Dutch regulator says no to “no choice” cookie walls

Users are often required to agree to tracking by third parties before they can access a website’s content.

Now, the Dutch data regulator says that this “take-it-or-leave-it” approach is not GDPR compliant, and warns action may be taken against sites that deny access based on the rejection of trackers.

Tracking walls are frequently employed as a means to obtain user data in an apparently consensual way, but the Autoriteit Persoonsgegevens (AP) has brought the issue to a close following what it describes as multiple complaints from individuals who could not access the material they wanted unless they clicked ‘yes’ to cookies.

“The AP will therefore intensify the monitoring of proper compliance and has sent a number of specific parties a letter about this,” the organisation said in a recent statement.

The AP says that the terms of the GDPR oblige organisations to provide a clear basis for the processing of personal and private data. As such, users must be asked for permission if tracking cookies or other similar tracking software are to be used.

AP chair Aleid Wolfsen said:

“The digital tracking and recording of Internet surfing behaviour via tracking software or other digital methods is one of the largest processing of personal data, because virtually everyone is active on the internet. To protect privacy, it is therefore important that parties request permission from website visitors.

“In this way, people can deliberately and appropriately use their right to the protection of personal data. If a website is asked for permission for tracking cookies and if it is not possible to access the website or service if they refuse access to the website or service, people under pressure will receive their personal data and that is unlawful.”

The AP also said that while software employed to help a website function, or to monitor general visiting data, was not a sticking point, more enhanced analysis of site viewers would require more robust and freely given permissions, as stipulated by the GDPR.

The lack of genuine choice in so-called “take-it-or-leave-it” cookie walls rendered such approaches in violation of the EU data laws.

Cookie walls have been around for some time. In November 2018, The Washington Post was asked by the Information Commissioner’s Office to put a stop to its method of asking users to pay $9 per month in return for cessation of tracking.

The method does not offer users “a genuine choice and control over how their data is used [meaning] consent cannot be freely given and is invalid,” the ICO’s case manager said.

