Accept all or bust: how cookie walls are creating a two-tier internet

You'll likely have come across, at least once, a cookie pop-up with only one choice – "Accept all." Under the so-called "Pay or Consent" model, paying a fee is at times the only way to avoid invasive online tracking. After taking their first steps in the EU, cookie walls and privacy paywalls have landed in the UK, too. But should this practice be legal at all?

Cookie pop-ups offer us a choice to exercise our right to withdraw consent to online tracking, as regulated by the landmark data protection legislation GDPR. With such a choice stripped away, experts fear this would create a two-tier internet instead. The legal approach may be changing but, ethically, it doesn't seem that cookie walls should be an accepted practice.

As data protection expert Rowenna Fielding told me when I met her during an event organized by the Data Privacy Advisory Service: "When you start sorting people into those who can pay to have their fundamental human rights respected and those who can't, that's a problem."

A cookie wall refers to the practice whereby websites deny users access if they do not consent to have their activities tracked by the cookies in place on that site. The choice here is simple: give away your data if you want to access my content.

A privacy paywall, also known as "Pay or Consent" or "Pay or OK," is a type of cookie wall that enables users to reject non-necessary cookies upon paying a fee. Essentially, the website owner gives you a choice on how to pay for the content provided – your money or personal data.

Did you know?

Meta had to halt its plans to introduce its ad-free subscription in the EU after the European Commission's preliminary view found it not compliant with DMA rules. Austria-based digital rights group Noyb was the first of at least 18 consumer groups to file a legal complaint, warning how the model will make privacy an exclusive right "for the rich."

European news sites were the first to experiment with the pay-to-privacy model since GDPR rules were enforced in 2018. Privacy paywalls came, in fact, as a way to make up for revenues lost to the spread of free digital journalism.

Yet, it was not until Meta, the parent company of Facebook and Instagram, tried to introduce its ad-free subscription for Europeans at the end of 2023 that this practice got more attention from lawmakers, with the EU urging Meta to stop its plans until it addressed concerns under both the GDPR and the Digital Markets Act (DMA).

This case, however, didn't prevent other organizations from testing the legal waters around cookie walls.

At the time of writing, some of the biggest UK news publications – namely The Sun, Daily Mail Online, The Independent, Mirror, and Daily Express – have also introduced the privacy paywall.

What's interesting about the cookie walls saga is how the legal approach has been shifting throughout the years.

Let's look at the EU. In Section 3.1 of the GDPR guidelines, the law explicitly states that "if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid."

Similarly, section 3.1.2 reads: "For consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so-called cookie walls)."

Nonetheless, the proposal for the new ePrivacy Regulation, whose aim is "reinforcing trust and security in the digital world," lacks a blanket prohibition on cookie walls.

The approach towards cookie walls in the UK is getting more relaxed, too.

In 2019, the ICO's guidelines ruled out cookie walls as a valid practice under GDPR or PECR (the UK's equivalent for the ePrivacy Directive). As per the agency's own wording: "You must provide users with controls over any non-essential cookies, and still allow users access to your website if they don’t consent to these cookies."

Now, about 6 years later, the ICO's views on this practice have shifted. As per the ICO's new guidelines, "Consent or Pay" models are indeed acceptable if the website can demonstrate that "people have freely given their consent for personalized advertising." But how can consent be freely given if the only other choice you have is paying a fee?

"I think that's just another example of the ICO kicking the can down the road and not making any clear statements on this, because then they'd have to do something about it," Fielding told me. "I wouldn't say there's necessarily coercion there, but there's definitely an element of influence. Privacy is a fundamental right, data protection is a fundamental right."

What's next?

As we have seen, cookie walls are gaining traction across the EU and the UK. For their part, though, lawmakers appear busier shaping data protection legislation accordingly than plugging the legal loopholes that led website owners to test the waters of cookie walls in the first place.

Moreover, with the UK Data (Use and Access) Bill currently making its way into Parliament, the feeling is that the law could further relax the data protection approach to first-party analytics cookies. And our online privacy is on the line.

Fielding fears the impact that even more widespread cookie walls will have on the future of data protection. She said: "The data sets used for profiling, targeting, and influencing will be data sets of people who cannot afford to assert their rights. That itself is going to have a knock-on effect on the way society is influenced by the content generated from this very particular pool of data."

All in all, as Fielding points out, finding a way out of this ever-invasive surveillance advertising system certainly isn't an easy task, "but somebody needs to try."

As a user, using one of the best VPN apps to spoof your IP address may remain one of the best weapons to resist cookie walls and enjoy tracker-free browsing.

Chiara Castro
News Editor (Tech Software)

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life – wherever cybersecurity, markets, and politics tangle up. She writes news, interviews, and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar and TechRadar Pro. Got a story, tip-off, or something tech-interesting to say? Reach out to chiara.castro@futurenet.com
