DPA: Cookie Walls Violate GDPR
A Data Protection Authority said last week that when websites use cookie walls in exchange for access to a site, they're failing to comply with the GDPR.
Cookie walls, mechanisms on websites that allow visitors access - as long as they consent to having their browsing tracked - do not comply with the General Data Protection Regulation (GDPR).
That's according to the Dutch Data Protection Authority, which on Thursday published a lengthy statement [in Dutch] breaking down its stance on the divisive technology. According to the DPA, a/k/a Autoriteit Persoonsgegevens (AP), the placement of a cookie wall on a site doesn't conform to the principles of consent of GDPR.
According to the DPA, if a user wants to access the content of a site, they’re forced to give their consent to tracking cookies. That means users don't really have a choice; permission isn't free and can't be given because there's no access to the site without it.
The DPA goes on further, saying in this scenario, under the Algemene verordening gegevensbescherming, or General Data Protection Regulation, a user has no real or free choice.
"In short, if a website is (partly) asked for permission for tracking cookies and access to the website, app or other service is not possible, the AP thinks it is illegal," the DPA wrote in translated guidance last week.
Under GDPR organizations need to request permission – and obtain proper user consent – before tracking users.
The Dutch DPA claims it has gotten dozens of complaints from citizens unable to access websites because they've refused to be tracked. The DPA said it will continue monitoring websites to ensure they comply and that it has sent out letter to specific parties for failing to comply.
“The digital tracking and recording of Internet surfing behavior via tracking software or other digital methods is one of the largest processing of personal data, because virtually everyone is active on the internet. To protect privacy, it is therefore important that parties request permission from website visitors,” Aleid Wolfsen, chairman of the DPA, said last week. “In this way, people can deliberately and appropriately use their right to the protection of personal data. If a website is asked for permission for tracking cookies and if it is not possible to access the website or service if they refuse access to the website or service, people under pressure will receive their personal data and that is unlawful.”
The issue isn't completely black and white; the DPA says that in its eyes some cookies are exempt from GDPR's consent compliance provisions, including functional cookies like
1. Cookies necessary to carry out communication
2. Cookies that are strictly necessary for a service requested by the user (for example a cookie that is necessary to settle at a web shop or to log in to internet banking)
And what it calls non-privacy-sensitive analytical cookies:
3. Cookies used to obtain information about the quality and/or effectiveness of a service provided (for example a website)
GDPR, which went into effect last May, has had quite the impact on data protection. We learned last month that there had been nearly 60,000 data breaches reported to data protection authorities throughout Europe since the regulation went into effect, according to a report released the law firm DLA Piper last month. According to the same report Netherlands had the most breaches per capita with 89.8 breaches per 100,000 people, with Ireland and Denmark hot on its heels.