Digital Services Act in action: say goodbye to cookie walls!

Cookie walls are infuriating. Not familiar with the concept? Here’s a quick rundown: “If you want to use my site, you must accept all cookies without any category choices. I don’t offer you this legally required option; you can only dismiss my cookie banner and thereby accept all cookies.” Or how about this: “If you don’t accept my cookies, you have to pay to access my site.” And let’s finish with a peculiar situation: cookie banners where your consent is almost secretly assumed due to legitimate interest. What impact does the Digital Services Act have on these concepts? Let’s shed some light on it.


Offering a free, autonomous, and informed choice is the foundation[1] of data collection and thus of a cookie banner. If your visitor allows or rejects cookies, it should be based on complete and accurate information. Your visitor must also be free to make a choice: accept or reject. This is precisely the foundation you disrespect with a cookie wall. Unfortunately, they’re not uncommon. While writing this post, I encountered three within minutes.

The Digital Services Act, a recent piece of European legislation, emphasizes creating a safe and reliable online environment. Dark patterns - user interfaces carefully designed to mislead users into making certain choices - are explicitly prohibited. So, too, are cookie walls, because they lack the option to reject cookies.

Read more about dark patterns and nudging: two deceptive techniques that are now banned under the Digital Services Act.

“Oh, but that’s for the Googles of this world!” you might think. This Act applies to anyone with an online presence, from Gamma to Google, from AVA to Apple, the website of the balloon shop around the corner, and the site of a small NGO: the rules apply to everyone.

Forcing your website visitors to accept all cookies is not allowed. Simple as that. Everyone has the right to a free, autonomous, and informed decision. Did you know that the Dutch regulator, the Autoriteit Persoonsgegevens (AP), already published its judgment in 2019 that a cookie wall does not comply with the GDPR?[2] Our own GBA provides unequivocal information: it’s not okay.[3]

Before we move on to cookie walls versus paid services, please take a look at the screenshot below. On one page, GDPR assessment services from a consultant sit alongside a cookie wall. It doesn’t get much crazier than that.

Pay-or-ok model

“Don’t accept cookies? Then you have to pay to access my site.” Is that allowed?

Eat cookies or pay, also known as the pay-or-ok model, is something you sometimes encounter. Some sites want to place extensive marketing cookies as part of an advertising revenue model. You can refuse, but not without consequence: you have to pay for the service the site offers.

The tech site Tweakers used this model for a while.[4] A year later, they abandoned this approach.[5] They wrote the following about it: “Behind the scenes, it took a lot of effort. We had to find a technical partner that supports dynamic banners without tracking, and of course, we had to convince our advertisers of the necessity of this step. We also had to completely reorganize all processes around purchasing, booking, and delivering banners. This all took time, hence the wait. But now it’s done, and we’re very happy about it.” Very impressive!

The key question remains: can you truly give free consent if the alternative is payment? No, you don’t have a free choice in such a situation. By the way, you can be commercially successful without forcing marketing cookies.

The tech company Sentry wrote an interesting article about this. The European Data Protection Board has also commented on the pay-or-ok approach, and new guidelines are expected.

In our neighboring countries, opinions vary. The Netherlands and France take a more lenient or stricter approach. The Digital Services Act brings more clarity: a cookie wall is not allowed, and coercing visitors into accepting cookies by offering only unfavorable alternatives is also not allowed. It’s also not a customer-friendly approach, with a high chance of abandonment. So, don’t choose a cookie wall for your site. It’s not convenient, it’s not customer-friendly, and it’s not allowed.

“I don’t want cookies + I don’t want to pay = I’ll look elsewhere”

Legitimate interest

"We can secretly impose cookies on you. That’s our right!" Or is it not?

Do you recognize this situation: on a cookie banner, you can adjust settings. The visitor’s consent is requested, with the default value set to ‘no’. But just below that, there’s a second option for a subset of cookies referring to legitimate interest, the legal basis for processing necessary for your company’s interests and for which no consent is required. And this value is set to ‘yes’. The visitor must scroll through the entire list and turn off legitimate interest everywhere. Maybe your cookie banner is set up like this?

It gets even trickier: Google Analytics is checked with the argument of legitimate interest.

Is this an approach you can use? The answer is a resounding ‘no’.

There are two good reasons to avoid this method:

  1. The lack of the required free, autonomous, and informed choice. If you click ‘reject cookies’, you don’t see the tab with legitimate interest settings, and those cookies get quietly placed. The justification? You didn’t object.

  2. Legitimate interest is an exception, not the rule. Using it systematically in cookie banners doesn’t align with its intended purpose.

Looking for the best approach for your cookie banner? Follow these rules:

  1. Choose a standard cookie banner, not a cookie wall.

  2. A paid alternative to cookies is not a good idea.

  3. Legitimate interest belongs in data processing, not in a cookie banner.

  4. Avoid dark patterns. Read our blog post on this topic.

The Digital Services Act is clear and enforced in all countries. Embrace the new guidelines and show your stakeholders that you respect them! This is also Craftzing’s vision for sustainable digitization. Compliance isn’t an extra but the foundation of online business. It’s called compliance by default.

By Yves Braeckman

As Head of Compliance I work on finding a balance between performing online interactions and respect for privacy in the broadest sense. The goal is to gain stakeholders’ confidence while creating durable digital solutions. Already today - but even more so in the years to come - compliance forms a cornerstone for any online activity.