Are the GEDI Group’s cookie banners compliant with the GDPR?

In recent weeks, cookies have received a great deal of attention in Italy after the Italian media conglomerate GEDI Gruppo Editoriale S.p.A. implemented new cookie banners across a number of its websites (e.g., La Repubblica, La Stampa, Huffpost, Il Secolo XIX). GEDI is not alone, however, as other major Italian newspapers, such as Corriere della Sera, have also implemented similar banners.

By way of example, La Repubblica’s cookie banner (translated from Italian) reads: “Revenues obtained from personalized advertising help us support the work of our editorial team, which is committed to providing you with quality information every day. That is why we ask your consent to the use of cookies or similar technologies for purposes other than those which are strictly necessary, as specified in the cookie policy. You are free to refuse at any time by accessing this policy, but if you do, we will ask you to subscribe to one of our subscriptions.” The banner provides two options: 1) accept all cookies or 2) refuse to provide consent to the installation of cookies and purchase a subscription. But is such a cookie banner lawful under the European and Italian legal frameworks?

Several viral tweets have been circulating on the Italian Twittersphere asking just that and calling for an intervention by the Italian Data Protection Authority (Italian DPA or Garante per la protezione dei dati personali). In response to this public outcry, on 18 October 2022, the Italian DPA announced that “in addition to the newspapers, companies operating on the Internet in the television sector have deployed systems and filters, which condition access to content to a subscription (so-called paywall) or, alternatively, to the provision of consent by users to the installation of cookies and other tracking tools (so-called cookie wall)”. As such, the Italian DPA “is examining these initiatives in light of the current regulatory framework, also with a view to assess the adoption of possible action on the matter.”

On 21 October 2022, the Italian DPA published a second press release on the matter, which notes that European data protection legislation does not, in principle, preclude the owner of a site from making access to content, by users, conditional on their consent for profiling purposes (through cookies or other tracking tools) or, alternatively, the payment of a sum of money. In any case, the DPA confirmed that it “is opening a series of investigations to ascertain the compliance of these initiatives with European law.”

Relevant case law

When considering the lawfulness of the approach taken by GEDI, I immediately recalled a similar case from the Austrian DPA in which a data subject had complained about the cookie banner of an Austrian newspaper. In this case, however, readers were provided with three possibilities when attempting to access the website: 1) the reader could accept advertising and analytics cookies to access the entirety of the website, 2) the reader could refuse the installation of cookies and access limited content, or 3) the reader could purchase a subscription (EUR 6 per month) and access the website in its entirety without having to consent to cookies and other tracking technologies.

The Austrian DPA found the case to present two specific issues, the first being whether or not the newspaper had encouraged the complainant to provide consent which did not comply with the GDPR and thus violated their right to confidentiality (the complainant alleged that the consent was not voluntary and did not comply with Art. 7 GDPR, also because “the provision of the service depends on consent to the processing of personal data”); and secondly, if the newspaper had violated the complainant’s right to object or if there was a lack of possibility to revoke consent.

In its decision, the Austrian DPA noted that “According to Art. 7 GDPR and taking into account Art. 4(11) and Recital 43 GDPR, consent must be given voluntarily and may not be linked to the performance of a contract, even though the consent is not required for the performance of this contract. Consent is considered involuntary if a disadvantage is to be expected if the consent is not given.” The Authority recalled the Article 29 Working Party Guidelines on Consent which highlight that “consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra costs) if he/she does not consent. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will.”

The Austrian DPA noted that in its opinion, in this specific case, the “consequences of not giving consent are far from being a significant disadvantage and the data subject does not face any significant negative consequences”. It also recalled case law (DSK vom 8. März 2006, DSK 8.3.2006, K178.209/0006-DSK/2006; vgl. dazu auch Kotschy in Brodil (Hrsg), Datenschutz im Arbeitsrecht (2010) 3) and noted that it “must be taken into account that voluntary consent may be given if a certain processing operation also benefits the data subject in a recognizable way.” Because the website visitor in this case could receive full access to the website by providing their consent, it found that such access was “not restricted in any way and is equivalent in terms of the content to the conclusion of a … subscription”. Furthermore, according to the DPA, consent was provided freely and in accordance with Article 7 GDPR so the data subjects’ right to confidentiality was not violated.

The UK’s ICO, instead, has taken a notably different approach to an analogous situation. As reported by The Register, the ICO warned The Washington Post about its cookie banner, which required potential readers to purchase a subscription, costing $9.00 per month, to “switch off tracking and cookies”; two other options were presented which were “either free (for a limited number of articles) or $6 a month (for unlimited articles), the Post said readers must consent to the use of cookies, tracking and ads by the paper and third parties.” A statement from a case manager informed The Register that they were “of the view that the Washington Post has not complied with their Data Protection obligations…because they have not given users a genuine choice and control over how their data is used.” Thus, the ICO found such consent to be invalid and told the Washington Post that they “should now ensure that users of the Washington Post website have the option to access all levels of subscription without having to accept cookies.”

On consent and cookie walls

Website publishers, such as the newspapers cited above, are required to comply with applicable cookie legislation (namely, article 5(3) of the ePrivacy Directive, which is a lex specialis to the General Data Protection Regulation).

Article 5(3) of the ePrivacy Directive states that: “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

Article 5(3) of the ePrivacy Directive therefore establishes the requirement to request consent for the installation of certain types of cookies and other similar tracking technologies on users’ devices. The reference to Directive 95/46/EC now refers to the GDPR, which means that such consent is understood as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” (See Article 4(11) GDPR).

Of particular relevance to the examination underway is Article 7(4) GDPR, which states that “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.

The European Data Protection Board’s Guidelines 05/2020 on consent under Regulation 2016/679 provided much-needed clarifications with respect to the validity of consent in the context of cookie walls. Indeed, the section on conditionality (paragraphs 38-41) of the Guidelines has been updated and revised with respect to the Article 29 Working Party’s Guidelines on Consent and provides us with useful material for our analysis.

In paragraph 38, the EDPB stresses that consent is not to be considered as freely given where a controller argues that a choice exists between its service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by a different controller on the other hand. “In such a case, the freedom of choice would be made dependent on what other market players do and whether an individual data subject would find the other controller’s services genuinely equivalent. It would furthermore imply an obligation for controllers to monitor market developments to ensure the continued validity of consent for their data processing activities, as a competitor may alter its service at a later stage. Hence, using this argument means a consent relying on an alternative option offered by a third party fails to comply with the GDPR, meaning that a service provider cannot prevent data subjects from accessing a service on the basis that they do not consent.”

Following this logic, we can reasonably assume that individuals cannot be expected to rely on another newspaper providing equivalent information. As stated at the beginning of this blog, it also seems that multiple publishers, even potential competitors, are adopting the same kind of “cookie walls” as the GEDI Group.

In the following paragraph no. 39, the EDPB states that “In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)”. The EDPB’s Example 6a describes a cookie wall: “A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the ‘Accept cookies’ button”. According to the EDPB, because in such a scenario, “the data subject is not presented with a genuine choice, its consent is not freely given. This does not constitute valid consent, as the provision of the service relies on the data subject clicking the ‘Accept cookies’ button. It is not presented with a genuine choice.”

Guidelines on cookie walls

Below I provide details on the positions of the Italian, French and Dutch DPAs with respect to cookie walls.

  • Italian DPA

The Italian DPA’s Guidelines on Cookies and other Tracking Tools of 10 June 2021, published in the Official Journal of the Italian Republic No. 163 of 9 July 2021 and now in force, also cover cookie walls. Specifically, section 6.1 concerns cookie walls. The Italian DPA notes the need for further clarification concerning cookie walls, which it defines as “a ‘take it or leave it’ mechanism in which the user is obliged to give his or her consent to the reception of cookies or other tracking tools – since failing to do so will prevent him or her from accessing the site. Such a mechanism does not allow considering the consent obtained by its application as compliant with the requirements set out in the Regulation, in particular in Article 4 (11) thereof regarding ‘free’ consent”.

The DPA goes on to note that “accordingly, it is to be regarded as unlawful except where the website controller provides the data subject with the option of accessing equivalent content or services without giving his or her consent to the storage and use of cookies or other tracking tools – which will have to be verified on a case-by-case basis.” Furthermore, “an essential condition to be fulfilled is that the proposed alternative complies with the principles of the Regulation as laid down in Article 5 (1), and above all with letter (a) thereof whereby personal data shall be processed lawfully, fairly and in a transparent manner – that is to say, compliance with the principle of ‘lawfulness, fairness and transparency’ is paramount. Failing this, a cookie wall may not be deemed to be in line with the legislation in force.”

It is therefore clear that, as suggested by both the EDPB and the Italian DPA, such situations must be evaluated on a case-by-case basis and that the controller or publisher should:

  1. Provide the data subject with the possibility to access equivalent content or services without providing their consent to the installation of cookies;
  2. Ensure that the alternative service complies with the GDPR’s principles of lawfulness, fairness, and transparency.

The results of the Italian DPA’s investigations into the cookie walls, the focus of this blog, should their outcome be made public or result in the application of administrative sanctions, will provide necessary clarifications with respect to the same DPA’s cookie guidelines and the position of the DPA on the issue more generally.

  • French DPA

In May 2022, the French DPA published its “first evaluation criteria” on cookie walls, which is summarized below. According to the DPA, cookie walls can be attractive for websites as they allow them to “compensate for the loss of advertising revenue resulting from the absence of tracking devices by another method of remuneration”, e.g., by paying to access the website. Cookie walls were prohibited in the French DPA’s 2019 cookie guidelines; however, on 19 June 2020, the French Council of State decided that a general ban on cookie walls by the CNIL was not justified. The French Council of State argued that the freedom of consent of individuals must be assessed on a case-by-case basis, also taking into account the existence of a real and satisfactory alternative offered in case of refusal of cookies.  According to the CNIL’s updated cookie guidelines, making access to a website or service conditional upon the acceptance of cookies most likely infringes on the individual’s possibility to provide free consent. However, where the requirement of free consent “does not lead to a general prohibition of the practice of cookie walls, their legality must be assessed by taking into account the existence of real and satisfactory alternative(s) proposed in case of refusal of the cookies.”

In the context of cookie walls, the CNIL also notes that attention must be given to the information that is provided to individuals, as well as to any transfers of data outside the European Union that may be implicit in certain situations. Furthermore, it is important to consider if the individual who is refusing the cookies has a fair alternative to access the content. The website publisher must either be able to demonstrate that another publisher offers access to an alternative without a cookie wall or the publisher should provide a “real and fair alternative that allows access to the site and that does not require consent to the use of their data.”

Furthermore, any prices charged should be reasonable and should not prohibit the internet user from making a real choice, which will need to be analyzed on a case-by-case basis. Publishers must be able to justify the prices they set and the CNIL encourages publishers to publish their reasoning in order to promote transparency. The CNIL also “invites publishers to take into account, in the evaluation of the reasonable amount, the modes of consumption of the proposed service” and notes that publishers “may choose to use virtual wallets allowing micropayments to access a particular content or service in a fluid way and without the need for the Internet user to register their credit card data with the publisher.” When requiring the creation of an account, the publisher is required to ensure that doing so is in line with the intended purpose: e.g., this is the case “when it is a question of allowing a user who has chosen to take out a subscription (monthly or annual), to benefit from this subscription on other terminals”.

The publisher must also inform users of the use of their data and abide by the principle of data minimization. Where “the publisher wishes to reuse the data collected at the time of the creation of the account for other purposes, it will have to make sure that it has clearly informed the Internet user beforehand and to collect, if necessary, the consent of the Internet users for these new purposes.” While cookie walls are not strictly forbidden, the CNIL points out that the publisher is, in any case, required to be able to demonstrate that the “cookie wall is limited to those purposes that allow fair payment for the service offered.” This means, for example, that “if a publisher considers that the remuneration of its service depends on the revenues it could obtain from targeted advertising, only the consent to this purpose should be necessary to access the service: the refusal to consent to other purposes (personalization of the editorial content, etc.) should not then prevent access to the content of the site.”

Along these lines, publishers in France are required to clearly inform Internet users of the purposes for which consent is necessary to access the service, and where it is not necessary. Furthermore, the CNIL states that “targeted advertising and personalization of editorial content are two different purposes that must be distinguished when determining the purposes for which access to the service is granted.”

Lastly, in cases where a user pays to access content or a service without consenting to cookies, the CNIL clarifies that no cookies which require the consent of the user should be deposited. However, the Authority notes that it is possible, on a case-by-case basis, for the publisher to request the user’s consent for the installation of cookies “when they are imposed to access content hosted on a third-party site (for example, to view a video hosted by a third-party site) that requires the use of a cookie that is not strictly necessary, or to access a service requested by the user (for example, to provide access to sharing buttons on social networks)”. The consent of the user could then be collected using a dedicated window “displayed when the user wishes to activate the content and in which he/she will have to be clearly informed about:

  • the fact that the activation of the external content, or the use of the sharing buttons, requires consent to the deposit of tracers by specifying the purpose(s) of the tracers used as well as a link to the privacy policy, in French, of the external content provider;
  • the possibility of easily withdrawing consent at any time;
  • the consequences of refusing or withdrawing consent to the deposit of cookies, including the impossibility of accessing the external content.
  • …the Internet user must always have the possibility of going to the site’s settings to consent to certain uses (for example, the personalization of editorial content).”

  • Dutch DPA

The Dutch DPA has also clearly stated in its FAQ on cookies that “Cookie walls are not allowed under the GDPR” because cookie walls do not allow for publishers to obtain valid consent under the GDPR. More specifically, the Dutch DPA notes that consent is “not freely given, because website visitors cannot access the website without giving their consent. Under the GDPR, consent is not ‘free’ if someone has no real or free choice. Or if the person cannot refuse to give permission without adverse consequences.”

Conclusion

Also of interest, in August 2021, NOYB filed several complaints against Austrian news websites including SPIEGEL.de, Zeit.de, heise.de, FAZ.net, derStandard.at, krone.at and t-online.de after such websites requested “their users to either agree to data being passed on to hundreds of tracking companies (which generates a few cents of revenue for the website) or take out a subscription (for up to € 80 per year)”, questioning if such “consent [can] be considered ‘freely given’ if the alternative is to pay 10, 20 or 100 times the market price of your data to keep it to yourself?”

It will be interesting to see how both the Italian and Austrian DPAs decide in these cases, which will provide necessary clarifications with respect to the lawfulness of cookie walls. To this end, I would really like to see the ePrivacy Regulation take a definitive stance on cookie walls so as to harmonize cookie rules across Europe, something we can all agree is very much needed.

Relevant Guidelines and statements:

  • Article 29 Working Party Working Document 02/2013 providing guidance on obtaining consent for cookies (available here)
  • Article 29 Working Party Guidelines on consent under Regulation 2016/679 (available here)
  • Austrian Data Protection Authority (‘DSB’), FAQ about cookies and data protection (dsb.gv.at), 25 May 2022 (available here)
  • Dutch Data Protection Authority (Autoriteit Persoonsgegevens), Websites must remain accessible if tracking cookies are refused, 7 March 2019 (available here)
  • Dutch Data Protection Authority (Autoriteit Persoonsgegevens), FAQ on cookies (available here)
  • European Data Protection Board (‘EDPB’) Guidelines 05/2020 on consent under Regulation 2016/679. Adopted on 4 May 2020 (available here)
  • French Data Protection Authority (‘CNIL’), Délibération n° 2020-092 du 17 septembre 2020 portant adoption d’une recommandation proposant des modalités pratiques de mise en conformité en cas de recours aux « cookies et autres traceurs » (available in French here)
  • French Data Protection Authority (‘CNIL’), Cookie walls: the CNIL publishes the first evaluation criteria, May 16 2022 (available here)
  • French Council of State (Conseil d’État), CNIL Guidelines on Cookies and Other Connection Tracers (conseil-etat.fr), 19 June 2020 (available here)
  • Italian Data Protection Authority, Guidelines on Cookies and other Tracking Tools of 10 June 2021 (available in the Italian language here)
  • Spanish AEPD on cookie walls, The AEPD updates its Guide on the use of cookies to adapt it to the new guidelines of the European Data Protection Board, July 28 2020 (document available in Spanish: guia-cookies.pdf (aepd.es))
  • UK Information Commissioner’s Office (‘ICO’) Guidance on the use of cookies and similar technologies (available here)
