The Cookie Wall Must Go Up. Or Not?

One of the next big items
in Europe will be the expansion of “ePrivacy” (which, among
other things, regulates the use of cookies on websites). While the
ePrivacy reform is still being worked on by EU lawmakers, one of
the items the ePrivacy Regulation is expected to update is the use
of “cookie walls.” Recently, the Austrian and UK data
protection authorities (DPAs) issued enforcement actions
involving the use of cookie walls, albeit with different findings
and conclusions.

Cookie Walls

A cookie wall blocks individuals from accessing a website unless
they first accept the use of cookies and similar technologies. The
practice of using cookie walls is not prohibited under the current
ePrivacy Directive.

However, the European Data Protection Board (EDPB), the
successor to the Article 29 Working Party, has issued a non-binding
opinion that the use of cookie walls should be prohibited under new
EU ePrivacy rules. The EDPB argues that cookie walls run contrary to
the General Data Protection Regulation (GDPR): “In order for consent to
be freely given as required by the GDPR, access to services and
functionalities must not be made conditional on the consent of a
user to the processing of personal data or the processing of
information related to or processed by the terminal equipment of
end-users, meaning that cookie walls should be explicitly
prohibited.”

However, the negotiations around the upcoming ePrivacy
Regulation are still ongoing, so it is unclear whether cookie walls
will be explicitly prohibited in the final version.

The Facts

Two recent cases in Europe related to the online offerings of
newspapers: the Austrian newspaper Der Standard in Austria
and the United States’ Washington Post in the UK.

For each newspaper online, individuals are presented with the
choice of either a free-access option with cookies or a paid-for
access option without cookies. There is no free-access option
without cookies.

The Austrian DPA’s view

The Austrian DPA dismissed a complaint in November 2018 by an
individual who had argued that Der Standard’s cookie wall
rendered the individual’s consent not freely given and thus
invalid under Article 7(4) GDPR.

The Austrian DPA indicated that cookie walls are not
prohibited; Der Standard’s cookie wall provides a degree
of choice that results in freely given consent. First, an
individual is in full control of the situation
– Der Standard only places cookies after the
individual makes the conscious and informed decision to allow the
placement of cookies. Second, the individual can withhold consent
by either entering into a paid subscription or
leaving Der Standard’s website.

In addition, the Austrian DPA noted that the price of a paid-for
access option without cookies should be taken into consideration.
If the price is too high, it means that the paid option becomes a
negative consequence of withholding consent to cookies, which could
invalidate the individual’s consent; here, the Austrian DPA
considered Der Standard’s prices to be “not
unreasonably high.” In fact, giving consent to cookies results in
a positive outcome for the individual, because they gain unlimited
access to the newspaper’s articles.

The Austrian DPA did not, however, discuss what would happen if
an individual withdrew their consent to a cookie wall. This suggests
that there were no concerns in this particular case about whether
an individual can validly withdraw consent. (In practice, when an
individual withdraws consent, Der Standard’s
website simply presents the cookie wall again.)

The UK DPA’s approach

According to a reported statement,
the UK DPA – the Information Commissioner’s Office (ICO)
– took a markedly different approach to the Austrian DPA. Towards
the end of 2018, the ICO was reported to have issued a warning to
the Washington Post. Given that the Post operates
out of the United States, and therefore not within the ICO’s
direct jurisdiction, the ICO could only issue a statement (rather
than trigger any enforcement action). Nevertheless, even though it
does not have the same standing as an enforcement action, the
ICO’s statement is a good litmus test of how the ICO may react to
UK websites with cookie walls.

The ICO purportedly viewed the consent of the Post’s
readers to be finely linked to their ability to access
the Post’s website, because accepting cookies is
the only way to access the articles (apart from paying a monthly
fee). In light of this setup, the ICO concluded that
the Washington Post was in breach of the GDPR
principles because it did not give individuals “a genuine
choice and control over how their [personal] data are used.”
This, according to the ICO, meant that consent to cookies cannot be
freely given and is therefore invalid under Article 7(4) of the
GDPR.

How Should Organizations React?

In the context of ePrivacy and its ongoing updates, there is no
clear regulatory consensus around the prohibition of cookie walls.
The different approaches taken by the UK and Austrian DPAs do not
signal accord (or even coordination) amongst the DPAs on cookie
walls’ impact on consent. This is surprising, given that this is
exactly the sort of area where harmonization over interpretation of
the GDPR is expected. It would therefore be helpful for the EDPB to
step in and clarify these discrepancies.

In the meantime, organizations should keep a close eye on
ePrivacy developments, particularly to monitor for further
developments on potential prohibitions of cookie walls or other
cookie practices.

The post
The Cookie Wall Must Go Up. Or Not?
appeared first on Socially Aware Blog.
