On 7 March 2019, the Dutch Supervisory Authority (“S.A.”) created quite some buzz in the online Dutch (advertising) industry: websites that only give visitors access to their site if they agree to tracking cookies (or similar technologies) do not comply with the GDPR. This also means that the so-called cookie walls that are placed on websites, preventing visitors access to websites if they do not consent to tracking cookies, are not allowed in the view of the Dutch S.A.

The Dutch S.A. motivates this as follows:

  • There is no ‘freely given’ consent in the case of a cookie wall. The GDPR states that consent is deemed not to be given freely if the person concerned has no real or free choice, or cannot refuse or withdraw his consent without adverse consequences.
  • The principle of a cookie wall comes down to ‘take it or leave it’ and is therefore not a ‘real’ or ‘free’ choice. Although consent to place cookies can be refused at cookie walls, this is not possible without detrimental consequences, because the refusal means that the website can not be visited at all.
  • Therefore, the Dutch S.A. concludes that if a website is asking the visitor for consent through a cookie wall to place tracking cookies and the user is denied access to the website after refusing its consent, the Dutch S.A. considers such practice unlawful.

What is the advice of the Dutch S.A.? First of all, the Dutch S.A. reminds us that no consent is required for placing functional cookies and non-privacy sensitive analytical cookies. In this respect, the Dutch S.A. states: when asking visitors to consent to cookies, website visitors can make a distinction between on the one hand functional cookies and/or non-privacy sensitive analytical cookies, and on the other hand tracking cookies, thus allowing the website visitor to access the website without consenting to tracking cookies. This means that the website visitor who does not want to be ‘tracked’ can still access the website. Simply put, website visitors must be provided the possibility to refuse tracking cookies (e.g. through an information bar or pop-up with a clear choice between ‘yes’ and ‘no’). If a visitor refuses such cookies, then this user must still be able to access the website.

Lastly, the Dutch S.A. states that it has already intensified its monitoring activities and sent a number of specific parties a (warning) letter. Therefore, Dutch website providers are strongly recommended to review and, where necessary, appropriate their cookie mechanisms in line with the recommendations of the Dutch S.A.