Your cookie consent or your life!
When consent is no longer freely given
Consider for a moment how many websites you visit every day. There is a good chance that you will bump into a ‘cookie wall’. To be clear: with a ‘cookie wall’, I mean a full screen that blocks your access to the website you want to visit, and on which you are ‘kindly’ requested to first accept all cookies before you can visit the website. There has been much discussion about the admissibility of these cookie walls. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has published an opinion, in which it states that this type of cookie wall is not allowed. The reason for this is that consent is not “freely given”. Many companies, but also some lawyers, disagree with the Dutch Data Protection Authority. According to them, many websites depend on advertising revenues, and they believe that they should be able to decide for themselves if they want to allow someone access on their website, or not. But who is right?
In order to answer this question, I will get to the core of the discussion: when is cookie consent “freely given”, and when is it not? And what does this mean for cookie walls?
What is “freely given consent”?
What is actually “freely given consent”? The European privacy law, the General Data Protection Regulation (GDPR), contains an extensive definition of “consent”:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
A “freely given” (voluntary) consent is just one of the conditions for a valid consent under the GDPR. In other words: if you did not give your consent voluntarily, the consent is not legally valid.
The GDPR contains more rules for consent. For example, you must:
- Be able to prove that consent has been given;
- Present the request for consent in a comprehensible, easily accessible form, and in plain language;
- Make a clear distinction between the request for consent and other matters (such as general terms and conditions);
- The given consent can always be withdrawn;
- Making withdrawing consent as easy as giving it; and
- Check whether the consent is given freely, and is really necessary.
Although all requirements for “consent” are worth discussing, I will only discuss the condition of “freely given” here.
In order to have “freely given” consent, you have to ask yourself five questions:
- Do I really need consent?
- Does this person have the choice to refuse consent?
- Can this person control the consent given (is it possible to withdraw it easily)?
- Can you confirm that consent cannot be forced?
- Can you confirm there are no adverse consequences if consent is not given by this person?
If you can all answer above questions with “yes”, then the consent is truly freely given. In all other cases, the consent is probably not entirely voluntary, and therefore not valid under the GDPR. The concept of “freely given consent” seems so simple at first sight. In practice, it is not that easy to meet all requirements, due to different (commercial) interests.
I see that many organizations think that they need “consent” for processing all their personal data, but this is not true. But once you go for “consent”, then you cannot force this “consent”, otherwise the consent is not valid, and you lose your legal basis. Without a legal basis, your data processing is in violation of the GDPR.
Are cookie walls allowed or not?
Let’s get back to the cookie wall. The Dutch Telecommunications Act (Telecommunicatiewet) says that certain cookies that have a privacy impact, such as “tracking cookies”, require a prior consent. With “tracking cookies”, a website places a small piece of text (code) on your computer and read it later. For example, it gives you a unique user ID, and then keeps track which websites you are visiting and what you are clicking on. Based on that, the website can show you “personalized” advertisements. The idea is: the more personal the ads are, the bigger the chance that you click on it (“click thru rate”). More clicks means more money for the website.
Many websites have based their business model on maximizing advertising revenue. So they have a big interest in making sure that website visitors “accept” these tracking cookies, whether they like it or not. Many websites offer just one option: “accept all cookies”. You cannot click away the cookie wall or say “no”. But what if you (as a website visitor) do not want to see personal advertisements, but still want to visit the website? Then it is often: no consent, no access.
However, refusing access to a website, if you do not want to accept tracking cookies, is a negative consequence. You may feel forced to accept the tracking cookies anyway. In my opinion, you can hardly call that a voluntary choice. Tracking cookies are often not necessary; most websites work perfectly fine without them.
A commonly heard counterargument is that there are enough websites, so you can freely choose to go to other websites. Actually, whenever I see a cookie wall, I often decide not to visit the website, as a matter of principle. I wonder: Are websites actually losing advertising revenue because of ‘runaway’ visitors?
Apparently not, because I see these cookie walls almost everywhere. The more websites apply these cookie walls, the less free choice of websites we have. Sometimes I just (unhappily) “agree” with tracking cookies, just to be able to visit a certain website. Considering my level of irritation during those moments, I would call this an “unwanted consent”, which is not a valid consent under the GDPR.
Who asks for “yes”, should also accept “no”
The conclusion is: If you ask for a consent, you must also be able to accept a “no”. For tracking cookies, you simply have to offer a choice (to accept or not accept), without the threat of negative consequences (such as blocking access to the website). Only when a choice is completely voluntary, the consent can be truly “freely given”.
Do you want to know more about the rules for your website or online platform, or about e-commerce law in general? Leave a message below, or contact me.