The European Union’s (EU) attempt to tackle the problem of illegal cookie walls has gained momentum with the enforcement of data protection rules such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive. Cookie walls, designed to quickly force users to accept tracking cookies, have become a controversial aspect of online privacy, leading to the formation of the European Cookie Banner Taskforce in 2021.
Despite existing regulations banning mandatory cookie practices, such as the 2002 ePrivacy Directive and the GDPR, the proliferation of annoying cookie banners has persisted. The ePrivacy Directive, created two decades ago to address the challenges of cookies, is still a relevant tool to combat unlawful practices. EU efforts to address the issue gained momentum with several rulings against abusive cookie practices, including the landmark 2019 ruling by the Court of Justice of the European Union.
Enforcement and Fines
National data protection authorities, such as France’s CNIL, have played a crucial role in enforcing cookie-related regulations. CNIL’s fines against tech giants Google and Amazon underscore the seriousness of non-compliance. In response to the changing landscape, CNIL updated its recommendations in 2020 and initiated investigations in 2021, issuing formal notices to organizations that violated cookie requirements.
Max Schrems and noyb.eu
Privacy activist Max Schrems, along with his organization noyb.eu, actively joined the campaign against illegal cookies. Schrems highlighted how some companies intentionally complicated privacy settings and blamed the GDPR for cumbersome cookie banners. The noyb.eu investigation found that many websites did not have a simple “reject” option, used misleading design elements and did not make withdrawing consent easy.
Report of the European Cookie Banner Taskforce
The creation of the Cookie Banner Taskforce in 2021 aimed to coordinate efforts across the EU. However, the task force report, published in January 2023, acknowledges the challenges of illegal cookie requests but does not provide strong and clear recommendations. It emphasizes an approach based on individual cases to assess potential abuse, leaving room for ongoing complaints and judgments.
Legal Implications and Regulatory Actions.
The EDPB’s May 2020 guidelines unequivocally state that cookie walls are an illegal way to obtain user consent within the EU. The GDPR’s requirements for valid consent – freely given, specific, informed and unambiguous – clash with the coercive nature of cookie walls, where access to services depends on general consent. National data protection authorities (DPAs) in the EU have also expressed their views.
In 2019, the Dutch DPA ruled against cookie walls, saying they violate the GDPR by not giving users a real choice when giving consent.
The UK’s Information Commissioner’s Office (ICO) determined in 2019 that general approaches such as cookie walls are unlikely to represent valid consent under the higher GDPR standard.
: CNIL’s 2019 guidelines were against cookie walls, and although a legal challenge in France has changed some aspects, fundamental opposition remains.
: The Spanish DPA, AEPD, ruled in 2020 that cookie walls without alternatives to consent are inadequate, especially in cases where users are denied access to exercise legal rights.
Italian Garante Per La Protezione Dei Dati Personali
: In 2020, the Italian DPA clarified that cookie walls are generally illegal, with exceptions considered on an individual basis.
The EU’s proactive stance against illegal cookie walls demonstrates its commitment to protecting users’ privacy. Despite some notable successes in enforcement and the creation of the Cookie Banner Taskforce, challenges remain. The reluctance to issue stronger, more definitive recommendations in the task force report raises questions about the effectiveness of the current regulatory framework. As the EU continues to grapple with ongoing privacy concerns, stakeholders look forward to further developments that could shape the future of online user consent and data protection.