Dutch Watchdog: Website Cookie Walls Violate GDPR


The Dutch data protection agency (DPA) said that when a website forces a user to agree to a cookie policy in exchange for access, a so-called cookie “wall,” that request does not comply with European data protection law.

The DPA said it had received numerous complaints, according to a report in TechCrunch, from internet users who could not access websites after declining the request to allow tracking cookies.

In response, the agency published clear guidelines about the issue. Without naming names, the DPA said it contacted the companies with the most violations and asked them to make the changes necessary to comply with the General Data Protection Regulation (GDPR).

The GDPR, which was enacted in May of 2018, requires consent for collecting personal data, and stipulates that the request be specific, informed and freely given.

Many websites obtain consent by asking users to allow cookies, which are often used to show targeted ads based on search history.

The DPA said users need to be asked before tracking cookies are placed on a device, and that permission to do so needs to be explicit and freely given, as a choice.

That means access in exchange for data does not constitute freely given permission. The DPA says, “Permission is not ‘free’ if someone has no real or free choice. Or if the person cannot refuse giving permission without adverse consequences.”

The original statement is in Dutch, but TechCrunch translated it using Google Translate.

“This is not for nothing; website visitors must be able to trust that their personal data are properly protected,” the DPA said. “There is no objection to software for the proper functioning of the website and the general analysis of the visit on that site. More thorough monitoring and analysis of the behavior of website visitors and the sharing of this information with other parties is only allowed with permission. That permission must be completely free.”