On 1 October 2019, the Court of Justice of the European Union (CJEU) handed down a critical decision regarding how to obtain consent online. The CJEU ruled that pre-checked consent boxes for storing cookies are not legally valid, thereby reinforcing the requirements contained in the General Data Protection Regulation (GDPR).
The CJEU considers that pre-checked consent boxes (or cookie banners that tell you a cookie has already been placed and invite you to click ‘ok’) are not sufficient to comply with the GDPR. Following this ruling, companies risk large fines under EU privacy laws if they do not obtain valid consent for online tracking.
The CJEU also confirmed that consent requirements apply to the processing and storage of all information, and not just an individual’s personal data. Users must be provided with information that includes the cookie duration (how long the information gathering will last) and whether or not third parties have access to them. In this way users are able to give consent in an informed way, understanding the functioning of the cookies and the consequences related to providing consent.
Unfortunately, the CJEU judgment does not address the requirement under the GDPR that consent must be ‘freely given’, meaning that the court did not give its opinion on so-called ‘cookie walls’. A cookie wall is a pop-up on a website that blocks a user from accessing the website unless they consent to the placing of tracking cookies or similar technologies.
The approach of other Member States
Some Member States did, however, address the issue earlier this year. According to the Dutch Data Protection Authority (DPA) the use of a cookie wall results in a ‘take it or leave it’ approach (March 2019). The Dutch DPA states that this practice is not compliant with the GDPR - there is no real or free choice because there are no alternatives available and there is no option to pay instead. The user cannot refuse to give permission without negative consequences, as the user would be denied access to the website. Users should have a real choice to accept or reject cookies, and if they reject, access should still be granted.
The Dutch DPA suggests a ‘Cookie-or-Pay Wall’ as an alternative. In this case consent is not the only option for accessing the website, because payment can be used instead. The Austrian DPA shares this opinion (November 2018), and permitted an Austrian newspaper to continue using a Cookie-or-Pay Wall, due to the existence of alternatives and the fairness of the subscription price.
On the other hand, the UK Information Commissioner’s Office (ICO) expressed the view that a Cookie-or-Pay Wall does not comply with the GDPR (November 2018). They explain that the choice to give consent for cookies is not a free choice if the only alternative is payment. While their statement is not legally binding, it does provide a good litmus test of how the ICO may react to UK websites with cookie walls.
A suggested way forward
Assuming that cookie walls are not GDPR compliant, we are left with the following options for websites/apps:
- Offer a service with no ads and thus no need for consent (this is not really an option for a business);
- Offer a paid alternative, as per the Cookie-or-Pay Wall (assuming this is considered a compliant approach);
- Only offer “paid access”, i.e. “Paywall”, without a free/ad-based option (some newspapers have opted for this approach, but it usually only works for the very top tier of services and high-end publications).
Assuming that both cookie walls and Cookie-or-Pay Walls are not compliant with the GDPR, not many options are left. However, this does open up the possibility of two alternative options using Non-Personalized Ads (NPA):
- The NPA Cookie Wall (i.e. consent for personalized ads or forced consent for non-personalized ads);
- The NPA Cookie-or-Pay Wall (i.e. consent for personalized ads or consent for non-personalized ads, or pay).
The NPA Cookie-or-Pay Wall provides a low-privacy-risk option for users and an ad-based revenue model (albeit not optimal) where consent for ad tracking is not needed.