Take-it-or-leave-it cookie walls don't comply with the General Data Protection Regulation, the Dutch data protection authority has said.
Cookie walls - meaning you can't come in unless you eat them - also known as tracking walls, are some of the most severe strategies used by companies to slurp folks' data and stalk them around the web. Essentially, those websites that employ them throw up a notification page which prevents netizens from accessing any of the website's contents unless they agree to tracking.
The Autoriteit Persoonsgegevens (AP) issued a statement on the topic yesterday, off the back of what it said were multiple complaints from people who had been unable to access websites they wanted to after they refused cookies.
The AP said it would intensify its monitoring of proper compliance, and that it had sent the organisations subject to the most complaints a letter to warn them about their activities, although it didn't name the worst offenders.
Under the GDPR, the AP said, organisations need a basis for processing personal data – and if they want to use tracking cookies or other software they need to request permission from the users.
It noted that it wasn't objecting to software required for the proper functioning of the website or general analysis of visitors to the site – but that more thorough monitoring of visitors needed permission.
This permission must be, as set out in the the GDPR, completely freely given. By contrast, cookie walls – where you can't get access without giving it – permission is not freely given because there isn't a genuine choice.
Aleid Wolfsen, chair of the AP, said that, since virtually everyone is active on the internet, tracking and recording of web browsing is one of the biggest personal data slurps going.
He added that if someone is unable to access a site without agreeing to tracking, they are thus put under pressure to share their data – and that this is unlawful.
Concerns about tracking walls and what is often called forced consent are not new. In November 2018, The Washington Post got a slapped wrist from the UK's Information Commissioner's Office after a complaint that the only way to switch off tracking, cookies and ads was to pay $9 a month.
The ICO's case manager said this doesn't offer users a "genuine choice and control over how their data is used", meaning that "consent cannot be freely given and is invalid".
And in March 2018, a couple of months before the GDPR came into force, a study from a group of Dutch academics found that about 60 per cent of people surveyed felt it was "not acceptable" to use tracking walls, with slightly more thinking it was "not fair".
The GDPR did bring with it more cookie banners – some 62.1 per cent of 6,759 websites assessed by academics in a study published on arXiv last summer had cookie consent notices in June, which was up from 16 per cent in January.
But as the AP's ruling shows, many sites are still employing a take-it-or-leave-it approach to cookies and tracking. The next stage will be to see whether European data protection agencies take enforcement action. ®