The Dutch Data Protection Authority (the "Dutch DPA") has issued guidance stating that so-called "cookie walls" are not compliant with the General Data Protection Regulation (the "GDPR"). The guidance is not legally binding, but is indicative of the enforcement position that the Dutch DPA is likely to adopt.
Cookies and Cookie Walls
A "cookie" is a small text file that may be installed on a website user's device when that user accesses a website. Some types of cookies are required in order for a website to function properly (e.g., to keep track of a user's shopping basket on a retailer's website) while others will collect information about the website user, such as their IP address, user preferences, name, email address and movements across websites, but are not strictly required for a website's operation (e.g., most cookies used for advertising or analytics purposes).
Under Article 5 of the E-Privacy Directive (implemented in the UK via the Privacy and Electronic Communications (EC Directive) Regulations 2003), cookies (or any other form of information stored on the devices, or "terminal equipment", of users) may only be used if: (i) the website operator has provided clear and comprehensive information about the purpose for which the cookies are used; and (ii) the affected user has consented to such cookies being used. The E-Privacy Directive defines consent by reference to Directive 95/46/EC (which was the previous EU data protection regime before the GDPR). Article 94(2) of the GDPR states that all references to Directive 95/46/EC are now read as references to the GDPR, so the definition of consent for these purposes is effectively the definition provided in the GDPR.
The GDPR states that consent must be freely given, specific, informed and unambiguous. It must also involve some form of positive action by the user (e.g., clicking a button or ticking a box) to indicate consent. Silence, inactivity and failure to opt out are not valid forms of consent for these purposes.
Guidance Issued by the Dutch DPA
As noted above, the definition of consent in the GDPR requires (among other things) that consent must be "freely given". This means that the user must not be subject to any element of compulsion when giving consent. In addition, Article 7(4) of the GDPR states:
"When assessing whether consent is freely given, utmost account shall be taken of whether… the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that [service]".
Impact on Businesses
Businesses should therefore watch for any further developments in this area, particularly those businesses based in the Netherlands, which the Dutch DPA will be monitoring more closely. In addition, businesses that currently use cookie walls to obtain consent may want to consider pre-emptively updating their method of obtaining consent (e.g., by switching to a cookie banner), if this can be achieved without disproportionate effort.