May 212019

Dutch Supervisory Authority Opines on Use of Cookie Walls

Lauren Cuyvers and Wim Nauwelaerts
, , , , ,

Recently, the Dutch Supervisory Authority (the “Autoriteit Persoonsgegevens” or “Dutch SA”) has taken the position that the use of so-called “cookie walls,” whereby website access is made conditional upon the provision of consent to tracking cookies, is not compliant with the EU General Data Protection Regulation (“GDPR”).

Since the entry into application of the GDPR, many websites accessible from the EU have implemented mechanisms (including cookie banners) allowing users to consent to the use of cookies. Pursuant to the e-Privacy Directive 2002/58 (“e-Privacy Directive”), companies must obtain consent for placing cookies that are not “strictly necessary”. The Dutch SA had received complaints from website visitors indicating that some websites refuse website access to visitors who do not accept the use of tracking cookies or other technology allowing the tracking of user behavior online. According to the Dutch SA, use of online tracking technology is one of the most invasive data processing activities considering that virtually everyone is active on the internet and therefore potentially subject to online tracking. It is therefore key to obtain valid consent from website users before engaging in any tracking activity.

Under the GDPR, consent must meet several conditions. It must be freely given, informed, specific, unambiguous and result from a clear affirmative act (such as clicking “accept” in a cookie banner). According to guidance from the Article 29 Working Party (the predecessor of the European Data Protection Board, “WP29”), consent is not freely given if there is a risk of deception, intimidation, coercion or significant negative consequences if the individual chooses not to consent. The Dutch SA found that the condition of “freely given” consent is not met if users feel compelled to give consent at the risk of not being granted website access. According to the Dutch SA, “free consent” implies that users are provided with a real choice whether to accept tracking cookies or not. Thus, the Dutch SA’s position is that, when users in the EU do not accept tracking cookies, website access must still be granted. The Dutch SA has indicated that it will continue to actively verify whether websites are compliant.

Earlier this year, the Austrian Supervisory Authority (“Austrian SA”) adopted a more flexible approach with respect to the “free” provision of consent. In response to a complaint, it found that an online newspaper website that offered a “paid subscription model” as an alternative to accepting advertising tracking cookies, was compliant with the GDPR. The Austrian publisher in question had set up a website which gives users the option to either (i) consent to tracking cookies and gain full website access, (ii) not give consent and only gain partial access to website content, or (iii) not give consent, but pay a monthly subscription fee of 6 EUR to receive full access to website content (and avoid being tracked). The Austrian SA pointed out that media companies have relied on advertising for decades, and that this is often their only source of revenue in the context of online publishing. It concluded that the requirements of “free” or “voluntary” consent should not require media companies to provide their services (such as access to media content) free of charge. The Austrian SA substantiated its decision by reasoning that because the subscription fee requested was relatively low (6 EUR for full access), and individuals as such were not faced with significant negative consequences if they chose not to accept tracking cookies, consent should be considered “freely given” and thus compliant with GDPR.

Interestingly, the UK Supervisory Authority, the Information Commissioner’s Office (“ICO”), has taken yet another view in this regard. According to the ICO, individuals must be offered a complimentary alternative to accepting cookies and should be able to opt out from cookies at all subscription levels (including when users do not wish to sign on and pay for monthly subscriptions).

With at least three different approaches and interpretations at the EU Member State level, there is a clear lack of alignment that undermines companies’ efforts to comply with both the GDPR and e-Privacy rules. Data Matters will continue to watch these developments, in hope that the GDPR’s cooperation and consistency mechanism will help remedy this situation with a view to providing legal clarity across the EU.

Lauren Cuyvers

Brussels

lcuyvers@sidley.com

Wim Nauwelaerts

wnauwelaerts@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.