EDPB and cookie walls: major breakthrough still awaited

26.05.2020 - The European Data Protection Board (EDPB) is far from being flexible. Similar to its predecessor, the Article 29 Working Party (WP), EDPB is rather formalistic in interpreting the provisions of GDPR and frequently imposes standards that are rather difficult to meet in practice.


Iurie Cojocaru

The European Data Protection Board (EDPB) is far from being flexible. Similar to its predecessor, the Article 29 Working Party (WP), EDPB is rather formalistic in interpreting the provisions of GDPR and frequently imposes standards that are rather difficult to meet in practice.

Therefore, when it came to taking sides in the long-debated cookie walls matter, it was not a big deal to guess what side EDPB would take.

As you know, the cookie wall is a mechanism whereby the access to the content of a website or an app is denied until the user accepts the non-necessary cookies (such as, for example, tracking cookies).

Even before EDPB issued on 4 May 2020 its Guidelines 05/2020 on consent (EDPB Guidelines), we had the position of the WP alluding that the cookie walls would not be in line with the requirements of a freely given consent.

Actually, the EDPB Guidelines are a slightly updated version of the WP Guidelines WP259 rev.01 on consent as last revised and adopted on 10 April 2018 (WP Guidelines). The EDPB Guidelines only add several provisions on cookie walls and consent through scrolling and swiping, while maintaining everything else from WP Guidelines.

Unsurprisingly, as regards scrolling and swiping in the website, the EDPB held that it does not represent a valid consent since it may not be deemed as a clear affirmative action. Moreover, it would be difficult to withdraw such consent.

But let us go back to cookie walls.

From WP to EDPB

The WP Guidelines seemed to provide an answer to those who claimed that a user put in front of a cookie wall has a freedom of choice.

According to cookie walls supporters, the user may either consent to cookies or obtain a similar content from another controller (e.g., another website or even a printed newspaper). As a response, the WP made it clear that a controller “cannot argue that a real choice exists between its service that includes consenting to the use of personal data […] and an equivalent service offered by a different controller […]” (this provision was taken over by paragraph 38 of the EDPB Guidelines).

WP continued by saying that there is no freely given consent where the freedom of choice is made dependent on whether other market players provide equivalent services. This would imply, continued WP, that in order to make sure that the consent obtained on its website is still valid, the controller has the obligation to monitor that other market players do not alter the quality of their services. This view of WP was also now taken over in EDPB Guidelines.

Why equivalent services are so important here? It appears that WP made reference to the GDPR rule provided under article 7 paragraph 3 of GDPR that the refusal to provide consent must not be detrimental to individual. If the quality of services offered by other market players is worse than yours, WP seemed to say, you cannot claim that the user refusing to provide his/her consent does not suffer any damage by this refusal.

But what if the alternative is not the service of another market player, but that of the same market player? What if a website operator offers the same content against paid subscription, an alternative to the cookie consent, assuming that the price is not too burdensome? This mechanism is sometimes called a hybrid cookie-or-pay wall, a more elaborate variant of a simple cookie wall. And the WP did not provide an answer on this in its WP Guidelines.

Unfortunately, the new EDPB Guidelines does not provide an answer to this matter either.

Polyphony of data protection authorities on hybrid walls

There has been no unitary approach to cookie-or-pay walls from the part of EU data protection authorities. In November 2018, we had two diametrically opposing views on such hybrid walls coming from the data protection authorities of UK (ICO) and Austria (DSB).

The ICO optic was that the hybrid cookie-or-pay wall used by Washington Post was not in line with GDPR rule of the freely given consent. The US newspaper offered access to its full online content for a fee of USD 9 per month, allowing the user to switch off non-necessary cookies. The other two alternatives (free access to limited website content and unlimited access against a fee of USD 6 per month) implied the need to consent to cookies.

The argument of ICO was that the user does not have a genuine choice and control when asked to consent to cookies (stipulated under recital 42 of GDPR). The UK authority also brought into discussion the article 7 paragraph 4 of GDPR (Article 7-4), but without elaborating on its correlation with the principle of genuine choice and control.

In short, Article 7-4 says that if you condition the provision of a service or the conclusion of a contract by the consent of the individual, you have to check if the data processing for which you require the consent is necessary for such provision of service/conclusion of contract. If the processing of data is necessary for the provision of service/conclusion of contract, you still cannot be absolutely sure that the consent is freely given, since the wording of Article 7-4 (i.e., “inter alia”, “utmost account shall be taken”) implies that the conditionality-necessity is only one of the criteria based on which the freely given consent is assessed.

On the other hand, the DSB case concerned an online media publisher who posted daily journalistic articles on various matters. The publisher offered users the option to benefit from full access to website content if they consented to advertise cookies and online tracking. In the absence of consent, the users may still have benefited from full access to the website in exchange for a 6 EUR/month subscription (paid as of the second month), without being subjected to any advertising cookies or online tracking.

The DSB held that there is a freely given consent here, relying on Article 7-4 and also affirming that there is a genuine choice and control (switching from a cookie-based service to a subscription-based one). As for the requirement of the absence of negative consequences in case of refusal to consent, the Austrian authority took the view that an alternative payment of EUR 6 per month starting from the second month of subscription is not disproportionately expensive.

There are certain aspects which remained unanswered by ICO and DSB, as the authorities do not explain the interaction between Article 7-4 and the requirements of genuine choice and control and of the absence of negative consequences.

What is still not clear…

When the EDPB Guidelines have been adopted, we were expecting that EDPB would clarify the relations between various conditions and rules on freely given consent and, of course, that it would provide a clear cut answer on the hybrid cookies-and-paywall. Sadly, no such answers were given.

As mentioned earlier, EDPB, similar to WP, expressly compares the quality of services of a controller to the quality of services of another controller, but no reference is made to the same services of the same controller, provided either by cookie consent or by payment subscription. Following the view of EDPB, if the service provided by cookie consent is the same (and therefore, of the same quality) as that provided against paid subscription, would this mean that my hybrid cookie-or-pay wall is in line with the requirement of a freely given consent?

The seemingly absolute provisions on cookie walls from EDPB Guidelines leave room for interpretations, as they do not exclude the paid subscription alternative: “In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls).” (paragraph 39 of EDPB Guidelines)

The possibility of recourse to cookie-or-pay walls mechanism may result more clearly from the provision of paragraph 40 of EDPB Guidelines: “A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button”. Actually, in the case of cookie-or-pay walls, there is such a possibility of access, by paying a fee.

…and what is clear

With all the question marks left regarding hybrid cookies-or-paywalls, the EDPB Guidelines clarify that the other cookie walls which do not offer another (even paid) possibility to access full content of websites and apps without cookie consent are not in line with freely given consent rules.

In this express ban of cookie walls, EDPB Guidelines follow the approach of the Dutch data protection authority and the French data protection authority (CNIL) which reached the same conclusion in March 2019 and, respectively, in July 2019.

From the perspective of EDPB Guidelines (as taken over from WP Guidelines), it would also result that it is still not GDPR-compliant offering partial access to website to users who do not consent to non-necessary cookies, as this partial access may signify an “altered service” mentioned in the aforesaid paragraph 38 of EDPB Guidelines.

What to expect next

For those considering the use of hybrid cookie-or-pay walls, answers are still pending even with the latest EDPB Guidance. A helping hand may come from the Court of Justice of the EU or even from the text of the ePrivacy Regulation, when this will be completed.

In any case, in an environment where the number of printed publications is dramatically decreasing and the publishers seek to diversify sources of financing for their online activity, in order to make sure their businesses survive, an extremely strict interpretation on cookie walls (in the sense of prohibiting even the hybrid cookie-or pay walls) would clearly represent a negative financial impact for such online publications. In this situation, the migration of publishers to an exclusive paywall model (i.e., accessing the content only based on payment) is a possible, but less optimistic scenario.

There is still not much clarity on how the condition-necessity rules of Article 7-4 of GDPR have to be applied together with the requirements on genuine choice and control and on absence of negative consequences. Considering the impact of its guidances, we would like to see EDPB abandoning its usual caution and going in more details and providing more pragmatic clarity on this.

It is yet to be seen if those jurisdictions where the cookie walls were at least tolerated will have a change of perspective following the EDPB Guidelines. On the other hand, the EDPB Guidelines may represent a compass (even if a trembling one) in those jurisdictions where the national data protection authorities and the courts of law have yet to adopt a position on this matter.

In this respect, let us not forget that the opinions of EDPB do not have a mandatory nature. We have noticed by now cases when national data protection authorities and courts of law disregard the positions adopted by EDPB (or by its predecessor, the WP).