If you spend time on the internet, you’ve probably come across a cookie wall or a paywall. In this post, we’ll explore whether, under the GDPR, using either method is legally allowed or not. Before we dive into the legal requirements, though, let’s go over what these methods actually are.
A cookie wall is a pop-up that blocks your navigation on a website, asking you to accept cookies. The main difference between a cookie banner and a cookie wall is that a cookie wall won’t allow you to navigate the site if you refuse to accept cookies, even the ones that aren’t strictly necessary.
👉 The cookie wall is a mechanism where the user has only one option to access the website: accept the processing of the cookies. The cookie wall is generally prohibited.
Since this can affect publishers’ ability to earn, some within the industry have tried to make use of the current “grey area” to shift the landscape to one that is more profitable. One example of this is the so-called “paywall”.
👉 The paywall is a method where the user is given another option to access the content, for example, to pay or subscribe instead of giving consent for the use of cookies.
While legislations may vary slightly between EU countries, in general, cookie walls are most likely not allowed as they can be considered contrary to the GDPR’s requirement for “freely given” consent.
The Data Protection Authorities of different EU countries have issued their opinion on paywalls as well.
As we mentioned in the previous paragraph, the Italian DPA stated that cookie walls are unlawful except when the website provides the option of accessing equivalent content or services without giving consent to cookies.
As regards paywalls, the Garante published a press release to inform that it’s analyzing this solution as implemented by some Italian publishers.
The French CNIL indicated that the paywall system is a valid solution as long as the subscription to the site has a modest and fair cost so that it does not constrain the user’s free choice. The fairness of the cost should be evaluated on a case-by-case basis.
The DSB issued a decision about the “pay or okay” system adopted by an Austrian media outlet. The system gives users a choice between paying for a subscription or allowing all their data to be processed. DSB said that this choice doesn’t give users real freedom to consent. They also said they are worried about the idea of “blanket consent” where people who can’t afford to pay are forced to give their consent anyway. However, the DSB did not make a decision about whether the “pay or okay” system or the subscription fee of 8 euros per month (96 euros per year) is fair or not.
The key takeaway from the DSB’s decision is that if a “pay or okay” system is used, users should have the option to give granular consent instead of just a general one. It’s important to note that the DSB reached this decision specifically because users were only given a choice between paying or allowing all their data to be processed without the option for more granular consent.
The Spanish DPA indirectly shared its position, implying that cookie walls can be used as long as the user has been clearly informed of the two available options for accessing the service:
In response to the formal request of the DPAs of Norway, the Netherlands, and Hamburg, the European Data Protection Board (EDPB) issued an Opinion that offers new guidance. The EDPB emphasizes the need for large online platforms to offer consumers alternatives that preserve their privacy. Specifically, it advises that when devising alternatives to current models, platforms should provide a truly equivalent option that does not require consumers to pay a fee.
When a fee-based alternative is provided, platforms should also consider offering a complimentary option, such as using contextual advertising or allowing users to select their preferred advertising types, rather than relying on intrusive behavioral advertising. This approach, where advertising relies minimally or not at all on personal data, aligns closely with GDPR standards for obtaining valid consent and underscores the importance of offering genuine choices to users.
In simpler terms, this could imply providing users with three options rather than the limited binary choice:
The Opinion mainly focuses on large online platforms but also seems to set a general standard that could apply to various digital services.
Further guidelines are expected to be developed. This development could significantly influence how consent-based practices are enforced throughout the EEA, promoting a uniform approach to privacy and consent.
A cookie wall is a pop-up that blocks the navigation on a website, asking you to accept all cookies. A cookie wall doesn’t allow you to navigate a site if you refuse to accept cookies.
The one below is an example of a cookie wall, even though it’s just a partial one. In fact, this one doesn’t block the navigation of the whole website, but just a piece of content that needs cookies to load. However, the functioning is the same: you can’t access the website or content if you don’t accept cookies.
It depends. For some European Data Protection Authorities, it is considered a valid alternative when the cost is fair; instead other DPAs don’t consider the paywall as a valid alternative to cookies.
According to the European Data Protection Board, when a fee-based alternative is provided, platforms should also consider offering a third option, such as contextual advertising or allowing users to select their preferred advertising types.
While legislations may vary slightly between EU countries, in general, cookie walls are most likely not allowed as they can be considered contrary to the GDPR’s requirement for “freely given” consent.
A cookie banner is a pop-up that asks users for consent to cookies. A cookie banner allows you to accept all cookies, reject them, or accept only the strictly necessary ones.
A cookie wall works in the same way, but it blocks the navigation of the website if you don’t accept all cookies, even those that aren’t strictly necessary.
Our Privacy Controls and Cookie Solution has specific consent recovery features that give publishers the freedom to place the accept button in a subscription pop-up or other elements in cases you might choose to use methods like paywalls.