Netherlands

[NL] Cookie walls: Dutch Privacy Authority declares that websites must remain accessible if tracking cookies are refused

IRIS 2019-5:1/21

Mandy Erkelens

Institute for Information Law (IViR), University of Amsterdam

In a press release of 7 March 2019, the Dutch Data Protection Authority (DPA) declared that websites must remain accessible for Internet users who refuse to give consent to the placement of tracking cookies. Websites that only grant access to their site after visitors have given consent do not comply with the free consent standard set by the General Data Protection Regulation (GDPR).

In the Netherlands, cookie placement is regulated under the Dutch Telecommunications Act (Telecommunicatiewet). Under article 11.7a of this Act, consent is required to store or to receive access to information on the devices of end-users that is deemed to have a significant impact on the privacy of the end-user. This provision also covers the placement of tracking cookies. Such cookies track the online behaviour of users and enable websites to create digital profiles that can be used for targeted advertisement. Since the analysis of the online behaviour of Internet users equals the analysis of personal data, consent is always required for the placement of tracking cookies (see IRIS 2015-5/29).

Under the GDPR, consent constitutes one of the six legal grounds for the lawful processing of personal data. However, one of the conditions for this legal ground to be valid is that consent needs to be freely given. Consent is not freely given if the data subject does not have a real or free choice or if the data subject cannot refuse consent without adverse consequences. In the press release, the DPA announced how this condition should be explained with regard to cookie walls. A cookie wall is a pop-up that is displayed to inform Internet users about the use of tracking cookies on a website and to ask consent for placement of these cookies. This pop-up does not have a decline option. The Internet user can only accept the placement of tracking cookies and proceed in order to view the content of the website. According to the DPA, Internet users who encounter a cookie wall do not have a real or free choice regarding whether or not to give consent. Although Internet users can refuse to accept the placement of tracking cookies, they cannot make this decision without adverse effects. If they refuse, they will not gain access to the website. Consequently, the DPA states that under these circumstances Internet users are being put under pressure to share their personal data. The DPA therefore concludes that the condition of free consent cannot be fulfilled when a website is using a cookie wall.

In view of this analysis, cookie walls are not allowed under the GDPR. The DPA stated in its press release that it requires websites to adjust their practice by keeping content and services accessible when tracking cookies are refused. The press release concluded with the announcement that in - response to the complaints received by the DPA - several organisations have been directly informed of the reasoning for this legal standard. The DPA furthermore announced that it would intensify its auditing in the upcoming period in order to check whether the standard has been correctly interpreted.