The GDPR is a European regulation that has revolutionized the way companies handle personal data. A crucial aspect of the GDPR is informed consent, which requires companies to obtain explicit user authorization before collecting and using their data. In this context, tools like cookie banners have become essential to ensure compliance.
What are cookie banners?
Cookie banners are notifications that appear on a website the first time a user accesses it, informing them about the use of cookies and requesting their consent. These banners are usually positioned at the top or bottom of the page and provide an option to accept or reject cookies. Cookie banners are designed to be discreet and non-intrusive, allowing the user to continue browsing the site even if they do not provide consent.
What are cookie walls?
The cookie wall is a version of the cookie banner, but with a significant difference. While the cookie banner allows users to give granular consent, meaning they can choose which types of cookies to accept and which to reject, the cookie wall does not offer any choice.
It’s a "take it or leave it" approach. By not allowing any selection, the cookie wall becomes more like a "wall" than an interactive tool. With this method, the user cannot access the site’s content without clicking “OK” or “Accept all cookies.”
And what about cookie paywalls?
Cookie paywalls, on the other hand, are an even more restrictive type of cookie banner.
A paywall prevents access to certain online content, allowing it to be viewed only after accepting cookies, making a payment, or subscribing to a service.
This system is widely used by newspapers and magazines to monetize their digital content.
What happens if you click "Reject and subscribe"?
When faced with a cookie paywall, the user is not completely free to choose whether to accept or reject the cookies. To continue browsing the site, the only option is to accept the cookies. If the user wishes to reject the cookies, they must subscribe to a service offered by the site.
In this scenario, the user is indirectly pushed to accept the cookies or purchase a subscription, which compromises their autonomy of choice and calls into question the validity of the consent obtained for the use of cookies.
What does the GDPR stipulate?
The GDPR requires that user consent must be free, informed, specific (for each purpose of data use), and unambiguous.
To be GDPR compliant, the cookie banner must adhere to these four fundamental principles. In practice, this means that:
- It offers users the option to accept or reject cookies and possibly select which types of cookies to accept (granular consent).
- Cookies are disabled by default, except for technical cookies. According to the principle of privacy by design and by default, cookies must be disabled by default until the user decides to accept their use.
- The user has the option to change their settings at any time.
- The banner is visible and easily accessible without obstructing the site’s navigation.
- It contains a link to the cookie policy that explains in detail the use of cookies.
Thus, according to privacy regulations, the cookie banner must always allow the user to accept or reject cookies without influencing them toward a particular choice.
So, are cookie walls and cookie paywalls legal?
“Large online platforms will not be able to meet the requirements for valid consent if they present users with a binary choice between consent to the processing of personal data [...] and the payment of a fee [...]. Large online platforms should bear in mind the need to avoid turning the fundamental right to data protection into a feature that data subjects have to pay to enjoy.”
Source: EDPB Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms
According to the guidelines of the European Data Protection Board (EDPB) and the GDPR, cookie walls and paywalls are not considered legal. Cookie walls prevent access to a website unless the user accepts all cookies, including tracking cookies, which makes the consent invalid as it is neither free nor informed.
On the other hand, cookie paywalls force the user to choose between consenting to the use of their data for targeted advertising (tracking cookies) or paying a fee to continue browsing the site. According to the EDPB, access to information and online services should not depend on a person's willingness to pay for their privacy.
In summary, the following are considered illegal:
- The obligation to accept cookies in order to view a website’s content (cookie wall).
- The obligation to choose between accepting cookies or paying a fee to access a site’s content (cookie paywall).
In this context, the Digital Services Act and the Digital Markets Act emerge as legislative pillars, working together with the EDPB guidelines to create a coherent regulatory framework aimed at protecting consumers in the digital age.
What are the consequences for sites using cookie walls and paywalls?
As we mentioned earlier, using cookie walls on your website is considered illegal and non-compliant with privacy regulations. Therefore, websites that use this type of cookie banner may face a range of consequences, including:
- Financial penalties: The GDPR provides for fines of up to 20 million euros or up to 4% of the company's global annual turnover, whichever is higher.
- Reputational damage: The use of non-compliant practices can harm the company’s reputation, leading to a loss of trust among users and customers.
- Obligation to comply: Data protection authorities may order the site to modify its practices to align with regulations, which can involve additional costs and resources to implement the necessary changes.
- Legal actions: Users may take legal action against the site for privacy violations, resulting in further legal costs and compensation.
How to configure a website to comply with privacy regulations?
To configure a website to comply with privacy regulations, it is important to:
- Modify cookie settings: Remove any mechanism that forces users to accept cookies to access content. Ensure that users can browse the site even if they reject non-essential cookies.
- Implement a compliant cookie banner: Create a cookie banner that clearly informs users about the types of cookies used, their purposes, and offers the option to accept or reject cookies in detail.
- Update the privacy policy: Ensure that your privacy policy is up to date and includes detailed information on the use of cookies, user rights, and how to manage cookie preferences.
By using Avacy, you can implement a GDPR-compliant cookie banner in a few steps. In a simple and guided manner, Avacy allows you to create a cookie banner that complies with regulations and all the necessary legal documentation.
Conclusions
In conclusion, cookie walls and cookie paywalls are controversial tools in the landscape of personal data management and informed consent. Despite their prevalence, especially among large online platforms, European privacy regulations like the GDPR and EDPB guidelines consider them non-compliant. These tools violate the fundamental principles of free, specific, and informed consent, forcing users to choose between giving up their privacy and accessing digital content.
To avoid penalties and legal actions, it is essential that companies configure their websites to comply with privacy regulations, offering users the ability to accept or reject cookies without compromising access to content.
Tools like Avacy can facilitate this process by offering simple and guided solutions to create compliant cookie banners and adequate legal documentation.