On 7 March 2019, the Dutch Data Protection Authority (DPA) issued guidance on the use of cookie walls on websites, focusing in particular on cookie walls which make access to websites conditional on consent to the use of tracking cookies. This guidance builds on pre-GDPR guidance on the use of cookie walls by the (publicly funded) Dutch Broadcasting Organisation, NPO, and has been received with some scepticism by Adtech industry stakeholders in the Netherlands.
The Netherlands has consistently taken a strict approach to the so-called 'EU cookie law', which implements the ePrivacy Directive. In general, for example, the 'soft' opt-in ("by continuing to use this website, you consent to…") is not allowed. This new guidance on the use of cookie walls is very much in the same tradition.
2013 Dutch DPA guidance on cookie consent
In 2013, the Dutch DPA issued its first set of guidance on the use of mandatory cookie consent to access a particular website. This guidance dealt specifically with the use of a cookie wall on the websites of NPO, but was generally understood to apply to all similar cookie walls. On their websites, NPO offered visitors no other choice but to consent to the use of all types of cookies, including advertising and tracking cookies.
If the user refused consent, access to the website was denied. According to the DPA, any consent given under these conditions was invalid because it was not freely given and because the information on the (publicly funded) websites was not available elsewhere. NPO therefore had a monopoly position which meant that visitors effectively had to 'pay' for publicly funded information with their personal data.
Since the 2013 guidance, NPO and other publicly funded organisations have changed their approach to the use of cookies and no longer require consent to access their websites. Other commercial websites have, however, continued their use of cookie walls. This practice looks set to change with the 2019 DPA guidance.
2019 Dutch DPA guidance
The 2019 guidance essentially builds on the earlier NPO guidance, prohibiting the use of cookie walls by any website (regardless of its funding source) on the grounds that they cannot gather GDPR consent. Under the GDPR definition of consent (which now also applies to the ePrivacy Directive and implementing Member State legislation), consent must be freely given, specific, informed and active.
According to the DPA, consent given through cookie walls cannot be considered to be freely given as Article 7(4) GDPR requires that when assessing whether or not consent is freely given, utmost account should be taken of whether the provision of a service is conditional on consent to the processing of personal data that is not necessary for the performance of that service. Consent is presumed not to be freely given in such cases.
The Dutch DPA stresses that consent is not required for functional cookies or non-invasive analytical cookies. Tracking cookies do, however, require consent and are rarely necessary for the performance of a specific service. Requiring consent – even only for tracking cookies – as a condition for entering a website, means the website visitor does not have genuine choice and control over how their data is used. In the Dutch DPA's view, when a website requests consent to tracking cookies, and denies access to the website/app or to a service if consent is refused, this breaches the GDPR. Access to a website should always be possible without consent to the use of tracking cookies.
What is the way forward?
Since 7 March 2019, the Dutch DPA has been actively urging websites to change their approach in response to complaints from data subjects and is expected to take further enforcement action (although it will issue warnings before potentially moving to issuing fines if the warnings are ignored).
The 2019 guidelines are regarded by many in the Netherlands as an overly strict interpretation of the GDPR. Some are seeking to argue that mandatory consent to cookie walls only breaches the GDPR where the information or service behind the cookie wall is not available elsewhere without a consent requirement. They argue that where a visitor to a website or app insists on accessing it regardless of availability elsewhere without a cookie wall, consent through a cookie wall should be regarded as freely given. Whether or not the Dutch DPA will agree remains to be seen but appears doubtful.