A cookie wall is a pop-up that restricts or blocks access to your website until the user accepts your cookie usage.
If you haven’t heard, the use of cookie walls are not compliant with data privacy laws like the General Data Privacy Regulation (GDPR) and ePrivacy Directive in most circumstances.
While you can still use cookie walls on your website without violating the European Union (EU) GDPR, this is only allowed when you fulfill strict conditions.
Furthermore, cookie walls are obsolete under the California Consumer Privacy Act (CCPA).
In this article, we go over what a cookie wall is, discuss its legality and how you can use them in GDPR-compliant ways. In addition, we will present you with alternative ways you can request consent for cookies and remain compliant with relevant data privacy laws.
What Is a Cookie Wall?
A cookie wall is a pop-up on your website that asks your users to accept or deny website tracking and cookies, but if they choose not to consent, it limits or blocks their access to your website.
Cookie walls don’t give your users the option to customize any of the data collection.
What Are Cookies?
Cookies are small text files of data websites like yours leave on users’ browsers, and you can learn more about the different types by checking out our helpful guide all about internet cookies.
But all other cookies your website uses are considered non-essential and require user consent under laws like the GDPR and ePrivacy Directive because they qualify as personal information.
What Does a Cookie Wall Look Like?
Cookie walls look like pop-up windows that appear as soon as an individual opens your webpage, but they may also appear as banners at the bottom of a screen.
Either way, it typically prompts your user to disable or allow the cookie and tracker settings, as shown in the example below.
A cookie wall forces your users to agree to cookies to use your website and denies them access to features if they opt out of consent.
By comparison, cookie banners comply with global privacy laws and allow your users to opt-in, opt-out, or withdraw consent for specific cookies and tracking at any time.
Are Cookie Walls Legal in the EU?
If you’re still using cookie walls, we have some news for you — the use of cookie walls in the EU is only allowed when you fulfill strict conditions determined by EU Data Protection Authorities.
You need to examine each EU country’s cookie wall requirements and satisfy their conditions.
Let’s now look at the major EU countries’ and the UK’s criteria for lawfulness of cookie walls.
Are Cookie Walls Legal in France?
Yes, cookie walls are legal in France but must meet specific criteria outlined by the French Data Protection Authority (CNIL).
CNIL provided guidance on cookie walls stating that there is no blanket ban on the use of cookie walls. However, a website can only implement cookie walls if it satisfies the following 5 criteria:
- There must be a real and fair alternative to walled content or services
- The price of paywall must be reasonable
- User account creation must correspond to specified purposes
- Pay/cookie walls must correspond to specified cookie purposes
- Where an alternative to cookie walls is selected, cookies may only be deposited in limited circumstances
Are Cookie Walls Legal in the UK?
Cookie walls are legal in the UK, but you must follow specific guidelines to use them.
Similar to France, the UK Data Protection Authority, the Information Commissioner’s Office (ICO), does not prohibit the use of cookie walls if you meet certain conditions:
- You must provide individuals with a genuine and free choice
- Access to your services should not be conditional upon acceptance of cookie walls, unless cookies are necessary for that service
Are Cookie Walls Legal in Italy?
In Italy, cookie walls are not permitted. The Italian Data Protection Authority adopted new guidelines in 2021 that prohibited the use of cookie walls on Italian websites.
European Data Protection Board (EDPB) Update On Cookie Walls
On May 4, 2020, the EDPB updated their guidelines around online user consent.
In its Guidance, the EDPB stated that cookie walls prevent individuals from giving valid consent because they do not have a genuine choice whether to give or refuse consent.
Who is the EDPB?
The EDPB is the body responsible for ensuring entities and businesses consistently cooperate with the GDPR.
According to the board’s guideline updates:
- Businesses cannot prevent users from accessing a service due to opting out of cookie consent
- Accessing a service cannot be dependent on the use of cookie placement or similar technology on users’ browsers
While the EDPB’s Guidelines are not legally binding, they ensure uniform application of the GDPR across the EU and should be taken into account.
Are Cookie Walls Allowed Under the GDPR?
You are allowed to use cookie walls under the GDPR as long as you follow strict guidelines and understand that they do not meet any of the actual privacy guidelines outlined by the law.
In 2018, the GDPR expanded the cookie regulations outlined by the ePrivacy Directive, also called the EU Cookie Law.
You must also ask for affirmative user consent and explain why and how you’re using the data before each cookie is placed on your users’ browsers.
The law defines user consent under article 4, section 11 as:
… freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement in the processing of personal data relating to him or her.”
So while there is no absolute ban on the use of cookie walls in the EU and the UK, you can only implement cookie walls when you satisfy strict conditions.
As we explained above, you need to look into the requirements determined by each EU country before you decide to use cookie walls.
What Does the CCPA Say About Cookie Walls?
You can use cookie walls under the jurisdiction of the California Consumer Protection Act (CCPA), but neither this law nor the amendments from the California Privacy Rights Act (CPRA) regulate cookie usage except for when minors are involved.
If your website or app falls under the CCPA or the CPRA, understand that cookie walls do not address any of the actual data privacy guidelines or requirements.
Legal Cookie Wall Alternatives
As you can see above, each EU country sets its own standards for legality of cookie walls and these are hard to fulfill. Furthermore, each EU country has different criteria for cookie walls and it may be time consuming to understand those nuances.
Therefore, you should consider alternative mechanisms.
The most common cookie wall alternatives you should consider using on your website are cookie consent banners and cookie consent managers.
Let’s go over each of these in more detail.
Legal Cookie Wall Alternative: Cookie Consent Banner
A cookie consent banner pops up as soon as a user enters your website and does not start using cookies until your users choose to accept, deny, or customize the different trackers.
Unlike cookie walls, cookie banners give your users three options:
- Accept all cookies
- Deny all cookies
- Customize cookies
Under the GDPR and CCPA, you must provide your users with information about:
- Why you collect them
- Who you share the information with
- How your users can withdraw consent at any time
Below, see an example of our cookie consent banner that pops up whenever a new visitor comes to our site.
The screenshot below shows what our cookie options look like if you choose to change your preferences, which you can do at any time.
We also always link to our cookie consent options in the footer of our website so our users have constant access to their consent controls, and recommend that you do, too.
You can do all of this and more by using our Cookie Banner Generator.
Legal Cookie Wall Alternative: Cookie Consent Managers
We recommend you use a consent manager because a cookie banner alone is not enough for your website or app to comply with laws like the GDPR and the CCPA.
In just a few clicks, our cookie consent manager can:
- Detect, scan, categorize, and auto-block cookies
- Customize and create a cookie consent banner to collect consent and offer a preference center for your users
You know what else is great about our legal team?
They help us update all of our tools whenever data privacy laws change, so you can trust that our Cookie Consent Manager always complies with the privacy laws that affect you and your business.
What Not To Do
If you rely on cookies and must remain compliant with the GDPR, the ePrivacy Directive, the CCPA, or other regulations impacting cookie usage, you should avoid some common workarounds, like:
- Blocking regional users
- Sneaky workarounds
Let’s go over what not to do now that you know cookie walls are officially out.
Don’t Try to Block Regional Users
To avoid falling under the GDPR, you might attempt to block all European Economic Area (EEA) countries from using your website, but this is not recommended.
Doing so prevents millions of users from one of the largest economic areas in the world from engaging with your business, and the methods to analyze and identify European IP addresses are often unreliable.
You might try the same thing and block all California residents to avoid CCPA regulations, but doing so is nearly impossible.
We don’t recommend blocking users from your website or app based on their location, the technology is too imperfect, and you could still be found in non-compliance under the major data privacy laws.
Don’t Try Sneaky Workarounds
You should not attempt workaround tactics regarding your users’ cookie consent options.
Workarounds tactics are sometimes referred to as nudging and include techniques like:
- Publishing pre-ticked checkboxes and claiming that counts as user consent
- Making the “deny consent” options smaller or less prominent than your opt-in options
- Using biased language to dissuade your users from denying consent
- Requiring multiple clicks from your users to deny consent
- Making it burdensome or difficult for your users to deny consent
If you try any of these workarounds, you’re putting your company at risk. If someone files a complaint against your website or application, data protection authorities could find you non-compliant with the GDPR or the CCPA.
What are your possible penalties?
- GDPR: 4% of your gross annual revenue or €24 million ($23 million), whatever is highest
- CCPA: $2,500 per incident, $7,500 per intentional incident
Don’t Rely on a DIY-Approach
You might be tempted to try and do all of the cookie compliance requirements yourself, but this is not recommended unless you:
- Work with a lawyer
- Have extensive knowledge about the data privacy laws that affect you
- And have the technical skills required to manage your users’ consent choices
A do-it-yourself approach like this is very time consuming, challenging, and may put your company at risk if anything ever falls through the cracks.
There’s no reason to reinvent the wheel when many great cookie consent managers already exist.
For instance, our Cookie Consent Manager is in accordance with laws in the following 27 regions:
- Czech Republic
- Hong Kong
- New Zealand
- South Africa
- South Korea
- United Kingdom
- United States
At the very least, use our free website cookie scanner to help you determine what cookies your website uses.
Cookie Wall FAQ
Take a look at some of the most common questions we get about cookie walls:
What is a cookie wall?
A cookie wall is a pop-up that appears on your website or app and asks your users to accept or deny cookies, but if they choose not to accept, their access to your services is denied or limited.
How does a cookie wall work?
Cookie walls work like pop-ups that appear as soon as a user lands on your webpage, they can accept all cookies to gain access to your site or deny all cookies and not use your services.
Are Cookie Walls Legal?
In most cases, cookie walls are not compliant with the GDPR or the ePrivacy Directive. Cookie walls are only allowed under very specific conditions. They are not necessary under the CCPA.
What Should I Use Instead of a Cookie Wall?
You should use a cookie consent banner and a cookie consent manager instead of a cookie wall.
Cookie consent banners let your users customize their consent choices for different cookies and data tracking.
Cookie consent managers help you:
- Determine what cookies your website uses
- Track your users’ consent options
If your company falls under data privacy laws like the GDPR, cookie walls are not recommended; you would be better off with consent banners.
Cookie walls don’t meet any of the requirements outlined by the GDPR and each EU country has different criteria for cookie walls, so using them legally could become a time-consuming process.
Make sure your website or app uses an up-to-date cookie consent manager instead of the outdated, obsolete cookie wall.