Why the EU eradicates cookie walls

At the end of last year, the European Court of Justice banned sites from setting cookies by default and from using pre-ticked check boxes on cookie banners. The court stated that these practices are contrary to the requirements of the General Data Protection Regulation (GDPR).

In early May, the European Data Protection Board (EDPB) settled another question: cookie walls violate the GDPR. We discuss the situation below.


Photos - Erol Ahmed - Unsplash

EDPB Ordinance


Last March, the Dutch regulator called cookie walls illegal. These are banners that block access to content until the user agrees to the processing of personal data. The decision of the data protection agency in the Netherlands provoked a discussion among site owners, lawyers and politicians. At the beginning of this month, representatives of the European Data Protection Board (which is engaged in the enforcement of the GDPR) issued an official clarification confirming that cookie walls are contrary to the GDPR. They force users to accept the terms of data collection, whereas such consent should be voluntary.

Additionally, the EDPB clarified that scrolling through a web page cannot be considered consent to the processing of personal data either.

What are the pitfalls


The EDPB only adopts new rules and clarifies laws related to the protection of personal data. Their implementation is monitored by the local authorities of the EU member states. A number of experts note that this is not the best approach. Despite GDPR fines, which can reach 20 million euros, many resources set cookies without user consent.

Specialists from Aarhus University, University College London and MIT note that only 11.8% of banners comply with the minimum requirements of EU law.

The Verge reporters also write that banning cookie walls will not be a panacea. Dishonest webmasters have many tools in their arsenal for pushing users into agreeing to cookies. “Dark practices” include overly complex interfaces and vague language.


Photo - Kari Shea - Unsplash

Interestingly, the need to strictly regulate cookies could have been avoided if all companies had followed the recommendations in the original cookie specification (RFC 2109) from the start. This was pointed out by Thomas Baekdal, founder of Baekdal, the technology magazine that bears his name.

The specification was developed by engineers from Netscape Communications back in 1997. The document forbids sites from setting third-party cookies, or at least from enabling them by default. At the same time, sites should give users the ability to delete information about themselves and to revoke permission to set cookies. Similar requirements can be found today in Articles 17 and 21 of the GDPR.
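A site owner can check a page against these points (no cookies set by default, no third-party cookies before consent) by auditing the `Set-Cookie` headers captured on a first visit, before the visitor has touched the banner. The Python code below is an added example, not part of the original article; the hosts, cookie names and the allowlist of essential cookies are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Assumption: cookies this hypothetical site treats as strictly necessary.
ESSENTIAL = {"session_id", "csrf_token"}

def is_first_party(host, site_domain):
    """Simplified suffix match; a real audit would use the Public Suffix List."""
    host = host.lower().rstrip(".")
    return host == site_domain or host.endswith("." + site_domain)

def audit_first_visit(site_domain, responses):
    """responses: (response_host, raw Set-Cookie value) pairs captured on a
    first page load, before any interaction with the consent banner."""
    findings = []
    for host, raw in responses:
        jar = SimpleCookie()
        jar.load(raw)  # parses the cookie name/value and its attributes
        for name, morsel in jar.items():
            reasons = []
            if not is_first_party(host, site_domain):
                reasons.append("third-party cookie set before consent")
            elif name not in ESSENTIAL:
                reasons.append("non-essential cookie set before consent")
            max_age = morsel["max-age"]  # empty string when the attribute is absent
            if reasons and max_age.isdigit() and int(max_age) > 86400:
                reasons.append(f"persists for {int(max_age) // 86400} days")
            if reasons:
                findings.append((host, name, reasons))
    return findings

# Constructed capture for the hypothetical site example.test.
SAMPLE = [
    ("www.example.test", "session_id=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.test", "_visitor=77f1; Max-Age=63072000; Path=/"),
    ("ads.tracker.test", "uid=9e2d; Max-Age=31536000; Secure; SameSite=None"),
]

if __name__ == "__main__":
    for host, name, reasons in audit_first_visit("example.test", SAMPLE):
        print(f"{host}: {name}: {'; '.join(reasons)}")
```

The session cookie passes, while the first-party visitor identifier and the tracker's cookie are both reported because they were set before any consent was given.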

How to block unwanted cookies yourself


You can use the tools that various browsers offer. Mozilla has developed a utility that blocks fingerprint collectors and tracking cookies. Similar solutions are available in Safari and Brave, while Google is only planning to implement them. The corresponding functionality will appear in Chrome within the next two years.

Another protection tool might be the Do Not Track (DNT) framework. It was developed by the W3C consortium and is meant to automate work with cookies. A special function is added to the browser that tells sites which cookies the user has enabled. However, Forrester studies have shown that popular resources ignore the new mechanism. For this reason, at the beginning of last year, W3C engineers stopped working on the project. It is hoped that someone will continue the work begun by the consortium and bring it to its logical conclusion.


