no consent via cookie walls

In the new guideline on consent under GDPR the European Data Protection Board (EDPB) has stated that so called „cookie walls“ invalidate consent. Users can‘t freely give consent in case the content or functionality is hidden behind e.g. an overlay which only allows users to accept the use of cookies to get to the content.

EDPB sates:

Paragraph 39: „In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls).“

Paragraph 40: „… A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given. „

Paragraph 41: „This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice.“

According to EDPB this also applies to situations in scope of the e-Privacy Directive (see footnote 25 on page 11 of EDPB guideline on consent).

Consequences:
– check your websites for such cookie walls as far as they are subject to GDPR, see Art. 3 section 2 GDPR
– in case you have applied cookie walls and your website is in scope of GDPR, change cookie banner or whatever you use to a legal possible version,
– in case your website in not in scope of GDPR check the applicable law in this regard and repeat this regular, as it is to expect that other jurisdictions will develop in the same direction

Risk
If you use cookie walls and users click on e.g. „accept“ or „accept cookies“ you do not have consent and therefore your processing in this regard is not allowed (see Art. 6 sec. 1 GDPR: „Processing shall be lawful only if…“).

Competent authorities therefore can use their powers to change this situation up to „to impose a temporary or definitive limitation including a ban on processing“, see Art. 58 section 2 lit. f GDPR. Which in essence would mean your website is off the internet.

Competent authorities also could impose administrative fines under Art. 83 GDPR. We all have learned in the past two years that authorities do use this power and fines are heftier than before GDPR. As cookie walls are easily detectable by automatic software checking on websites (e.g. crawlers), and authorities for long have learned to use them, it is foreseeable that some data protection authorities in Europe will use these tools to check on websites in their jurisdiction and act.

Any person (not only users or data subjects) potentially has a right to compensation and liability under Art. 82 GDPR.

In the moment it is still debatable if warning letters or cease and desist orders by competitors are possible, the courts – at least here in Germany – do have different opinions on that in the moment. Still it seems that a slight majority of courts say that these legal instruments are possible.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert