Are cookie walls allowed?Can you charge users who do not consent?How long is consent valid for?Is there guidance specific to online advertising?How do users have to indicate consent?
The EDPB Guidelines explicitly forbid the use of cookie walls.The EDPB Guidelines do not discuss the topic of consent-or-pay models.The EDPB Guidelines do not discuss the topic of consent’s validity.The EDPB Guidelines do not specifically address online advertising, but some examples given in the text relate to online advertising use cases.The EDPB Guidelines explain that consent shouldn’t be unnecessarily disruptive, but cannot simply be given through ambiguous methods, where the action could be mistaken for normal use (i.e. continuing to browse and further scrolling).

Agencia Española Proteccion Datos

Are cookie walls allowed?Can you charge users who do not consent?How long is consent valid for?Is there guidance specific to online advertising?How do users have to indicate consent?
The AEPD guidelines explicitly forbid the use of cookie walls, stating that they are following EDPB guidelines.The AEPD guidelines do not mention consent-or-pay models, but it does mention that “certain situations might exist” where an alternative can be found for cookie wall approaches (i.e. take-it-or-leave-it)The AEPD guidelines explain that users should not be prompted for their consent too often to reduce consent fatigue. Thus, they recommend that consent for cookies could last for up to 24 months.The AEPD guidelines include a detailed Annex outlining the various players in the online advertising ecosystem, with some specific guidance per stakeholder. The guidelines also include a reflection on the use of Consent Management Providers (CMPs).The AEPD guidelines explain that there needs to be an affirmative action. Merely continuing to browse cannot be construed as an indication of consent.

Autoriteit Persoonsgegevens

Are cookie walls allowed?Can you charge users who do not consent?How long is consent valid for?Is there guidance specific to online advertising?How do users have to indicate consent?
The AP guidelines explicitly forbid the use of cookie walls – following EDPB guidelines.The AP’s guidelines actually suggest, as an alternative to a consent wall, to allow users to access website content for a price instead.The AP’s guidelines explain that because cookies durability gets renewed each time they are accessed, any cookies with a lifespan of over 6 months will be unlikely to be able to remain valid, as the user is unlikely to be able to give informed consent to such cookies. It therefore follows that consent probably cannot be valid for more than 6 months at a time.The AP doesn’t offer specific guidelines on online advertising.The AP specifies that only a clear indication can be used to signify consent. Merely continuing to use a website cannot be counted as an active indication.

Commission Nationale de l'Informatique et des Libertés

Are cookie walls allowed?Can you charge users who do not consent?How long is consent valid for?Is there guidance specific to online advertising?How do users have to indicate consent?
The CNIL’s guidelines do not prohibit the use of cookie walls, but they do note that making consent a condition for accessing a service is prone to infringing the principle of free consent, and must be assessed on a case-by-case basis.The CNIL’s guidelines do not discuss consent-or-pay models.The CNIL’s guidelines create a lighter regime for specific audience measurement cookies. Under certain circumstances, these can be placed without consent for up to 13 months, and the data collected by those cookies can be retained for up to 25 months. However, for other tracking cookies the CNIL does not define a time limit for retaining the data, nor for the validity of consent.The CNIL’s guidelines have specific rules for audience measurement cookies (first-party only, measuring traffic and A/B testing, broad audience segmentation, anonymized statistics). These can be placed without consent for up to 13 months.The CNIL’s Guidelines call for a clear positive action; i.e. not just scrolling, continuing to browse, use of the app or website. The absence of a positive action to indicate consent must be considered as a refusal to grant consent.
Are cookie walls allowed?Can you charge users who do not consent?How long is consent valid for?Is there guidance specific to online advertising?How do users have to indicate consent?
The Datatilsynet Guidelines do not discuss cookie walls.The Datatilsynet Guidelines do not discuss consent or pay models.The Datatilsynet Guidelines does not provide a time limit for consent, stating that in principle consent does not expire. However, data controllers must ensure that consent can be withdrawn at any time, as easily as it was given.The Datatilsynet Guidelines do not have specific guidance for online advertising.The Datatilsynet Guidelines require that both accept and reject options must be displayed with equal prominence. Furthermore these guidelines have additional requirements that consent must be able to be ticked per purpose, and there needs to be a list of identified data controllers on the first layer of a consent interface.
Are cookie walls allowed?Can you charge users who do not consent?How long is consent valid for?Is there guidance specific to online advertising?How do users have to indicate consent?
The DPC Guidance Note on cookies does not discuss cookie walls.The DPC Guidance Note on cookies does not discuss the consent or pay models.The DPC Guidance Note on cookies recommends re-confirming consent no longer than 6 months after initial consent, but acknowledges that the law does not specify a timeframe for how long consent stays valid.The DPC Guidance Note on cookies includes guidance on the use of Consent Management Platforms (CMPs). It also mentions the use of analytics cookies, which require consent.The DPC Guidance Note on cookies explains that consent must be specific to each purpose. Additionally, consent cannot be implied or assumed from user behavior after seeing a banner for example. There is also a section specifically explaining what information has to be included on a cookie banner.

Information Commissioner’s Office

Are cookie walls allowed?Can you charge users who do not consent?How long is consent valid for?Is there guidance specific to online advertising?How do users have to indicate consent?
The ICO Guidance on Cookies page has a detailed section on Cookie Walls, concluding that they are unlikely to lead to valid consent, noting that not all cookie tracking is necessarily intrusive or high risk.The ICO Guidance on Cookies does not discuss the consent or pay models.The ICO Guidance on Cookies provides plenty of guidance here - first, consent must be refreshed as often as is appropriate, depending on the situation, but leaves it to websites to figure out the right interval. For cookie duration, they should last as long as is ‘appropriate’ and not be disproportionately long.The ICO has a specific section of the website dedicated to their work on AdTech. IAB Europe has cooperated with the ICO in their investigation into the AdTech industry.The ICO Guidance on Cookies explains that a user must have taken an action to signify consent. Furthermore, the Guidance warns that users must not be ‘nudged’ into accepting by making it harder to see the reject or settings options - implying that they must be given equal prominence.

Gegevensbescherming Autoriteit/Autorité de Protection des Données

Are cookie walls allowed?Can you charge users who do not consent?How long is consent valid for?Is there guidance specific to online advertising?How do users have to indicate consent?
The Belgian data protection authority’s guidelines explicitly state that the use of a cookie wall is are not allowed as they consider this not to be valid consent under the GDPR.The Belgian data protection authority’s guidelines do not discuss the consent or pay models.The Belgian data protection authority’s guidelines state that the retention period for cookies need to have a limited duration, and the cookie policy needs to explain this retention period. However, no specific time limits are suggested for how long such retention may be, nor how long consent is valid for.The Belgian data protection authority’s guidelines do not specifically address online advertising, but do explain that audience measurement cookies require consent, even if they are first party cookies. They also clarify that social media plugins (i.e. like-buttons, or tweet-buttons) require consent of the user before being activated as well.The Belgian data protection authority’s guidelines explain that simply continuing to browse a page cannot count as valid consent. Consent has to be indicated through an action from the user.

Links:

European Data Protection Board (EDPB), Guidelines 05/2020 on consent under Regulation 2016/679.

Agencia Española Proteccion Datos (AEPD), Guia sobre el uso de las cookies.

Autoriteit Persoonsgegevens (AP), Uitleg over Cookies.

Commission Nationale de l'Informatique et des Libertés (CNIL), Deliberation n ° 2019-093 of July 4, 2019 - Cookie Guidelines.

Data Protection Commission (DPC), Guidance Note: Cookies and other tracking technologies.

Datatilsynet (Denmark), Guidelines on consent for cookies.

Information Commissioner’s Office (ICO), Guidance on the Use of Cookies and Similar Technologies

Gegevensbescherming Autoriteit/Autorité de Protection des Données (GBA/APD), Website page on Cookies and other tracking methods.

Lines (1)