Cookie Walls: Are They GDPR Compliant?

A cookie wall is a pop-up that restricts or blocks access to your website until the user accepts your cookie usage.

If you haven’t heard, the use of cookie walls are not compliant with data privacy laws like the General Data Privacy Regulation (GDPR) and ePrivacy Directive in most circumstances.

While you can still use cookie walls on your website without violating the European Union (EU) GDPR, this is only allowed when you fulfill strict conditions.

Furthermore, cookie walls are obsolete under the California Consumer Privacy Act (CCPA).

In this article, we go over what a cookie wall is, discuss its legality and how you can use them in GDPR-compliant ways. In addition, we will present you with alternative ways you can request consent for cookies and remain compliant with relevant data privacy laws.

Table of Contents

What Is a Cookie Wall?
What Does a Cookie Wall Look Like?
Are Cookie Walls Legal in the EU?
Are Cookie Walls Allowed Under the GDPR?
What Does the CCPA Say About Cookie Walls?
Legal Cookie Wall Alternatives
What Not To Do
Cookie Wall FAQ
Summary

A cookie wall is a pop-up on your website that asks your users to accept or deny website tracking and cookies, but if they choose not to consent, it limits or blocks their access to your website.

Cookie walls don’t give your users the option to customize any of the data collection.

What Are Cookies?

Cookies are small text files of data websites like yours leave on users’ browsers, and you can learn more about the different types by checking out our helpful guide all about internet cookies.

Chances are high that your website uses cookies, and some might be considered essential because they are necessary data files that help your website function properly.

But all other cookies your website uses are considered non-essential and require user consent under laws like the GDPR and ePrivacy Directive because they qualify as personal information.

Cookie walls look like pop-up windows that appear as soon as an individual opens your webpage, but they may also appear as banners at the bottom of a screen.

Either way, it typically prompts your user to disable or allow the cookie and tracker settings, as shown in the example below.

Cookie-walls-pop-up-windows

A cookie wall forces your users to agree to cookies to use your website and denies them access to features if they opt out of consent.

By comparison, cookie banners comply with global privacy laws and allow your users to opt-in, opt-out, or withdraw consent for specific cookies and tracking at any time.

If you’re still using cookie walls, we have some news for you — the use of cookie walls in the EU is only allowed when you fulfill strict conditions determined by EU Data Protection Authorities.

You need to examine each EU country’s cookie wall requirements and satisfy their conditions.

Let’s now look at the major EU countries’ and the UK’s criteria for lawfulness of cookie walls.

Are Cookie Walls Legal in France?

Yes, cookie walls are legal in France but must meet specific criteria outlined by the French Data Protection Authority (CNIL).

CNIL provided guidance on cookie walls stating that there is no blanket ban on the use of cookie walls. However, a website can only implement cookie walls if it satisfies the following 5 criteria:

There must be a real and fair alternative to walled content or services
The price of paywall must be reasonable
User account creation must correspond to specified purposes
Pay/cookie walls must correspond to specified cookie purposes
Where an alternative to cookie walls is selected, cookies may only be deposited in limited circumstances

Are Cookie Walls Legal in the UK?

Cookie walls are legal in the UK, but you must follow specific guidelines to use them.

Similar to France, the UK Data Protection Authority, the Information Commissioner’s Office (ICO), does not prohibit the use of cookie walls if you meet certain conditions:

You must provide individuals with a genuine and free choice
Access to your services should not be conditional upon acceptance of cookie walls, unless cookies are necessary for that service

Are Cookie Walls Legal in Italy?

In Italy, cookie walls are not permitted. The Italian Data Protection Authority adopted new guidelines in 2021 that prohibited the use of cookie walls on Italian websites.

European Data Protection Board (EDPB) Update On Cookie Walls

On May 4, 2020, the EDPB updated their guidelines around online user consent.

In its Guidance, the EDPB stated that cookie walls prevent individuals from giving valid consent because they do not have a genuine choice whether to give or refuse consent.

Who is the EDPB?

The EDPB is the body responsible for ensuring entities and businesses consistently cooperate with the GDPR.

According to the board’s guideline updates:

Businesses cannot prevent users from accessing a service due to opting out of cookie consent
Accessing a service cannot be dependent on the use of cookie placement or similar technology on users’ browsers

While the EDPB’s Guidelines are not legally binding, they ensure uniform application of the GDPR across the EU and should be taken into account.

You are allowed to use cookie walls under the GDPR as long as you follow strict guidelines and understand that they do not meet any of the actual privacy guidelines outlined by the law.

In 2018, the GDPR expanded the cookie regulations outlined by the ePrivacy Directive, also called the EU Cookie Law.

The Cookie Law was the original legislation that required websites to get consent from users before storing, using, or retrieving their personal information, which includes the use of cookies.

Under the GDPR, you’re required to give users access to your content even if they choose to opt-out of your use of cookies

You must also ask for affirmative user consent and explain why and how you’re using the data before each cookie is placed on your users’ browsers.

The law defines user consent under article 4, section 11 as:

… freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement in the processing of personal data relating to him or her.”

So while there is no absolute ban on the use of cookie walls in the EU and the UK, you can only implement cookie walls when you satisfy strict conditions.

As we explained above, you need to look into the requirements determined by each EU country before you decide to use cookie walls.

You can use cookie walls under the jurisdiction of the California Consumer Protection Act (CCPA), but neither this law nor the amendments from the California Privacy Rights Act (CPRA) regulate cookie usage except for when minors are involved.

If your website or app falls under the CCPA or the CPRA, understand that cookie walls do not address any of the actual data privacy guidelines or requirements.

For example, the CCPA and CPRA state that you must inform your users about what personal data you track, including through cookies, why, and what you do with the data — but you do this with a cookie policy, not just a wall.

As you can see above, each EU country sets its own standards for legality of cookie walls and these are hard to fulfill. Furthermore, each EU country has different criteria for cookie walls and it may be time consuming to understand those nuances.

Therefore, you should consider alternative mechanisms.

The most common cookie wall alternatives you should consider using on your website are cookie consent banners and cookie consent managers.

Let’s go over each of these in more detail.

Legal Cookie Wall Alternative: Cookie Consent Banner

A cookie consent banner pops up as soon as a user enters your website and does not start using cookies until your users choose to accept, deny, or customize the different trackers.

Unlike cookie walls, cookie banners give your users three options:

Accept all cookies
Deny all cookies
Customize cookies

Under the GDPR and CCPA, you must provide your users with information about:

Your use of cookies
Why you collect them
Who you share the information with
How your users can withdraw consent at any time

So you must link to a cookie policy on your banner.

Below, see an example of our cookie consent banner that pops up whenever a new visitor comes to our site.

As you can see, we link to our cookie policy and consent preference center directly on our banner, following the guidelines outlined by the GDPR and the CCPA.

The screenshot below shows what our cookie options look like if you choose to change your preferences, which you can do at any time.

cookie-preferences-screenshot

We also always link to our cookie consent options in the footer of our website so our users have constant access to their consent controls, and recommend that you do, too.

You can do all of this and more by using our Cookie Banner Generator.

Legal Cookie Wall Alternative: Cookie Consent Managers

A cookie consent manager is an all-in-one compliance solution for businesses and helps your website or app create a cookie consent banner, cookie policy, and manage and track your users’ consent options.

We recommend you use a consent manager because a cookie banner alone is not enough for your website or app to comply with laws like the GDPR and the CCPA.

You can try out our Cookie Consent Manager, which was built by our legal team, data privacy experts, and our product engineers to ensure your business uses cookies in accordance with global data privacy laws.

In just a few clicks, our cookie consent manager can:

Detect, scan, categorize, and auto-block cookies
Customize and create a cookie consent banner to collect consent and offer a preference center for your users
Create a cookie policy with automatic updates and consent logs, generate a Do Not Sell My Info link, and create DSAR forms

You know what else is great about our legal team?

They help us update all of our tools whenever data privacy laws change, so you can trust that our Cookie Consent Manager always complies with the privacy laws that affect you and your business.

What Not To Do

If you rely on cookies and must remain compliant with the GDPR, the ePrivacy Directive, the CCPA, or other regulations impacting cookie usage, you should avoid some common workarounds, like:

Blocking regional users
Sneaky workarounds

Let’s go over what not to do now that you know cookie walls are officially out.

Don’t Try to Block Regional Users

To avoid falling under the GDPR, you might attempt to block all European Economic Area (EEA) countries from using your website, but this is not recommended.

Doing so prevents millions of users from one of the largest economic areas in the world from engaging with your business, and the methods to analyze and identify European IP addresses are often unreliable.

You might try the same thing and block all California residents to avoid CCPA regulations, but doing so is nearly impossible.

We don’t recommend blocking users from your website or app based on their location, the technology is too imperfect, and you could still be found in non-compliance under the major data privacy laws.

Don’t Try Sneaky Workarounds

You should not attempt workaround tactics regarding your users’ cookie consent options.

Workarounds tactics are sometimes referred to as nudging and include techniques like:

Publishing pre-ticked checkboxes and claiming that counts as user consent
Making the “deny consent” options smaller or less prominent than your opt-in options
Using biased language to dissuade your users from denying consent
Requiring multiple clicks from your users to deny consent
Making it burdensome or difficult for your users to deny consent

If you try any of these workarounds, you’re putting your company at risk. If someone files a complaint against your website or application, data protection authorities could find you non-compliant with the GDPR or the CCPA.

What are your possible penalties?

GDPR: 4% of your gross annual revenue or €24 million ($23 million), whatever is highest
CCPA: $2,500 per incident, $7,500 per intentional incident

Don’t Rely on a DIY-Approach

You might be tempted to try and do all of the cookie compliance requirements yourself, but this is not recommended unless you:

Work with a lawyer
Have extensive knowledge about the data privacy laws that affect you
And have the technical skills required to manage your users’ consent choices

A do-it-yourself approach like this is very time consuming, challenging, and may put your company at risk if anything ever falls through the cracks.

There’s no reason to reinvent the wheel when many great cookie consent managers already exist.

For instance, our Cookie Consent Manager is in accordance with laws in the following 27 regions:

Argentina
Australia
Brazil
Canada
Chile
China
Colombia
Czech Republic
EU
Hong Kong
India
Japan
Kazakhstan
Malaysia
Mexico
Morocco
New Zealand
Nigeria
Philippines
Singapore
South Africa
South Korea
Switzerland
Taiwan
Turkey
United Kingdom
United States

At the very least, use our free website cookie scanner to help you determine what cookies your website uses.

Take a look at some of the most common questions we get about cookie walls:

What is a cookie wall?

A cookie wall is a pop-up that appears on your website or app and asks your users to accept or deny cookies, but if they choose not to accept, their access to your services is denied or limited.

How does a cookie wall work?

Cookie walls work like pop-ups that appear as soon as a user lands on your webpage, they can accept all cookies to gain access to your site or deny all cookies and not use your services.

Are Cookie Walls Legal?

In most cases, cookie walls are not compliant with the GDPR or the ePrivacy Directive. Cookie walls are only allowed under very specific conditions. They are not necessary under the CCPA.

What Should I Use Instead of a Cookie Wall?

You should use a cookie consent banner and a cookie consent manager instead of a cookie wall.

Cookie consent banners let your users customize their consent choices for different cookies and data tracking.

Cookie consent managers help you:

Determine what cookies your website uses
Create a cookie policy to share the appropriate information with your users required by laws like the GDPR and the CCPA
Track your users’ consent options

Summary

If your company falls under data privacy laws like the GDPR, cookie walls are not recommended; you would be better off with consent banners.

Cookie walls don’t meet any of the requirements outlined by the GDPR and each EU country has different criteria for cookie walls, so using them legally could become a time-consuming process.

Make sure your website or app uses an up-to-date cookie consent manager instead of the outdated, obsolete cookie wall.

More about the author

Written by Ali Talip Pınarbaşı, CIPP/E, & LLM

Ali is a London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London. He has three years of experience in advising businesses on how to comply data protection laws. More about the author

Michigan Personal Data Privacy Act: First Look & Summary

98 Biggest Data Breaches, Hacks, and Exposures [2023 Update]

CCPA vs. CPRA: What's Different and What's the Same?

How to Prepare for a Future Cookieless World

How To Add a Cookie Policy to Your Website

Are Cookies Personal Data?

Discussing Data Transparency with Privacy Experts

What Is a Privacy Center and Do You Need One

Data Subject Access Requests (DSAR) Guide & How-To