Here's a breakdown of the changes, as well as some guidance on what you need to do to fully comply with the new rules and requirements.
- 1. GDPR Basics
- 1.1. Cookies
- 1.2. Consent
- 2. Cookie Walls Rules
- 2.1. How the New Rules Were Made
- 2.2. The New Guidelines
- 3. How Not to Respond
- 3.1. Other Legal Bases
- 3.2. Nudging
- 3.3. Outright Blocking EU Users
- 3.4. Adapting to the New Guidance
- 3.5. Strictly Necessary Cookies
- 3.6. Offering a Choice
- 3.7. Displaying Cookie Consent Options
- 4. Summary
The GDPR limits the ways in which it's legal to process personal data in the European Union. To break that down:
- Processing means any use of personal data, including collecting, using, or disclosing the data
- Personal data means any information that relates to an individual who can be identified (known as the data subject)
- The GDPR applies if the individual is in the EU, the organization processing the data (or controlling the processing) is established in the EU, or the processing itself happens in the EU
Breaching the GDPR can lead to financial penalties. In many cases the maximum fine is the greater of €10 million or 2% of annual worldwide turnover. For the most serious cases, the maximum is the greater of €20 million of 4% of annual worldwide turnover.
In most cases, cookies come under the GDPR classification of "personal data." This isn't restricted to cases where the text of the cookie literally contains personal data such as a date of birth. Instead it also covers cases where the existence of the cookie makes it possible to associate other personal data with an individual.
In the simplest terms, if a cookie is unique to a specific computer, it's highly likely to come under the GDPR. This likelihood is particularly strong if the cookie is persistent, meaning it remains on the user's computer after they close their browser.
The GDPR allows six legal bases under which it's lawful to process personal data. With cookies, this will almost always mean the basis of consent.
For such consent to be valid, it must be:
- Active: The user took a positive step to give consent rather than it being implied, inferred or a default option
- Specific: The consent must clearly relate to a specific type of processing
- Meaningful: The consent must be informed, with the user understanding their options and consequences
- Freely given: The user must make a genuine choice to give consent and not be unduly influenced or forced into doing so
Cookie Walls Rules
Some website operators responded to the GDPR by making it impossible to access any content on the site without first consenting to all cookies the site wanted to issue. This was commonly referred to as a "cookie wall."
This example from deVolkstrant (retrieved in June 2020 and translated via Google Translate) shows a cookie wall. The user has no clear way to access the site without clicking to agree to accept cookies:
In 2020, new guidelines made clear that cookie walls were no longer acceptable under the GDPR.
How the New Rules Were Made
Under the GDPR, each EU country has at least one data protection authority responsible for overseeing enforcement of the regulation. These authorities are all represented on the European Data Protection Board, which is responsible for making sure rules are applied consistently across the EU, giving guidance on the rules, and resolving any inconsistencies or disputes between national authorities.
In 2019, the Netherlands' data protection authority (Autoriteit Persoonsgegevens) reported that it had received "dozens of complaints" about cookie walls. It concluded that cookie walls did not constitute meaningful consent. It updated its guidance for Netherlands data controllers and contacted the companies about whom it had received the most complaints to warn them to change their practices.
In 2020, the European Data Protection Board updated its guidance to confirm and clarify the position on cookie walls.
The New Guidelines
The EDPB's guidance already stressed that if consent to data processing is tied to the provision of a service, then the consent should not be considered freely given, and thus is not valid for the purposes of the GDPR.
The updated guidance stresses that:
"In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)."
The guidance goes on to give the example of a site that makes it impossible to access content without clicking a button marked "Accept cookies." It says that in this example, the user does not have a genuine choice and thus the consent cannot be freely given.
How Not to Respond
Other Legal Bases
At first glance, you might think that a simple way round these rules is to use on the other legal bases for processing data under the GDPR, such as "legitimate interests." However, the way the GDPR works with other EU rules means this is not a workable solution.
As well as the GDPR, cookies are covered by the EU ePrivacy Directive. This preceded the GDPR but both remain in force. (Note that a Regulation has immediate legal force throughout the EU while the measures of a Directive are implemented by each country through domestic laws.)
The ePrivacy Directive requires advance consent to use any cookies other than those which are strictly necessary to provide a requested service.
The way the GDPR and ePrivacy Directive interact means that if a particular cookie requires consent under the ePrivacy Directive, then consent is the only a valid basis under the GDPR. In turn, if the consent isn't valid, the processing has no legal basis and thus breaches the GDPR.
It may be tempting to respond to the cookie wall ban by doing the bare minimum to comply, namely to offer an option to continue on to the site without consenting to tracking cookies, but to downplay this option.
Ways of doing this could include:
- Making the button or text link for refusing consent smaller than the one for giving consent
- Making the button or text link for refusing consent less prominent than the one for giving consent
- Using negative or unfavorable language for the refuse option and positive language for the consent option
- Making the refuse option more burdensome to access, for example by requiring multiple clicks
Bosch arguably nudges the user by offering an obvious option to consent to (non-essential) marketing cookies, but doesn't explicitly highlight that closing the window will let them continue without giving consent:
Using such techniques is at best a risk for data processors. At the moment it's not specifically banned in the European Data Protection Board's guidance.
However, data protection authorities investigating a complaint may conclude that such "nudging" breaches two key principles of the GDPR: that processing be done fairly, and that it be done transparently.
"Nudging" techniques that steer the user towards reducing privacy may be particularly likely to be judged as breaching the GDPR in cases involving children.
Outright Blocking EU Users
Another possible response to the cookie wall ban might be to simply block all EU users from accessing the site.
It might seem that as long as the site operator and the physical processing are both outside the EU, this removes any risk of carrying out processing that comes under the GDPR and risks a breach.
The Orlando Sentinel uses this approach:
The most obvious drawback of this approach is that you are blocking hundreds of millions of potential users from your site. Another drawback is that methods of identifying users as being in the EU such as analyzing an IP address may not be 100% reliable.
It's important to note that this definitely isn't an area where you should try to game the system. If your site indicates you intend to serve customers in the EU, you will come under the GDPR regardless of any workarounds you use.
Indications can include listing shipping times to particular countries, using languages that are solely or mainly used in particular European countries, or listing prices in European currencies.
Some sources have argued that the process of gathering location data, inferring location and associating this data with a user to geoblock constitutes automated profiling, which is heavily restricted by the GDPR. However, this argument has not been established or vindicated by any significant rulings or official guidance.
Adapting to the New Guidance
Strictly Necessary Cookies
The only exception is "strictly necessary" cookies. These include:
- Cookies needed for functions the user inherently requests, such as when they place items in a virtual shopping cart
- Cookies needed for the basic operation of the site, such as ones which allow the site to balance traffic across multiple servers
Note that the definition of "necessary" does not mean it is needed in order to serve the interests of the website operator and its business.
Although no consent is required for strictly necessary cookies, it's good practice to acknowledge their existence and give an overview of what they do.
Edinburgh University does this well:
Offering a Choice
With the new rules in place, the absolute bare minimum to comply with the GDPR is to give users two choices:
- Reject all cookies except those which are "strictly necessary" and then proceed to the site
- Accept all cookies
The other extreme would be to list every cookie the site uses and let the user accept or reject them one-by-one. This can be very unwieldy, however.
The best middle ground is to list cookies by categories and let users give or withhold consent on a category-by-category basis. Examples include:
- Strictly Necessary
- Preferences: Cookies which store information about the user to customize and improve the service they get from the site. (Examples include storing the user's location so that the site can automatically show local movie theater listings on future visits.)
- Statistics: Cookies which track information such as which pages users visit, in which order, and how long they spend browsing.
- Marketing: Cookies which track the user's activity online. This data often goes to advertisers to build up a pattern of the user's behavior and interests.
Other ways of categorizing cookies include:
- Whether they are session cookies or persistent cookies
- Whether they are designed to cover the individual or to be aggregated
- Whether they will be used solely by the site, the data will be passed on to a third party, or the cookie is operated by a third party
Perhaps surprisingly, researchers have found that the more categories of cookies a site covers in consent options, the more likely users are to simply reject everything.
Displaying Cookie Consent Options
When showing a cookie consent options menu, you need to balance giving enough information and avoiding overwhelming the user.
One way round this is to list the options and then either a drop-down or pop-up screen that goes into more detail, or link to a dedicated web page explaining the options.
AstraZeneca uses a "double drop-down." Users can first expand a category to find out more details about a type of cookie and how many the site uses. They can then expand individual cookie listings to get precise technical details:
Remember that each element of consent must be an active choice by users.
A 2019 court ruling on the ePrivacy Directive (which works alongside the GDPR and establishes a precedent) says any consent checkboxes must be unchecked by default. This avoids the risk of the user simply clicking an "Agree" button by mistake and unintentionally giving consent for a particular cookie use. Similarly, slider toggles should be switched off by default.
The Telegraph leaves each category's slider toggle set to withholding consent by default. Note there is no toggle for Essential Cookies as it is legitimate to offer no choice about accepting these:
Let's recap what you need to know about cookie walls.
- The GDPR applies if a website operator or a site user are in the EU, or if data is processed in the EU.
- Under the GDPR, processing personal data, including most cookies, is restricted to specific circumstances known as legal bases. The most common and relevant is that the user has freely given meaningful consent.
- Some sites made it mandatory to consent to all cookie use before accessing a website, a set-up dubbed a "cookie wall."
- A national data protection authority ruled that cookie walls weren't acceptable under the GDPR. This ruling has been adopted across the EU in official guidelines.
- The logic of the ruling was that not allowing users to access a site without giving consent meant they didn't have a genuine choice and thus the consent was not freely given.
Several possible solutions to the cookie wall ban have significant drawbacks:
- Relying on legal bases other than consent doesn't usually work. Most cookies are covered by another European law, the ePrivacy Directive. If this directive requires consent (which is the case for all but strictly necessary cookies), then consent is the only acceptable basis for processing under GDPR.
- Offering an option to accept or reject cookies but "nudging" the user to accept, for example by making that option more prominent, is likely to breach key GDPR principles.
- Banning EU users from accessing the site altogether can be unwieldy, unreliable and bad for business.
- The best option is to give a genuine choice about cookies, respecting this choice and allowing users to access the site even if they reject non-essential cookies.
- Giving an all-or-nothing choice or, at the other extreme, requiring a decision about every cookie individually, are sub-optimal solutions.
- The best approach is to allow consent choices on a category-by-category basis. This could be based on technical measures such as persistent or session cookie, or first or third party. However, the most useful for users is categories based on purpose and function such as "preferences," "statistics" and "marketing."
- If you use checkboxes or toggles for users to indicate consent, they must be switched off or left unticked by default, requiring the user to actively tick or switch them on.