Skip to content

Cookie “banner”, “barrier” and “wall”

The House of Data Imperiali bulletins are excerpts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email: segreteria@imperialida.com

Cookie “banner”, “barrier” and “wall”

The EU Commission’s proposal for the new ePrivacy regulation did not explicitly refer to the circumstances that practice has identified with the terms “cookie banner”, “cookie barrier” and “cookie wall”. 

The version of Parliament approved by the LIBE commission provides for the prohibition of “cookie walls” in the wake of what is indicated by the EDPB in the 05/2020 guidelines; while the version of the EU Council of 10 February 2021 entrusts the regulation of “cookie walls” to recital (20aaaa).

All three of these terms represent methods used by website operators to respond to the requirements of the information and user consent, referring to the use of cookies or similar trackers.

Cookie banner

The use of cookies must be brought to the attention of the user. If such use requires the user’s consent, this must be preventive and informed. To meet the precedence requirement, the user’s consent must be collected before injecting a cookie or accessing the information contained therein.

To fulfill the requirement of “informed” consent, the information on the use of cookies must be provided before the consent is collected and, consequently, also before the use of the cookie.

This legal requirement – confirmed in the document wp208 of the WPArt29 and by the decision of the CJEU on the Planet49 case – entailed the need for website operators to publish a digital sign (banner) on the landing page that contained some essential minimum information (purpose, categories of recipients), together with the mechanism for collecting free and informed consent. The additional information to be released (for example, name of the identifier, retention period, consent withdrawal method) are then contained in a further detailed document (cookie policy) linked to the banner with a hypertext link.

Cookie banner function

The cookie banner – which according to few authorities is mandatory only when using cookies for which consent is required – is the basic solution to respond to the requirement of the user’s prior and informed consent. For this solution to be adequate, the banner must be correctly configured; that is, specifically, it must contain:

  • the content of the short privacy notice
  • the link to the extended notice (cookie policy)
  • the technical method for obtaining consent and for refusal/withdrawal.

Each of these elements, if not well conceived, can invalidate any consent given or, in any case, make the use of cookies or other online trackers illegitimate. The adequacy of the banner does not depend on mere formal compliance, assuming instead an effective correspondence between the chosen mechanism and what it puts in place. This discrepancy between what is apparent and the actual underlying functionality – as found by many international studies and research – is far from being a remote possibility.

Cookie barrier

The term “cookie barrier” is sometimes used as a synonym for “cookie wall”, other times in an autonomous and distinctive way. The option depends on the reference element of the term “barrier”: that is, if it relates alternatively to:

  • the user’s choice
  • the consent of the same

in the sense that the barrier is removed if (a) the user makes the choice or (b) the user consents to the installation of cookies.

Only in the second case “cookie barrier” and “cookie wall” become synonyms.

Conversely, the term “cookie barrier” means that method by which the digital sign constitutes an insurmountable barrier for the user’s navigation that can only be removed following the choice made by the user: that is, the banner-barrier obliges the user to choose whether to accept or reject cookies, otherwise he is not allowed to continue browsing.

Some have concluded for its illegitimacy as the user’s right not to express himself would also be inherent in the range of freedom of consent, from which a method that would force him to choose would not be legitimate. Recital (32) of the GDPR states that the request for consent must not be “unduly interfering with” the use of the service for which it is provided: blocking access to the site / app until the user expresses his / her choice regarding consent, could indeed constitute undue interference.

According to the CNIL, «(t)he situation in which the user does not express any positive choice must be distinguished from the situation of refusal. In the absence of any manifestation of choice (neither acceptance nor refusal), no trackers requiring consent must be written» (proposal for a Recommendation on cookies, 2020, §38).

For others, however, the legitimacy of the “cookie barrier” would depend exclusively on the consent collection mechanism: if transparent, free, balanced between consent and denial, the “barrier” would be legitimate.

Cookie wall

The “cookie wall” (also called “tracking wall”) implements a different form of barrier, placed by the following alternative: either you accept the use of cookies or you do not access the site.

The version of the ePrivacy regulation approved on 26/10/2017 by the EU Parliament in first reading, carried an explicit prohibition for cookie walls [art. 8 (1) (1) (b)], welcomed by the EDPB which ruled in the same sense (guidelines 05/2020, §39).

The CNIL had done the same but its provision was reformed on this point by the Council of State because the CNIL could not have declared its illegitimacy in general in the absence of specific provision of law.

The cookie wall is considered in violation of the requirement of “free” consent enshrined in the GDPR [art. 4 (11) and 7 (4)]; flaws that affect the freedom of consent are:

  • situations of imbalance
  • conditionality
  • detrimental effects.

Recital (43) of the GDPR clarifies that consent cannot be freely given «where there is a clear imbalance between the data subject and the controller, (…) and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.». The recital concerns public authorities, but it also includes companies in a dominant market position (eg in the area of relevant social networking services, as in the case of Facebook).

There is conditionality when the release of consent is linked to the provision of a service or the execution of a contract. The Recital (43) of the GDPR highlights that consent is not free «if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance».

An example of a detrimental effect is precisely the cookie wall in which the data subject is unable to refuse or withdraw consent without suffering prejudice [recital (42) of the GDPR).

After previous versions of the Council which had removed the clarification of this prohibition – with the expressed regret of the EDPB – the final proposal approved on 10 February 2021 tackles the issue again trying to move within the narrow margins of recitals (42) and (43) of the GDPR.

 

The newly proposed recital in the version approved by the Council reads as follows:

«In contrast to access to website content provided against monetary payment, where access is provided without direct monetary payment and is made dependent on the consent of the end-user to the storage and reading of cookies for additional purposes, requiring such consent would normally not be considered as depriving the end-user of a genuine choice if the end-user is able to choose between services, on the basis of clear, precise and user-friendly information about the purposes of cookies and similar techniques, between an offer that includes consenting to the use of cookies for additional purposes on the one hand, and an equivalent offer by the same provider that does not involve consenting to data use for additional purposes, on the other hand. Conversely, in some cases, making access to website content dependent on consent to the use of such cookies may be considered, in the presence of a clear imbalance between the end-user and the service provider as depriving the end-user of a genuine choice. This would normally be the case for websites providing certain services, such as those provided by public authorities. Similarly, such imbalance could exist where the end-user has only few or no alternatives to the service, and thus has no real choice as to the usage of cookies for instance in case of service providers in a dominant position.

To the extent that use is made of processing and storage capabilities of terminal equipment and information from end-users’ terminal equipment is collected for other purposes than for what is necessary for the purpose of providing an electronic communication service or for the provision of the service requested, consent should be required. In such a scenario, consent should normally be given by the end-user who requests the service from the provider of the service».