Cookie Walls - EDPB updated guidelines release

May 13, 2020

4th May saw the European Data Protection Board publish updated guidelines on consent law; consent being one of six lawful bases that data controllers use to process personal data.  The EDPB reconfirmed the set of standards that need to be adhered to in order to use consent as a basis for the right to process personally identifiable information (PII).

‘Cookie walls’ are not legal. This was the message reinforced by them on Monday in the update to their guidelines, in which they reiterated that consent should always be freely obtained. Clearly, permission is not at all free if a user has to accede to something in order to access a website. A cookie wall simply does not offer this free choice if users are being asked to allow tracking cookies or a tracking pixel to be placed on their browser in order to access a company’s website.

The revised text states: “A website provider puts into place a script that will block content from being visitable except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies’ button. Since the data subject is not presented with a genuine choice, its consent is not freely given. "

The cookie wall issue has been a matter of contention and confusion for some time now. The UK data protection authority, the ICO, published a post in 2019 in which it confirmed that agreeing to cookies in order to use a website is not considered valid consent but concluded that the issue was still under consideration.  France’s equivalent governing body, the CNIL, last year insisted that users should be allowed to access a website whether they allow or deny cookie consent and the Dutch DPA have stated firmly that they consider the practice of cookie walls (no permission means no access) to be unlawful.


The EDPB, in the same updated release, paid attention to another matter of continuous concern: scrolling or swiping through a website.  On this, the revised guidelines state:

“…actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action…”

Obviously, the message could not really be clearer, however, as the two-year anniversary of the introduction of the pan-European data protection law looms, critics will continue to assess whether enforcement is really being put into action and actively being pursued by regulators, particularly on this very thorny issue.

Become a Partner
As a partner you have the option to promote a wide spectrum of GDPR services from the complete GDPR checklist to GDPR managed services. PanoSec have an affiliate program and a channel partner program.
Affiliate Partners
Our affiliate program gives you the opportunity to gain a percentage of any revenue earned from customers you refer to us.

The program works as follows:

1. Create an account: Affiliate Registration
Register via the "Affiliate Registration" button below, then login to your account and click on "Programs".

2. Start promoting PanoSec products!
Once you are in the programs page, get your unique affiliate links and start marketing. You can track all your affiliate referrals in your personal dashboard.
Affiliate registration
Channel Partners
PanoSec Channel Partners Program is focused on technology companies, security VARs, SaaS service providers, business continuity experts and insurance companies who will use PanoSec as a part of their security offer to end users.

Start Now