The Dutch Data Protection Authority (the "Dutch DPA") has issued guidance stating that so-called "cookie walls" are not compliant with the General Data Protection Regulation (the "GDPR"). The guidance is not legally binding, but is indicative of the enforcement position that the Dutch DPA is likely to adopt.

In guidance issued on 7 March 2019 (in Dutch) (the "Guidance"), the Dutch DPA explained that the use of "cookie walls" to restrict users' access to a website until they have accepted "cookies" (or other technological methods of tracking a user's behaviour when accessing the website) will not be deemed compliant with the requirements of the E-Privacy Directive (which regulates, among other things, the use of cookies) and the GDPR (which regulates the processing of personal data).

Cookies and Cookie Walls

A "cookie" is a small text file that may be installed on a website user's device when that user accesses a website. Some types of cookies are required in order for a website to function properly (e.g., to keep track of a user's shopping basket on a retailer's website) while others will collect information about the website user, such as their IP address, user preferences, name, email address and movements across websites, but are not strictly required for a website's operation (e.g., most cookies used for advertising or analytics purposes).

Under Article 5 of the E-Privacy Directive (implemented in the UK via the Privacy and Electronic Communications (EC Directive) Regulations 2003), cookies (or any other form of information stored on the devices, or "terminal equipment", of users) may only be used if: (i) the website operator has provided clear and comprehensive information about the purpose for which the cookies are used; and (ii) the affected user has consented to such cookies being used. The E-Privacy Directive defines consent by reference to Directive 95/46/EC (which was the previous EU data protection regime before the GDPR). Article 94(2) of the GDPR states that all references to Directive 95/46/EC are now read as references to the GDPR, so the definition of consent for these purposes is effectively the definition provided in the GDPR.

The GDPR states that consent must be freely given, specific, informed and unambiguous. It must also involve some form of positive action by the user (e.g., clicking a button or ticking a box) to indicate consent. Silence, inactivity, and failure to opt-out, are not valid forms of consent for these purposes.

One method of obtaining valid consent is to implement a banner that appears when a website user accesses a website, informing the user that the website uses cookies (typically with a link to the website's cookie policy) and asks for the user's consent to the use of those cookies. While users may not click on the banner, it has been largely accepted (including by the UK Information Commissioners Office ("UK ICO")) that a website owner can infer consent to the use of cookies if the banner is unambiguous and highly visible to the user, and the user, having seen the banner, continues to use the website. This is different from the method of obtaining consent to which the Dutch DPA referred in its Guidance, which involves directing users to a splash page (or so-called "cookie wall") that prevents users from accessing a website unless, and until, they have first provided their consent to the use of cookies, and may include a button allowing the user to decline to give their consent which directs them away from the website.

Guidance Issued by the Dutch DPA

As noted above, the definition of consent in the GDPR requires (among other things) that consent must be "freely given". This means that there must be no element of compulsion on the user in persuading him or her to give his or her consent. In addition, Article 7(4) of the GDPR states:

"When assessing whether consent is freely given, utmost account shall be taken of whether… the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that [service]".

The Dutch DPA, in its Guidance, has formed the view that if a website user provides their consent to the use of cookies via a "cookie wall" then such consent has not been validly obtained under the GDPR because that consent was not "freely given". This is because, if the user chooses not to provide consent, then the user suffers a detriment, as he or she cannot make use of the website (i.e., the provision of the website to the user is conditional upon the user's consent). The Guidance goes on to state that in light of the conclusion reached: (i) organisations should adapt their methods of obtaining consent to cookies; and (ii) the Dutch DPA will begin to monitor website operators more closely to see if their methods of obtaining consent are in line with the requirements of the GDPR and the Guidance.

Impact on Businesses

While businesses should be aware of the Dutch DPA's Guidance, it is worth noting that there is some inconsistency in the positions taken by EU DPAs on this issue. In particular, the Austrian DPA issued a decision (in German) on 30 November 2018 finding that consent had been freely given via a "cookie wall" in the case of an Austrian newspaper that had given users the option to either: (i) accept cookies and receive full access to the website; (ii) refuse cookies and receive a limited access to the website; or (iii) pay a fee for a monthly subscription without accepting cookies. Conversely, the Belgian DPA issued its own guidance (in French) in 2015, stating that blocking a user's access to a website, on the basis that the user had not consented to cookies, was not a compliant solution.

It is unclear whether other DPAs in the EU will now reconsider their approach to cookie walls and issue revised guidance on this topic. For example, the UK ICO's most recent guidance on the use of cookies was released in May 2012 and does not explicitly deal with "cookie walls", as separate from cookie banners and other methods of obtaining consent to cookies.

Businesses should therefore watch for any further developments in this area, particularly those businesses based in the Netherlands, which the Dutch DPA will be monitoring more closely. In addition, businesses that currently use cookie walls to obtain consent may want to consider pre-emptively updating their method of obtaining consent (e.g., by switching to a cookie banner), if this can be achieved without disproportionate effort.