The Autoriteit Persoonsgegevens (AP) said that organisations applying so-called 'cookie walls' do not comply with the General Data Protection Regulation (GDPR). It has written to some website operators on the issue after receiving "dozens" of complaints, and confirmed that it plans to "intensify" its monitoring of compliance.
Aleid Wolfsen, chairman of the AP, said businesses cannot pressure consumers into accepting cookies.
Under the GDPR, consent from a data subject to the processing of their personal data must, in general, be freely given, specific and informed. It must also be an unambiguous indication of the data subject's wishes that is stipulated by a statement or by a clear affirmative action. Explicit consent is required for some data processing activities, where consent is the legal basis for such processing.
"With so-called 'cookie walls' on websites (no permission means no access) the permission is not given freely, because website visitors do not get access to the website without giving permission," the AP said. "On the basis of the [GDPR], permission is not 'free' if someone has no real or free choice. Or if the person can not refuse giving permission without adverse consequences."
The AP's statement reiterates a view expressed by the European Data Protection Board (EDPB), of which AP is a part, last year.
At the time, Dublin-based Ann Henry, an expert in data privacy at Pinsent Masons, the law firm behind Out-Law.com, said: "'Cookie walls' won’t be permitted in any guise. Service providers must obtain consent employing whatever technical tools are required to obtain it. That applies across the board whether you are operating a website or are an app provider. Given the clear message from the EDPB in this statement, the advice to any digital marketer has to be for them to place their energies and resources into determining how they can comply with the new consent regime."