A cookie wall is a pop-up that prevents users from accessing a website or service unless they consent to tracking, normally for marketing or analytics purposes. Sometimes, a cookie wall offers an alternative to tracking: payment.
On 20 Feb 2023, the Danish data protection authority (DPA) decided that two companies were allowed to use cookie walls.
In this blog we consider what the law says about cookie walls, and look at the Danish DPA’s guidance for using cookie walls legally.
Are cookie walls legal under the GDPR?
Cookie walls are a controversial topic under the EU General Data Protection Regulation (GDPR). Some DPAs have said cookie walls are prohibited under the GDPR, including the Belgian DPA and, arguably, the European Data Protection Board (EDPB) itself.
Why might cookie walls be a problem under EU law?
Under the EU’s ePrivacy Directive, you need consent for non-essential cookies. “Consent” is defined by the GDPR, which states that consent must be:
- Freely given
- Given via a clear, affirmative action
- Easy to withdraw
A recital (a non-legally binding part of the law) also says that a person must not experience any detriment if they withdraw consent.
Some interpret this as prohibiting cookie walls. If a user only consents to tracking to avoid a fee, are they really providing “freely given” consent? If withdrawing consent means that the user has to pay, isn’t this a “detriment”?
However, the Danish DPA suggests that these cookie walls are allowed under the GDPR as long as they meet certain conditions.
Proceed with caution, however. Not all authorities share the Danish DPA’s view—and the regulator’s interpretation of the GDPR might not stand up in court.
Danish DPA’s cookie walls guidance
What makes a cookie wall GDPR compliant, in the Danish DPA’s opinion? The regulator provides four criteria.
This guidance assumes your cookie wall provides a “tracking version”, for which users consent to cookies, and a “paid version”.
If you’re using a cookie wall, the Danish DPA says that the paid version of your service must not be substantially different from the “tracking” version.
For example, suppose the paid version offers “significantly more content” than the tracking version. In this case, the Danish DPA suggests that consent might not be considered voluntary.
Arguably, the Danish DPA has this example the wrong way around. If users get access to more content when they consent to tracking, this incentive might pressure them into providing involuntary consent.
In any case, the message is clear: Offer two similar services to “tracked” and “paying” users.
When using a cookie wall, the Danish DPA says that the paid version of your services should not be unreasonably expensive.
The user must be offered a real choice between tracking and payment. If your paid version is too expensive, this could mean your users do not have genuine freedom of choice.
The Danish DPA emphasizes that companies have broad discretion to set their own prices. The role of a DPA is not to specify the price of a given service. On this basis, it’s hard to imagine how the DPA could enforce this guidance.
However, the Danish DPA’s advice is that you should not set the price so high as to make the paid version an unrealistic alternative to tracking.
Limited to what is necessary
The Danish DPA emphasizes that the principle of “data minimization” applies when using cookie walls. Don’t collect personal data unless you need it for a specific purpose.
If you are requesting consent for a “tracked version” of your services, be clear about what this means.
For example, you should disclose that you will place cookies on the user’s device, explain why, and provide all the other necessary information under the GDPR’s transparency rules.
When a user consents to tracking in order to bypass a cookie wall, don’t assume that the user is consenting to any other uses of their personal data. Don’t collect more personal data than is necessary for the purposes you have specified.
Limited processing after payment
Once a user has paid, be careful to limit how you process their personal data.
If you’re offering a paid version, you’ll need to process some personal data to facilitate this, for example the user’s name, email address, and payment information.
You might also need to collect personal data to offer paid users certain features, for example to provide a personalized news service based on their interests.
These core services are what users are paying for and do not require their consent. You should not collect more personal data than is necessary to meet these specified and legitimate purposes.
You can still request consent to tracking (for marketing and analytics) from paid users – even if their access to your service is not conditional on this consent. But this is a separate legal basis for processing and should be strictly optional.