On Thursday 7 March, the Dutch DPA published new guidance on the use of so-called 'cookie walls' on websites. Cookie walls only allow access to a website on the condition that the user first gives his or her consent to the placement of cookies (or similar tracking devices) on his or her computer or communication device.
This interpretation sharply deviates from earlier guidance given by the Dutch government and the telecommunications regulator. Netherlands law provides a specific prohibition on the use of cookie walls on the websites of public bodies and authorities. Initiatives to enact a broader prohibition in the law did not succeed, as the legislature considered that private parties should have the right to set certain conditions for allowing access to their website based on the 'freedom to contract' principle.
With Thursday's opinion, the Dutch DPA also bans cookie walls from all other commercial, ideological and charitable websites. Although the Dutch DPA does not have the final word on the interpretation of the GDPR-associated state law provisions, this new guidance does create legal uncertainty and risk for many operators of websites that are available in the Netherlands.
The Dutch DPA explains in its internet statement that it is of the opinion that cookie walls do not satisfy the requirement of consent to be given 'freely', as the consequence of not giving consent is that the website in question will not be accessible. This, in turn, would be 'detrimental' to the user within the meaning of the GDPR.
Not only does this interpretation of the GDPR deviate from Netherlands law to date, the approach also seems not entirely in line with guidance provided by other data protection regulators in Europe (the Austrian regulator, for example, has recently rejected a complaint that consent obtained through a cookie wall was not 'freely' given). Hence, it seems time for the European Data Protection Board to provide clarity, as per the consistency mechanism, on the admissibility of cookie walls in Europe.
The English translation of the Dutch DPA guidance is provided below. The original Dutch text can be found here.
Websites must remain accessible if tracking cookies are refused
The Dutch Personal Data Authority has published normative guidance today stating that websites that only grant visitors access if they consent to the placement of so-called 'tracking cookies' (or other similar techniques of tracking and recording user behavior) do not comply with the General Data Protection Regulation (GDPR). The Dutch DPA received dozens of complaints from website visitors who, after refusing tracking cookies, were unable to access the web pages they wanted to visit. The Dutch DPA will intensify its monitoring of cookie compliance and has already approached a number of parties specifically on this matter.
'The digital tracking and recording of surfing behavior on the internet via tracking software, or via other digital methods, is one of the largest processing operations of personal data, because almost everyone is active on the internet. In order to protect privacy, it is therefore important that parties ask website visitors to consent in a proper manner', said Aleid Wolfsen, chair of the Dutch DPA. 'In this way, people can consciously and properly exercise their right to protect their personal data. If websites request consent for tracking cookies and access to the website or service is refused if these cookies are not accepted, people are put under pressure to provide their personal data, which is unlawful.'
Consent is required
Under the GDPR, organizations must have a legal basis to process personal data. If companies wish to track people using tracking cookies, tracking software or other digital techniques, organizations must gather the users' consent to do so. This is for a reason; website visitors must be able to trust that their personal data will be protected properly, according to the rules of the privacy laws.
Many websites therefore ask consent prior to placing 'tracking software' such as tracking cookies, tracking pixels or fingerprinting. Consent will not be required for functional and analytical cookies. Monitoring and analyzing the behavior of website visitors and sharing this information with third parties may only be done with the user's consent. This consent must be freely given.
For so-called 'cookie walls' on websites (no consent means no access to the website), consent has not been freely given, because visitors cannot access the website without providing their consent. Under the GDPR, consent is not 'freely' given if individuals have no genuine and free choice, or if they cannot refuse to give consent without adverse consequences.
Investigation and enforcement
With the publication of this normative guidance, the Dutch DPA regards it as the organizations' task and responsibility to adapt their practice on cookie usage where necessary. The Dutch DPA has sent guidance to the organizations it received the most complaints about. In this letter, the Dutch DPA also announced that it will be intensifying its monitoring in the short term to see whether the standard is being applied correctly in the interests of protecting privacy.