On 7th March 2019, the Dutch data protection authority issued an opinion[1] on the use of so-called “Cookiewalls”, deeming the practice unlawful in light of the GDPR and announcing intensified audits of the correct implementation of cookies in the coming period.[2]
European regulation of Cookies
The first regulation of cookies at European level was introduced by the ePrivacy Directive[3] in Article 5 para. 3. This first attempt at regulation required the operator of a website to provide the data subject “with clear and comprehensive information in accordance with Directive 95/46/EC” as well as “the right to refuse”, a so-called opt-out. In 2009 the ePrivacy Directive was amended by changing the opt-out to a clear opt-in (consent) requirement. In addition, the new amendment provided for an exception to the extent that this new requirement “shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication […], or as strictly necessary in order for the [operator] […] of [a website] […] explicitly requested by the user to provide the service.”
Dutch regulation of Cookies
The Netherlands transposed Art. 5 para. 3 ePrivacy Directive into Article 11.7a of the Dutch Telecommunications Act (hereinafter TA) in May 2012, which was amended in 2015.[4] In line with the Directive, paragraph 1 of the TA requires that the data subject is “provided with clear and comprehensive information” and “has given consent” before cookies are installed or accessed. Paragraph 3 provides for an exception to the consent requirement when the installing or accessing of cookies “has the sole purpose of executing the communication” or “is strictly necessary to deliver the […] service requested by […] the user”. In addition, Article 11.7 TA extends this exception to the purpose of obtaining “information about the quality or effectiveness of a delivered information society service”, “provided that this has no or minor impact on the privacy of the user”.
This latter exception seems to reflect the opinion of the Article 29 Working Party that “cookies that are strictly limited to first party anonymized and aggregated statistical purposes” should be exempt from the consent requirement.[5]
Finally, the TA also addresses Cookiewalls in paragraph 5 of Article 11.7a, in that it prohibits any Dutch organization established under public law from making “access […] conditional upon consent […]”. This provision was added to the TA by its amendment in 2015, as a consequence of several reports and opinions published by the Dutch DPA about the use of Cookiewalls by NPO, the Dutch Public Broadcaster.[6]
Opinion by the Dutch DPA
In its opinion[7] published on 7th March 2019, the Dutch DPA seems to pick up where it left off. The DPA states that its opinion is a reaction to the “dozen[s] of complaints from website visitors” it has received, who have been denied access to a website after refusing to accept tracking cookies.
As shown above, Cookiewalls are not explicitly prohibited by Article 11.7a of the Dutch TA, at least for private companies. Interestingly, the DPA also does not refer to the TA but rather bases its argument on the GDPR and the Regulation’s requirements for valid consent. The DPA argues that permission given by data subjects who enter websites hidden behind a Cookiewall is not given “freely” if the data subject has no real choice or cannot refuse giving permission without experiencing adverse consequences.[8]
According to the authority’s understanding, the denial of access to a website as a result of the data subject’s refusal to accept tracking cookies amounts to an adverse consequence for the subject and is thereby unlawful. Hence, any consent given by the data subject to bypass a Cookiewall would not be valid and thus in breach of Article 11.7a para. 1 Dutch TA.
Remarks
As a result, companies that operate their website behind a Cookiewall will over the course of the next year likely have to face more complaints by data subjects and audits by the Dutch DPA. Although the DPA bases its opinion on a valid legal point, I find it difficult to justify the outcome in light of services that rely on tracking and advertisement as their business model. This also leads me to believe that if a website operator, in parallel to offering its service behind a Cookiewall, offers tracking-free access against payment, the opinion of the DPA would become less substantiated. Ultimately, we will hopefully have more clarity once the new ePrivacy Regulation passes its drafting stage and comes into force or if a complaint makes its way up to the Court of Justice of the European Union (CJEU).
[1] The DPA calls it an “explanation”.
[2] Dutch DPA: https://www.autoriteitpersoonsgegevens.nl/nl/nieuws/websites-moeten-toegankelijk-blijven-bij-weigeren-tracking-cookies#subtopic-2077 (last checked: 08.03.2019).
[3] Directive 2002/58/EC.
[4] In more detail, see Eleni Kosta, The Dutch regulation of cookies, European Data Protection Law, (2016) pp. 97-102.
[5] Article 29 Data Protection Working Party, ‘Opinion 04/2012 on Cookie Consent Exemption (WP194)’ (2012), p. 11; see also Eleni Kosta, The Dutch regulation of cookies, European Data Protection Law, (2016).
[6] In more detail Eleni Kosta, The Dutch regulation of cookies, European Data Protection Law, (2016).
[7] You can find the opinion (in Dutch) here: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/normuitleg_ap_cookiewalls.pdf (last checked: 08.03.2019).
[8] The GDPR defines consent in Article 4 nr. 11 as “freely given, specific, informed and unambiguous indication of the data subject’s wishes”.