Cookie Walls: Are They GDPR Compliant?

A cookie wall is a pop-up that restricts or blocks access to your website until the user accepts your cookie usage.

Using cookie walls is not compliant with data privacy laws like the General Data Privacy Regulation (GDPR) and ePrivacy Directive unless you meet strict conditions.

Furthermore, cookie walls are obsolete under the California Consumer Privacy Act (CCPA).

In this article, learn what a cookie wall is, how you can and can’t use one in GDPR-compliant ways, and alternative solutions to request consent for cookies.

Table of Contents

What Is a Cookie Wall?
What Does a Cookie Wall Look Like?
Are Cookie Walls Legal in the EU?
Are Cookie Walls Allowed Under the GDPR?
What Does the CCPA Say About Cookie Walls?
Legal Cookie Wall Alternatives
What Not To Do
Cookie Wall FAQ
Summary

A cookie wall is a pop-up on your website that asks users to accept or deny website tracking and cookies, but if they choose not to consent, it limits or blocks their access to the website.

Cookie walls don’t give your users the option to customize any of the data collection.

What Are Cookies?

Most websites use cookies, which are small text files of data websites leave on users’ browsers.

Some are considered essential because they’re necessary for a website to function properly.

But all other cookies are considered non-essential and require user consent under laws like the GDPR and ePrivacy Directive because they qualify as personal information.

Cookie walls look like pop-up windows or banners that appear on screen as soon as an individual opens a webpage.

It typically features cookie text that prompts users to disable or allow cookie and tracker settings, as shown in the example below.

Cookie-Wall-Graphics

A cookie wall forces users to agree to cookies to use your website and denies them access to features if they opt out of consent.

By comparison, cookie banners comply with global privacy laws and allow users to opt-in, opt-out, or withdraw consent for specific cookies and tracking at any time.

The use of cookie walls in the EU is only allowed when you fulfill strict conditions determined by EU Data Protection Authorities.

You must examine each EU country’s cookie requirements and satisfy their conditions.

Let’s now look at the major EU countries’ and the UK’s criteria for lawfulness of cookie walls.

Are Cookie Walls Legal in France?

Yes, cookie walls are legal in France but must meet specific criteria outlined by the French Data Protection Authority (CNIL).

CNIL provided guidance on cookie walls, stating that while there is no blanket ban on the use of cookie walls, websites can only implement one if it satisfies the following criteria:

There must be a real and fair alternative to walled content or services.
The price of the paywall must be reasonable.
User account creation must correspond to specified purposes.
Pay/cookie walls must correspond to specified cookie purposes.
Where an alternative to cookie walls is selected, cookies may only be deposited in limited circumstances.

Are Cookie Walls Legal in the UK?

Cookie walls are legal in the UK, but you must follow specific guidelines to use them.

Similar to France, the UK Data Protection Authority, the Information Commissioner’s Office (ICO), does not prohibit the use of cookie walls if you meet the following conditions:

You must provide individuals with a genuine and free choice.
Access to your services should not be conditional upon acceptance of cookie walls unless cookies are necessary for that service.

Are Cookie Walls Legal in Italy?

In Italy, cookie walls are not permitted.

The Italian Data Protection Authority adopted new guidelines in 2021 that prohibited the use of cookie walls on Italian websites.

European Data Protection Board (EDPB) Update on Cookie Walls

On May 4, 2020, the body responsible for ensuring entities and businesses consistently cooperate with the GDPR, the EDPB, updated their guidelines around online user consent.

The Guidelines state that cookie walls prevent individuals from giving valid consent because they don’t have a genuine, free choice.

According to the board’s updates:

Businesses cannot prevent users from accessing a service due to opting out of cookie consent
Accessing a service cannot be dependent on the use of cookie placement or similar technology on users’ browsers

While the EDPB’s Guidelines are not legally binding, they ensure uniform application of the GDPR across the EU and should be taken into account.

Cookie walls aren’t usually allowed under the GDPR unless they follow strict guidelines.

For example, if consent is your legal basis for using cookies, a cookie wall wouldn’t meet the privacy requirements outlined by the law, which defines user consent in Article 4 as:

“… freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement in the processing of personal data relating to him or her.”

Besides asking for affirmative user consent, the GDPR also requires you to explain why and how you’re using the data before each cookie is placed on your users’ browsers, which is not something that cookie walls accomplish.

Cookie walls may meet the obligations if you can prove a different legal basis, like fulfillment of a contract or legitimate interest, but this is more difficult to achieve.

As we explained above, you also need to look into the requirements determined by each EU country before you decide to use cookie walls.

You can use cookie walls under the jurisdiction of the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) so long as users can still opt out of the selling or sharing of their data and cookies used for targeted ads.

But if your website or app falls under the CCPA, understand that cookie walls don’t address any of the actual data privacy guidelines or requirements.

For example, the CCPA and CPRA state that you must inform your users about what personal data you track, including through cookies, why, and what you do with the data — but you do this with a cookie policy, not just a wall.

Each EU country has its own set of standards regarding the legality of cookie walls, and it can be time-consuming to understand and follow all of those nuances.

Instead, consider using alternative mechanisms to cookie walls, like consent banners and consent managers, which fully comply with all aspects of the GDPR.

Legal Cookie Wall Alternative: Cookie Consent Banner

A cookie consent banner is a great legal alternative to a wall because it pops up as soon as users enter your site and won’t deploy cookies until they choose to accept, deny, or customize the different trackers.

Unlike cookie walls, banners give your users three options:

Accept all cookies
Deny all cookies
Customize cookies

You can also link to a cookie policy on your banner, which meets the GDPR and CCPA requirements to inform users about:

Your use of cookies
Why you collect them
Who you share the information with
How your users can withdraw consent at any time

Below, see an example of the cookie consent banner that pops up on our site.

We link to our cookie policy and consent preference center directly on our banner, following the guidelines outlined by the GDPR and the CCPA.

The screenshot below shows what our cookie options look like if you choose to change your preferences, which you can do at any time.

termly-consent-preference-center-example

We also provide a link to our cookie consent options in the footer of our website so our users have constant access to their consent controls, and recommend you do the same.

You can do all this and more using our Cookie Banner Generator.

Legal Cookie Wall Alternative: Cookie Consent Managers

A cookie consent manager is an all-in-one compliance solution for businesses and helps your website or app create a cookie consent banner, cookie policy, and manage and track your users’ consent options.

We recommend you use a consent manager because a cookie banner alone is not enough for your website or app to comply with laws like the GDPR and the CCPA.

Our Cookie Consent Manager was built by our legal team and data privacy experts to help your business use cookies in accordance with global data privacy laws.

In just a few clicks, our cookie consent manager can:

Detect, scan, categorize, and auto-block cookies.
Customize and create a cookie consent banner to collect consent and offer a preference center for your users.
Create a cookie policy with automatic updates and consent logs, generate a Do Not Sell My Info link, and create DSAR forms

We update our tools regularly, so you can trust that our Cookie Consent Manager meets the standards of existing and new privacy laws that may affect your business.

What Not To Do

Let’s go over what not to do when adding a cookie wall or banner to your GDPR-compliant site.

Don’t Try to Block Regional Users

To avoid falling under the GDPR, you might attempt to block all European Economic Area (EEA) countries from using your website, but this is not recommended.

Doing so prevents millions of users in one of the largest economic areas in the world from engaging with your business, and the methods to analyze and identify European IP addresses are often unreliable.

Because the technology is imperfect, you could still be found in violation of data privacy laws, so this workaround is not worthwhile.

Don’t Try Sneaky Workarounds

You should not attempt sneaky workaround tactics regarding your users’ cookie consent options, like:

Publishing pre-ticked checkboxes and claiming that counts as user consent.
Making the “deny consent” options smaller or less prominent than your opt-in options.
Using biased language to dissuade your users from denying consent.
Requiring multiple clicks from your users to deny consent.
Making it burdensome or difficult for your users to deny consent.

Implementing these workarounds puts your company at risk because someone could file a complaint against your website or app, and data protection authorities could find you in violation of the GDPR or CCPA.

The penalties for noncompliance are significant:

GDPR: 4% of your gross annual revenue or €24 million ($23 million), whatever is highest
CCPA: $2,500 per incident, $7,500 per intentional incident

Don’t Rely on a DIY-Approach

You might be tempted to do all of the cookie compliance requirements yourself, but this isn’t recommended unless you:

Work with a lawyer
Have extensive knowledge about the data privacy laws that affect you
Have the technical skills required to manage your users’ consent choices

A DIY approach is very time-consuming, challenging, and may put your company at risk if anything falls through the cracks.

Rather than reinvent the wheel, many great solutions already exist, like our Cookie Consent Manager, which is configurable to comply with cookie requirements in the following regions:

Argentina
Australia
Brazil
Canada
Chile
China
Colombia
Czech Republic
EU
Hong Kong
India
Japan
Kazakhstan
Malaysia
Mexico
Morocco
New Zealand
Nigeria
Philippines
Singapore
South Africa
South Korea
Switzerland
Taiwan
Turkey
United Kingdom
United States

Take a look at some of the most common questions we get about cookie walls:

What is a cookie wall?

A cookie wall is a pop-up that appears on your website or app and asks your users to accept or deny cookies, but if they choose not to accept, their access to your services is denied or limited.

How does a cookie wall work?

Cookie walls work like pop-ups that appear as soon as a user lands on your webpage, they can accept all cookies to gain access to your site or deny all cookies and not use your services.

Are Cookie Walls Legal?

In most cases, cookie walls are not compliant with the GDPR or ePrivacy Directive and are only allowed under very specific conditions. They are not necessary under the CCPA.

What Should I Use Instead of a Cookie Wall?

You should use a cookie consent banner and consent manager instead of a cookie wall.

Cookie consent banners let your users customize their consent choices for different cookies and data tracking.

Cookie consent managers help you:

Determine what cookies your website uses
Create a cookie policy to share the appropriate information with your users required by laws like the GDPR and the CCPA
Track your users’ consent options

Summary

If your company falls under data privacy laws like the GDPR, cookie walls are not recommended — you’re better off with consent banners.

Cookie walls don’t meet the GDPR consent requirements, and using them legally is time-consuming because EU member states have different criteria in place for implementing them.

Make sure your website or app uses an up-to-date cookie consent manager instead of the outdated, obsolete cookie wall.

More about the author

Written by Ali Talip Pınarbaşı, CIPP/E, & LLM

Ali is a London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London. He has three years of experience in advising businesses on how to comply data protection laws. More about the author

What Is Consent Management? Simplified For Businesses

New Jersey Data Privacy Act: First Look & Summary

What Is the IAB’s Global Privacy Platform (IAB GPP)?

American Privacy Rights Act (APRA): First Look & Summary

109 Biggest Data Breaches, Hacks, and Exposures as of 2024

New Zealand Data Privacy Act 2020 Explained

7-Step CPRA Compliance Requirements Checklist

CCPA vs. CPRA: What's Different and What's the Same?

CPRA: California Privacy Rights Act