The Dutch DPA Hates Cookie Walls

Credit: Steve Cukrov / ShutterstockCredit: Steve Cukrov / Shutterstock

The Dutch Data Protection Agency (DPA) announced on Thursday that "cookie walls," which only allow website visitors to view a site if they consent to have their browsing tracked, violate the General Data Protection Regulation (GDPR) introduced by the European Union in May 2018.

GDPR introduced new restrictions on what kind of data companies are allowed to collect, what they can do with that information, and what European citizens can do to protect their privacy. It essentially disrupted many of the practices on which the largest tech companies built their platforms. They can no longer conduct for-profit surveillance on all their users without anyone being the wiser; now they're supposed to be far more transparent.

Because so many sites rely on tracking visitors' activities, however, they have started looking for ways to maintain the status quo without risking punishment. That's where the "cookie walls" come in. The DPA explained thatit'd received dozens of complaints from citizens who could no longer access their favorite sites unless they agreed to be tracked. Now it's warned some of the biggest offenders (who were unidentified) to knock it off.

Both aspects of these cookie walls--their introduction and the DPA's stance on them--seem reasonable enough. GDPR requires companies to get consent before tracking browsing activity; why not make it hard to refuse that request by making acquiescence the only way to view a site? It was at least worth a shot. But it also makes sense for privacy regulators to force companies to follow the spirit of the law rather than just its letter.

These harder stances on privacy are becoming increasingly common, especially in Europe. The Norwegian Consumer Council criticized Google and Facebook for relying on UI "dark patterns" to gather information from users who might not actually want to be tracked. Germany's Federal Cartel Office, or Bundeskartellamt, prohibited Facebook from combining user data from its social network and the WhatsApp and Instagram subsidiaries.

And, of course, GDPR is having a continued effect on the industry. Between all those efforts--along with the many we haven't listed--it's only going to get harder for tech companies to gather as much information as possible about pretty much everyone who uses the Internet. (At least in Europe.)