Can websites use “tracking walls” to force consent under GDPR?

Dr Johnny Ryan GDPR 12 Comments

This note examines whether websites can use “tracking walls” under the GDPR, and challenges the recent guidance on this issue from IAB Europe. 

This week, IAB Europe published a paper that advises website owners that tracking walls (i.e., modal dialogs that require people to give consent to be tracked in order to access a website) will be permissible under the GDPR. Our view is different.

Several months ago we provided feedback to the IAB of what we regarded as serious mistakes in a preliminary draft of this paper, which we believe will be very detrimental to publishers who follow the paper’s advice. As it appears that our feedback did not make it into the published version of the paper, we want to put our opinion on the record, so that publishers can take it in to account when deciding what course to follow under the GDPR.

We provide an analysis below, and have published our original feedback to the IAB here, for those who want to dig into it.

The GDPR forbids tracking walls.[1] This prohibition may seem curious to adtech colleagues working outside the European Union, who may view personal data as a valid payment for for online content and services. It must be borne in mind that many Europe’s nations have strong historical motivations, and have protected the right to privacy and the right to protection of one’s data as fundamental rights in the European Charter.[2] To understand how European regulators have viewed these rights in the context of tracking walls, consider the following, from the European Data Protection Supervisor:

“There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give that market the blessing of legislation. One cannot monetise and subject a fundamental right to a simple commercial transaction, even if it is the individual concerned by the data who is a party to the transaction.”[3]

We believe that publishers who implement tracking walls on their websites could shoulder significant risk of fines and legal action on behalf of the adtech companies that track users on their websites. As we show below, the defenses set forth in the IAB Europe paper are unlikely to convince a judge when the first publisher is sued for breaching the Regulation.

To be clear, we do believe that freely-given consent can help monetise a loyal minority of a publisher’s audience. But, to monetise the majority for whom personal data will not be available,[4] we must join together to build ads that work without personal data.[5] PageFair is partnering with publishers and adtech companies who share a commitment to building a safe adtech stack that is compliant with a strict interpretation of the regulations. This safe adtech can monetise the majority of the audience who will not freely consent to hundreds of 3rd party technology vendors, and interoperate with consent wherever it is available.

Errors in the IAB Europe paper

The IAB Europe paper advises websites that:

“Private companies are allowed to make access to their services conditional upon the consent of data subjects. The GDPR provides that account has to be taken of this when determining whether consent has been freely given, but does not prohibit the practice. Moreover, the ePrivacy Directive similarly explains that services may be made conditional on consent.”[6]

The following section details serious errors in this guidance. Here is a summary: the paper misreads Article 95 in the GDPR to mean that websites can ignore the GDPR’s prohibition on tracking walls, and that they can instead rely on a narrow allowance provided for in Recital 25 of the ePrivacy Directive. In a further misreading, the paper mistakenly suggests that Recital 25’s allowance can be applied to all website content. The problems with this are outlined below.

What the GDPR Article 95 says

The IAB Europe paper refers to Article 95 of the GDPR to say that “the ePrivacy Directive’s more specific rules prevail over the rules of the GDPR”. There are two important mistakes in this sentence. First, the actual text of the Article is:

“This Regulation shall not impose additional  obligations  on  natural  or  legal  persons  in  relation  to  processing  in connection  with  the  provision  of  publicly  available  electronic  communications  services  in  public  communication networks  in  the  Union  in  relation  to  matters  for  which  they  are  subject  to  specific  obligations  with  the  same  objective set  out  in  Directive  2002/58/EC.”[7]

The paper mistakenly reads this to mean that website owners can ignore the GDPR and refer instead to the ePrivacy Directive’s narrow allowance for tracking walls. This is wrong for two reasons.

First, Article 95 does not cover websites. Rather, it covers “electronic communications services”, which are defined in European telecommunications law as transmission services, not content. (In fact, the definition of electronic communications services explicitly excludes services “providing, or exercising editorial control over, content” such as websites).[8]

Second, the paper mistakenly suggests that Article 95 is applicable to Recital 25 in the ePrivacy Directive. As the next section shows, this is important because the paper mistakenly claims that Recital 25 of the ePrivacy Directive permits tracking walls. But Article 95 of the GDPR would only apply to Recital 25 of the ePrivacy Directive if “specific obligations” were defined in Recital 25 that the GDPR was now adding additional obligations to. This is not the case: Recital 25 does not impose obligations. In fact, if provides narrow allowances, which is quite the opposite.

What the ePrivacy Directive Recital 25 says

The paper makes several incorrect assumptions about Recital 25 in the ePrivacy Directive. It cites part of a sentence from Recital 25 to suggest that tracking walls are permissible for all websites:

“website content may still be made conditional on the well-informed acceptance of cookies”.

However, the complete sentence has a different meaning. Here is the full sentence:

“Access to specific website content[9] may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.”[10]

The complete sentence includes two important concepts that the paper does not address: “specific website content” and “legitimate purpose”.

This reference to “specific website content” in Recital 25, as European data protection authorities noted in 2013, means that “websites should not make conditional ‘general access’ to the site on acceptance of all cookies but can only limit certain content if the user does not consent to cookies”.[11]

Furthermore, limiting access to specific content is permissible only for a “legitimate purpose”. As Recital 25 notes, this relates to purposes such as to “facilitate the provision of information society services”. The term “information society services” is defined in European Law to mean services explicitly requested by users.[12] Clearly, ads that require tracking are not the service that the user has requested.

Conclusion

To summarise, we believe the paper currently misreads Article 95 in the GDPR, and incorrectly assumes that this article is applicable to Recital 25 of the ePrivacy Directive, which the paper then mistakenly concludes can be applied to all website content.

We suggest no bad faith on the part of IAB Europe, or on the part of the adtech companies that led its drafting process. Nevertheless, we fear that website owners may expose themselves to risk as a result of following the guidance in this paper.

Notes

[1] See for example Recital 43, Regulation (EU) 2016/679 of The European Parliament and of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). “…Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance”. See also Recital 32 and 42.

[2] Article 7 and Artile 8 of the Charter of Fundamental Rights of The European Union.

[3] Opinion 4/2017 on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content, European Data Protection Supervisor, 14 March 2017 (URL: https://edps.europa.eu/sites/edp/files/publication/17-03-14_opinion_digital_content_en.pdf).

[4] See “Europe Online: an experience driven by advertising”, GFK, 2017 (URL: https://www.iabeurope.eu/wp-content/uploads/2017/09/EuropeOnline_FINAL.pdf), p. 7 and “Research result: what percentage will consent to tracking for advertising?”, PageFair Insider, 12 September 2017 (URL: https://pagefair.com/blog/2017/new-research-how-many-consent-to-tracking/)..

[5] See for example “Frequency capping and ad campaign measurement under GDPR”, PageFair Insider, 7 November 2017 (URL: https://pagefair.com/blog/2017/gdpr-measurement1/).

[6] “Consent, Working Paper 03/2017”, IAB Europe, 28 November 2017, p. 4 (URL: https://www.iabeurope.eu/wp-content/uploads/2017/11/20171128-Working_Paper03_Consent.pdf).

[7] Article 95, General Data Protection Regulation.

[8] “Electronic communications service means a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but exclude services providing, or exercising editorial control over, content transmitted using electronic communications networks and services; it does not include information society services, as defined in Article 1 of Directive 98/34/EC, which do not consist wholly or mainly in the conveyance of signals on electronic communications networks”. Article 2, paragraph c, of Directive 2002/21/EC of The European Parliament and of The Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive).

[9] As the Article 29 Working Party’s Opinion of 2013 notes: “The emphasis on “specific website content” clarifies that websites should not make conditional “general access” to the site on acceptance of all cookies but can only limit certain content if the user does not consent to cookies (e.g.: for e-commerce websites, whose main purpose is to sell products, not accepting (non-functional) cookies should not prevent a user from buying products on this website).” Working Document 02/2013 providing guidance on obtaining consent for cookies, Article 29 Working Party, (URL: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf), p. 5.

[10] Recital 25, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[11] Working Document 02/2013 providing guidance on obtaining consent for cookies, Article 29 Working Party, (URL: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf), p. 5.

[12] “..any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. For the purposes of this definition: …  “at the individual request of a recipient of services” means that the service is provided through the transmission of data on individual request.” Article 1, paragraph 2 of Directive 98/48/EC of The European Parliament and of The Council of 20 July 1998 amending directive 98/34/EC laying down a procedure for the provision of information in the field of technical standards and regulations.

  • Robert Madge

    Yes, this IAB document offers very dubious arguments to justify a very ‘liberal’ approach to the use of cookies – all based on a biased interpretation of the 1992 ePrivacy Directive and selective quotes from the WP29 and others – when most of this logic will be irrelevant anyway after the ePrivacy Regulation comes into force…

    In addition to the tracking wall issue, the document suggests that consent could be obtained for a number of purposes ‘en bloc’ and that a single consent can be used to cover a controller and a number of third party partners. On the first of these issues, the document twists the use of the word “appropriate” in a Recital reference dealing with the expression “freely given”, and on the second issue it uses an extract from a WP29 Opinion without including the words “originating from the same provider”.

    It’s a pity, because some parts of this IAB document provide some useful advice. I don’t understand what the advertising industry thinks that it has to gain by stretching its legal interpretation to the point that many businesses are likely to get into trouble.

    • Excellent comment Robert. I agree fully with you.

      The notion of bundling of consent en bloc is daft, and dangerous. We have already submitted our view on bundled consent to the Article 29 Working Party.

      • Robert Madge

        I presume that the IAB is hoping for mass non-compliance (or, at least, mass adoption of dubious practices on cookie handling), as has been the case with the existing cookie law. I guess that this will be their fall-back strategy also on ePR, if their lobbying doesn’t have the effect they want.

        PS: You need to look at the cookie consent handling on your own website…

        • Major publishers will be fully compliant, so that will not fly.

          Tell me about the cookie problem?

          • Robert Madge

            Why do you say that major publishers will be fully compliant?

            Perhaps it depends how you define “compliance”. If you define it in the same way as IAB, then I suspect that you are right.

            The IAB (with EASA) played the same game in 2011, with their “Best Practice Recommendation”. Hence we see so many cookie consent implementations now that I certainly believe are not compliant with the ePrivacy directive (2009 amendment).

            Johnny, do you believe that major publishers are “fully compliant” with current law on cookie handling?

          • I should have said *some* major publishers.

            Some major publishers will be using not be using any personal data for advertising, or sharing any personal data in the advertising system, unless visitors have consented.

          • Robert Madge

            Regarding the PageFair cookie problem, I suggest that you look at it yourself. It’s quite possible that you take a different view from me on adequate cookie consent processes.

            My first comment is that your site makes the statement “By continuing to use this website you agree to our cookie policy”. I do not consider that simply continuing to use a website is a “specific and informed indication”, “unambiguously given” consent (quoting from the 1995 data protection directive).

            Perhaps this cookie consent implementation can squeeze through on the question of whether the user has been provided with clear and comprehensive information prior to a consent (although, empirically, this is not the case unless the user views the cookie policy). However, there is no offer of granular consent, no option to withdraw consent except via the sledgehammer of deleting cookies via the browser, and there is an implied cookie wall! The policy states “You block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.”

          • I take your point, and you are right to criticise this site for adopting the same approach of “implied consent” that many others have adopted under the current rules. We are working to solve this, and solve the more challenging issues of the new rules too.

  • Tim Schumacher

    Cudos to your honest and well-written article, Johnny. An interesting piece of wishful thinking by ad industry lobbyists.

  • David

    Thank you. This is a topic that not seldom comes to discussion where I work.

    “We need to be able to pick who we’d want as our customers. Just make a contract that forces them to agree with current terms and that we’ll be profiling them”. I’ve been trying to tell them that “This might not be the case …”. This post helps clarifying a bit. But unfortunately the IAB-document might do the opposite.

    This quote from “ARTICLE 29 DATA PROTECTION WORKING PARTY” speaks quite clearly:

    “Where the data subject has no choice, for example, in situations where consent to profiling is a pre-condition of accessing the controller’s services; or where there is an imbalance of power such as in an employer/employee relationship, consent is not an appropriate basis for the processing. “