Pass the Cookies—or Give the Cookies a Pass?
GDPR is overwhelming.
The headlines have faded, and the panic has dulled. But GDPR's requirements remain very real and challenging to understand and implement. If you're still struggling, you're not alone.
Estimates have varied widely—from as few as 7% to about 60%—of US companies who expected to achieve compliance by the May 25th deadline. Even the most optimistic estimate leaves 40% failing to meet the compliance deadline. And even some large businesses just gave up, at least for awhile. The LA Times, the Chicago Tribune, and Tronc Inc. (which owns the New York Daily News, the Baltimore Sun, the Orlando Sentinel, and the San Diego Union-Tribune) blocked all European access to their websites. Europeans are greeted with toll booth images. These images that block access—at least until users give consent—has seemed to be a logical path to GDPR compliance.
European sites have used this strategy for years, greeting website visitors with something called a "Cookie Wall." It's like a landing page that requires visitors to accept the site's cookies before accessing any site content. American developers have begun to adopt this strategy, but the European Data Protection Board (EDPB), an extension of the GDPR, says no.
A Cookie Wall is not GDPR-compliant
A cookie wall is also known as a tracking wall—and it's not the same thing as just using cookies. Instead, cookie walls or tracking walls are "modal dialogs that require people to give consent to be tracked in order to access a website." Unless a visitor gives that consent, he or she is blocked from accessing the website's content.
Cookie walls seem to be a strategy for GDPR compliance since they do the job of getting user consent. For example, look at how one WordPress plug-in advertises itself:
"The Cookie Wall for WordPress is a plugin to comply with the EU law. Instead of offering a way to continue browsing without cookies, which possibly means loss of income for publishers. this cookie wall only accepts a confirmation."
Remember that phrase: "this cookie wall only accepts a confirmation."
Keep that in mind while we look at a hypothetical off-line example.
Imagine that a new store opens up in the mall. We'll call it "The Best Price Store." It looks attractive, and it advertises great value and good prices. So of course, you want to visit.
But when you arrive at the store, you see a sign. It says the store has an "Admission Price: Your information." You must consent to allow the store to collect personal information about you, or you are not allowed to enter the store.
If this actually happened at your local mall, people would probably protest. They might claim that the mall is public property, and that they have a right to shop without an invasion of privacy.
The store might reply that people are not obligated to shop at the new store. If they didn't want to accept the store's terms, they were welcome to shop someplace else.
But in our fictional example, the GDPR would apparently side with the protesting public.
Here's the problem:
That requirement—you can't shop here unless you give us your information—is like a cookie wall. Remember that phrase: "it only accepts a confirmation." If you don't consent, you can't enter. Consent is a condition of access. That's the crux of the issue. GDPR requires that consent must be freely given, so conditional consent does not meet GDPR requirements.
The EDPB made its position on cookie walls very clear in this statement: "access to services and functionalities must not be made conditional on the consent of the user to the processing of personal data or the processing of information . . . meaning that cookie walls should be explicitly prohibited." (Emphasis added; Click here to access the pdf file of the EDPB statement.)
There you have it. No cookie walls.
Yes, and sometimes you must. If your site sets up user roles, for example, cookies are essential. But you have to use them according to GDPR requirements if your site has the potential to reach anyone in the EU. (Which basically means—if it's on the web.)
As we stated in our previous blog about the GDPR, your decisions and actions should be based on qualified legal counsel. But we can give you a summary of what GDPR requires.
- Access to your site cannot be made conditional on a user accepting cookies. GDPR has specifically prohibited cookie walls.
- Users can be given the option to access your site either with or without cookies.
- Cookie data can be completely anonymized to meet standards outlined in the GDPR document (pdf).
- When cookies that collect personal data are essential, users must have the opportunity to freely give informed, explicit consent. So before users click the "I agree" button, you are required to explain clearly—
- What personal data will be collected
- Why that data is needed
- How the data will be processed and used
- How/where the data will be stored
- How long the data will be kept and when it will be deleted.
It sounds complicated, but just one or two well-written sentences will do the job. Any statement would, of course have to be personalized, but just as an example—
As long as you meet these requirements—go ahead! Pass the cookies!
Thanks for sticking with us through this blog. We think you deserve a coffee break now—with cookies, of course.
If you need help with your website, contact us. We can help!