der Standard’s cookie wall provides a degree of choice that results in freely given consent. First, an individual is in full control of the situation – Der Standard only places cookies after the individual makes the conscious and informed decision to allow the placement of cookies. Second, the individual can withhold consent by either entering into a paid subscription or leaving Der Standard’s website.
In addition, the Austrian DPA noted that the price of a paid-for access option without cookies should be taken into consideration. If the price is too high, it means that the paid option becomes a negative consequence of withholding consent to cookies, which could invalidate the individual’s consent; here, the Austrian DPA considered Der Standard’s prices to be “not unreasonably high.” In fact, giving consent to cookies results in a positive outcome for the individual, because they gain unlimited access to the newspaper’s articles.
The Austrian DPA did not, however, discuss what would happen if an individual withdrew their consent to a cookiewall. This suggests that there were no concerns in this particular case about whether an individual can validly withdraw consent. (In practice, when an individual withdraws consent, DerStandard’s website simply presents the cookie-wall again.)
The UK DPA’s approach
According to a reported statement, available here, the UK DPA – the Information Commissioner’s Office (ICO) – took a markedly different approach to the Austrian DPA. Towards the end of 2018, the ICO was reported to have issued a warning to the Washington Post. Given that the Post operates out of the United States, and therefore not within the ICO’s direct jurisdiction, the ICO could only issue a statement (rather than trigger any enforcement action). Nevertheless, even though it does not have the same standing as an enforcement action, the ICO’s statement is a good litmus test of how the ICO may react to UK websites with cookie walls.
The ICO purportedly viewed the consent of the Post’s readers to be finely linked to their ability to access the Post’s website, because accepting cookies is the only way to access the articles (apart from paying a monthly fee). In light of this setup, the ICO concluded that the Washington Post was in breach of the GDPR principles because it did not give individuals “a genuine choice and control over how their [personal] data are used.” This, according to the ICO, meant that consent to cookies cannot be freely given and is therefore invalid under Article 7(4) of the GDPR.
How Should Organizations React?
In the context of ePrivacy and its ongoing updates, there is no clear regulatory consensus around the prohibition of cookie walls. The different approaches taken by the UK and Austrian DPAs do not signal accord (or even coordination) amongst the DPAs on cookie walls’ impact on consent. This is surprising, given that this is exactly the sort of area where harmonization over interpretation of the GDPR is expected. It would therefore be helpful for the EDPB to step in and clarify these discrepancies.
In the meantime, organizations should keep a close eye on ePrivacy developments, particularly to monitor for further developments on potential prohibitions of cookie walls or other cookie practices.