The Draft ePrivacy Regulation Would Create Two Conflicting Consent Standards In EU Law

The European Council agreed its position on ePrivacy rules on 10 Feb. The upcoming ePrivacy Regulation is a long-awaited result of four years’ debate among EU representatives.

The draft now requires approval from the European Parliament.

A critical provision of the Regulation will clarify the lawfulness of “cookie walls”. It appears that the Council’s approved draft will legalise cookie walls.

The end-user should have a genuine choice on whether to accept cookies or similar identifiers. Making access to a website dependent on consent to the use of cookies for additional purposes as an alternative to a paywall will be allowed if the user is able to choose between that offer and an equivalent offer by the same provider that does not involve consenting to cookies.

This would lead to two conflicting definitions of consent under EU law.

What Is a Cookie Wall?

Cookie walls are interfaces that prevent a person from accessing a website or service unless they agree to non-essential tracking cookies.

Here’s a cookie wall in action, from the Washington Post website:


Washington Post offers “free” and discounted access to its website for people who “consent to the use of cookies and tracking”. People willing to pay €7 per month get “no on-site advertising or third-party ad tracking.”

Why does Washington Post do this? 

Washington Post gains revenue from on-site tracking. The current rules, under the ePrivacy Directive, require website operators (and others) to get consent before setting non-essential cookies on people’s devices. Therefore, the news outlet decided it would offer people a choice about tracking, but declining tracking would incur a fee.

Cookie Walls and the GDPR

It has long been clear that cookie walls are not compatible with the GDPR’s definition of “consent”. The GDPR requires consent to be “freely given” — not given in order to avoid paying €7 per month.

But interpretations varied among EU Member States, with some Data Protection Authorities (DPAs) explicitly or implicitly allowing them.

In May 2020, the European Data Protection Board (EDPB) settled the matter in new guidelines on consent:

In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)


Cookie Walls and the ePrivacy Regulation

The ePrivacy Regulation was supposed to pass into law alongside the GDPR, but it missed the mark by nearly half a decade. 

This misalignment between the two laws is part of the reason the internet has looked like such a mess for the past few years, as website operators set up cookie banners based on increasingly obtuse misinterpretations of the rules.

The “cookie wall” is one of the areas on which the ePrivacy Regulation was supposed to provide some clarity.

A May 2018 draft of the ePrivacy Regulation appeared to permit cookie walls with no paid alternative for all websites providing non-essential services. Recital 20 of the draft said:

Access to specific website content may still be made conditional on the consent to the storage of a cookie or similar identifier.


A February 2019 draft replaced this section of the Regulation, suggesting that a cookie wall could be acceptable if the user is given a paid alternative.

It appears that this version of the provision made it into the Council-approved 2021 draft.

Two Models of Consent

Whereas the ePrivacy Directive deferred to the GDPR’s definition of consent, the ePrivacy Regulation appears to contain its own definition.

Rather than clarifying matters, I would suggest that it causes further confusion.

There is now a strict definition of consent — to the processing of personal data — at Articles 4 and 7, and Recital 42 of the GDPR. Under this definition, the controller must:

  • Ensure the individual gives their consent “freely” 
  • Make it “as easy to withdraw as to give consent”
  • Ensure the individual does not suffer any detriment if they refuse consent.

There would be a looser definition of consent — to the storage of cookies and tracking across the internet — in the ePrivacy Regulation, wherein the website operator or service provider:

  • Does not need to ensure the individual is consenting “freely”
  • May make the refusal of consent more difficult than the granting of consent
  • May impose a detriment on the individual if they refuse consent

Not all non-essential cookies involve the processing of personal data, but the type of cookies used by Washington Post (and others) to track online activity do. Therefore, these cookies fall within the scope of the GDPR. The website operator who uses these cookies is a data controller. But under the ePrivacy Regulation, they would not need to obey the GDPR on this specific issue.

Who cares?

Many people believe that cookie walls are reasonable. Many websites rely on ad revenue and — if you believe microtargeting and tracking are crucial to earning revenue (I’m not so sure) — why wouldn’t you be allowed to charge people to evade tracking?

For me, the problem is that the GDPR set a strong and meaningful standard of consent that many website operators flagrantly ignore. Rather than insisting on the enforcement of the rules, or finding creative solutions to help businesses raise ad revenue in lawful ways, the EU appears to have caved in on cookie walls.

The tide is beginning to turn on cookie compliance, with tough enforcement action from France’s CNIL and Google’s decision to kill off third-party cookies. By the time the ePrivacy Regulation makes cookie walls lawful, they might be redundant anyway.
