European Data Protection Board backs ban on 'cookie walls'

The European Data Protection Board (EDPB), established under the General Data Protection Regulation (GDPR), said the use of so-called "cookie walls" should be prohibited under new EU e-Privacy rules.

A new e-Privacy Regulation was proposed by the European Commission in January 2017, but the text has yet to be finalised by EU law makers. While the European Parliament agreed its negotiating position last autumn, the Council of Ministers has yet to do so. Both the Parliament and Council must agree on the wording for the rules to be introduced into law.

Earlier this month, new proposals (83-page / 665KB PDF) published by the Bulgarian presidency of the Council contained plans which would enable website operators to make access to their sites "conditional on the consent to the storage of a cookie or similar identifier", although it said in some cases this approach "may be considered to be disproportionate", including where there are "few or no other options but to use the service".

The EDPB said, though, that permitting the use of 'cookie walls' would run contrary to the GDPR.

"In order for consent to be freely given as required by the GDPR, access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited," it said.

The EDPB gave its view that the EU's existing e-Privacy consent requirements apply to the use of "every tracking technology" and not just 'cookies'.

Ann Henry, an expert in data privacy at Pinsent Masons, the law firm behind Out-Law.com, said the statement from the EDPB clearly demonstrates that compliance with GDPR is "the new reality for digital marketeers".

Henry said: "'Cookie walls' won’t be permitted in any guise. Service providers must obtain consent employing whatever technical tools are required to obtain it. That applies across the board whether you are operating a website or are an app provider." 

"Given the clear message from the EDPB in this statement, the advice to any digital marketer has to be for them to place their energies and resources into determining how they can comply with the new consent regime," she said.

The watchdog also took issue with proposals that would allow the processing of 'metadata' to take place without individuals' consent in certain circumstances. Metadata is information that is connected to communications which does not include the content of those communications. Such information can include numbers called, websites visited, geographical location or the time and date a call was made.

The EDPB said: "There should be no possibility under the e-Privacy Regulation to process electronic communications content and metadata based on open-ended grounds, such as ‘legitimate interests’, that go beyond what is necessary for the provision of an electronic communications service. Furthermore, there should be no possibility under the e-Privacy Regulation to process electronic communications metadata for the performance of a contract, meaning that there should not be an exception based on the general purpose of the performance of a contract, as the Regulation lays down which exact processing is permitted to this end, such as processing for billing purposes."

"The EDPB wishes to emphasise that electronic communications metadata can still be further processed without consent after it has been genuinely anonymised," it said.

In its statement, in which it said the update of the EU e-Privacy regime "is an important and necessary step that has to be concluded rapidly", the EDPB also backed plans outlined by MEPs to require privacy options to be turned on by default within software settings, and for software providers to offer "a technical solution for websites to obtain a valid consent".

"[The new e-Privacy rules] should explicitly apply to operating systems of smartphones, tablets, or any other ‘user agent’, in order to ensure that communications applications can take into account the choices of their users, no matter what technical means are involved," the EDPB said.

"Moreover, privacy settings should facilitate expressing and withdrawing consent in an easy, binding and enforceable manner against all parties, and users should be offered a clear choice upon installation, allowing them to give their consent if they wish to do so. Additionally, web site and mobile applications should be able to obtain a GDPR compliant consent through the privacy settings," it said.

The EDPB is a made up of representatives of national data protection authorities across the EU and the European data protection supervisor. The body has replaced the Article 29 Working Party which previously provided opinions and guidance on matters relating to EU data protection and e-Privacy laws. The proposed new e-Privacy Regulation envisages a similar future role for the EDPB.