Cookie walls used by websites, apps, and services to force visitors to accept tracking cookies before they can gain access do not comply with the EU's General Data Protection Regulation (GDPR), the Dutch Data Protection Authority (DPA) said in a statement published on Thursday.

This is based on the GDPR's requirement that companies obtain permission before tracking people with cookies, tracking software, or other digital methods.

The GDPR also forbids the use of other techniques and tools, such as JavaScript, Flash cookies, HTML5 local storage, and web beacons, to track users while they browse the web without valid consent for ad targeting or similar purposes.

"The digital tracking and recording of Internet surfing behavior via tracking software or other digital methods are one of the largest processing of personal data, because virtually everyone is active on the internet. To protect privacy, it is therefore important that parties request permission from website visitors," says Aleid Wolfsen, chairman of the DPA.

Placing tracking cookies requires valid user consent

The Dutch watchdog's statement also explained in detail the GDPR's rules on tracking cookies:

Many websites therefore require permission in advance for the placement of various 'tracking software' such as tracking cookies, tracking pixels or fingerprinting. There is no objection to software for the proper functioning of the website and the general analysis of the visit on that site. More thorough monitoring and analysis of the behavior of website visitors and the sharing of this information with other parties is only allowed with permission. That permission must be completely free.

A DPA spokesperson also told TechCrunch, regarding cookie walls and their GDPR compliance, that "Cookie walls are non-compliant with the principles of consent of the GDPR. Which means that any party with a cookie wall on their website has to be compliant ASAP, whether or not we will check that in a couple of months, which we certainly will do."

While the DPA acknowledges in its cookie wall analysis that some cookies, namely functional cookies and non-privacy-sensitive analytical cookies, are exempt from the GDPR's consent requirement, tracking cookies, which by definition are not necessary for the proper functioning of a website, app, or service, may only be used with the user's permission.

Cookie wall example (Image credits: Albert Skibinski)

Why cookie walls are not GDPR compliant

The GDPR defines permission as "a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data" and says that "the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."

Since cookie walls force users to consent to tracking cookies in order to access the content, the GDPR's requirement that permission be freely given is clearly not met.

As the DPA argues in the statement:

With so-called 'cookie walls' on websites (no permission means no access) the permission is not given freely, because website visitors do not get access to the website without giving permission. On the basis of the GDPR, permission is not 'free' if someone has no real or free choice. Or if the person cannot refuse giving permission without adverse consequences.
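The distinction the DPA draws (functional and non-privacy-sensitive analytics cookies need no consent, tracking cookies do, and withholding consent must not cost the visitor access) can be expressed as a server-side policy. The following is an added example, not code from the article or the DPA; the cookie names, the consent cookie format and the request/response shape are assumptions.

```javascript
// Added example (not from the article): a minimal server-side policy that
// contrasts a cookie wall with consent-gated tracking. Cookie names, the
// "consent" cookie format and the handler shapes are assumptions.

// Cookie categories as the DPA describes them: functional and
// non-privacy-sensitive analytics need no consent, tracking does.
const COOKIE_POLICY = {
  session_id: "functional",
  site_stats: "analytics",
  ad_id: "tracking", // third-party ad-targeting identifier
};

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Consent counts only as an explicit opt-in; absence or any other value is "no".
// Assumed consent cookie: consent=tracking:yes
function hasTrackingConsent(cookies) {
  return cookies.consent === "tracking:yes";
}

// Cookie wall: no consent means no content. This is the pattern the DPA calls
// non-compliant; it is shown only to contrast with the handler below.
function cookieWallHandler(cookieHeader, wanted) {
  if (!hasTrackingConsent(parseCookies(cookieHeader))) {
    return { serveContent: false, setCookies: [] };
  }
  return { serveContent: true, setCookies: wanted };
}

// Consent gate: always serve the content, and drop only the tracking-category
// cookies when consent has not been given. Unknown cookies are treated as
// tracking so that a misclassified cookie fails safe.
function consentGateHandler(cookieHeader, wanted) {
  const consent = hasTrackingConsent(parseCookies(cookieHeader));
  const setCookies = wanted.filter((name) => {
    const category = COOKIE_POLICY[name] || "tracking";
    return category !== "tracking" || consent;
  });
  return { serveContent: true, setCookies };
}
```

A real deployment would also have to keep the consent record revocable and apply the same category check to scripts, pixels and local-storage writes, which the article lists as equally subject to consent.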

GDPR showed its benefits in less than a year

The GDPR is a data protection and privacy regulation that came into effect in the European Union on May 25, 2018. It regulates the protection of EU residents' personal data as well as the export of personal data outside the EU and EEA.

According to an analysis by Cisco, more than 59,000 data breach notifications have been reported to European Data Protection Authorities (DPAs) by privately owned and public organizations since the GDPR was enacted.

Also, a European Commission joint statement issued in January said that Data Protection Authorities (DPAs) across Europe received 95,180 complaints regarding mishandling of personal data, while companies announced a record number of 41,502 data breaches.

Last but not least, companies that did not comply with the new data protection regulations received record fines, with Google being hit with a €50 million ($56.8 million) financial penalty in January by the French Commission Nationale de l'Informatique et des Libertés (CNIL).

The €50 million fine was imposed for violating the transparency and information obligations required by the GDPR, and for not requesting user consent before processing data collected for ad personalization purposes.