By Aineias Spiliotis, LL.B
The Danish Data Protection Authority has recently issued two decisions on the use of so-called cookie walls on websites and in this context has also published a set of general guidelines on the use of such consent solutions.
Since the beginning of 2020, when the Danish Data Protection Authority focused on the processing of personal data of website visitors, it has received a significant number of requests regarding the use of so-called cookie walls.
On the basis of two specific complaints, the Data Protection Authority took a position on the extent to which the use of so-called cookie walls by Gul og Gratis and Jysk Fynske Medier was within the scope of the data protection rules.
The cases were examined by the Danish Data Protection Authority.
Overall, the Authority found that a practice by which a website visitor can access the content of a website or service either by giving his consent to the processing of his personal data or by paying for it meets the requirements of the data protection rules for valid consent.
Use of cookie walls by Gul og Gratis
As regards Gul og Gratis, the Authority found, that the company offered an alternative to consent in the form of paid access. The payment provided access to a service that is broadly equivalent to the service that can be accessed through consent.
The pricing of the payment alternative was not unreasonably high, i.e. the pricing was not so high that the data subject would not have a real and practical choice between the payment alternative and the provision of consent.
However, the Authority concluded that Gul og Gratis had not demonstrated that the processing of personal data for statistical purposes was also a necessary part of the alternative payment solution. Indeed, the Authority noted that Gul og Gratis had emphasized its dependence on advertising revenues for the operation of a high-quality online marketplace but had not justified to what extent the processing of personal data for statistical purposes was necessary for this purpose.
Finally, the Authority stated that it ordered Gul og Gratis to either demonstrate that processing for statistical purposes is necessary and therefore, falls within the consent provided as an alternative to payment, or to adapt its consent solution to require visitors to give separate consent for that purpose. In this regard, the Authority has clarified that the deadline for compliance with the order is 8 March 2023.
Use of cookie walls by Jysk Fynske Medier
In the case of Jysk Fynske Medier, the Authority found that the company’s particular approach, whereby visitors could, despite their consent, access parts of jv.dk’s content (unlocked articles) or all of jv.dk’s content with their subscription, did not meet the requirements for valid consent.
This was because the service offered against consent was not substantially equivalent to that offered against payment, and therefore, visitors were not effectively given a free choice.
Similarly, the Authority considered that Jysk Fynske Medier had not demonstrated that the processing of personal data for statistical purposes was also a necessary part of the payment alternative.
Consequently,, the company was instructed to ensure that the consent given by visitors to jv.dk complied with the requirements of the GDPR and to demonstrate that the consent complied with the requirements of voluntary consent – that is, the company must either demonstrate that statistical purposes were a necessary part of the payment alternative or adapt the consent solution so that visitors could give separate consent for this purpose.
Guidelines for the use of cookie walls
Finally, following these two decisions, the Danish Data Protection Authority has issued general guidelines on the use of cookie walls, which other companies should take into account if they wish to use a similar approach or if they already do so.
The guidelines contain four criteria that will be the starting point for the Authority’s assessment of whether the use of a cookie wall in a particular case is in line with data protection rules.
Briefly, these four criteria are:
- Provide a reasonable alternative
- at a reasonable price
- to limit consent to what is necessary
- to process personal data when visitors have paid