Websites that restrict visitors from viewing and interacting with their content unless they first accept the use of cookies that track their browsing activities are violating the terms of the European Union's General Data Protection Regulation (GDPR), the Netherlands' Dutch Data Protection Authority (DDPA) has determined.
Also known as the Autoriteit Persoonsgegevens (AP), the DDPA said in a statement late last week that it is intensifying audit and compliance efforts and has contacted certain offending parties after receiving dozens of complaints from citizens who were denied access to web pages after refusing to accept cookie policies.
Under GDPR, website operators are allowed to request user permission to employ cookies, but that permission must be given freely. The use of so-called cookie walls that block users from accessing sites unless they accept cookies are therefore out of GDPR compliance because they effectively coerce users into granting permission, the AP argues.
AP Chairman Aleid Wolfsen said in a roughly translated statement, "The digital tracking and recording of internet surfing behavior via tracking software or other digital methods is one of the largest processing of personal data, because virtually everyone is active on the internet. To protect privacy, it is therefore important that parties request permission from website visitors."
"In this way, people can deliberately and appropriately use their right to the protection of personal data," the statement continues. "If a website is asked for permission for tracking cookies and if it is not possible to access the website or service if they refuse access to the website or service, people under pressure will receive their personal data and that is unlawful."
"For years, the internet has enabled organizations to conduct surveillance on unwary consumers. This practice is now being upended by GDPR, the California Consumer Privacy Act (CCPA) and similar laws being passed around the world," said Chris Olson, CEO of The Media Trust, in a statement. "To demonstrate their seriousness about protecting consumer privacy, GDPR regulators are closing the loopholes on obtaining site visitors' consent for collecting their behavioral and personal data. And they are not alone in clamping down on websites that deny access to consumers who exercise their privacy rights. Under CCPA, companies cannot discriminate against Californians who decline the collection and distribution of their information. The key takeaway here is for companies to operationalize the spirit of these laws. Doing so will not only lower the risk of infringement but also build customer trust, which is essential to the customer experience."
GDPR went into effect last May, while the CCPA will become official on Jan. 1, 2020.
"There's been a lot of confusion in [the] industry, and ambiguity in regulatory interpretation, concerning the adapting of online content distribution and ads to GDPR," said Omer Tene, VP and chief knowledge officer with the International Association of Privacy Professionals (IAPP). "In this case, the Dutch DPA expressed a restrictive reading. In other cases, other DPAs applied the legislative language more liberally. We will inevitably face a period of uncertainty, which is anathema for businesses, until the dust settles and we know how websites can set cookies to monetize their services."