As an online business owner, you’ve likely come across the term “cookie wall.” But what are cookie walls, and what do they mean for your site?
A cookie wall is a pop-up that demands site visitors give consent to cookie use as a condition of access. Unlike a regular cookie banner that allows visitors to decline cookies and still browse, cookie walls make consent a gateway—no cookies, no entry.
Since it can prohibit the use of cookies and deny access to a website, the big question here is: Are cookie walls a legal way to obtain consent under the GDPR and similar laws, or could they put your business at risk?
- A cookie wall is a type of barrier that requires users to manage or accept cookie settings before accessing a site.
- Just like a cookie notice, it informs visitors about the website’s data collection. However, it blocks access until the user gives consent or adjusts settings.
- If you’re using a cookie wall, make sure users have a true choice. Your website could face legal issues if users can’t decline cookies freely.
What Are Cookie Walls & How Do They Work?
Cookie walls prevent users from accessing a website’s content without first providing user consent for cookies. The goal of using a cookie wall is to collect and process user data for various purposes, such as advertising or site analytics.
To implement this, website owners deploy cookie walls that appear before the user can have a full view of the content. For example, on JSTOR’s website, visitors are presented with a message explaining that cookies must be accepted to remove the popup.
This forces a decision: grant permission to track their online behavior or lose access to some parts of the site.
On the one hand, this method leverages consent but is controversial because it restricts user choice significantly. On the other, it can help ease data privacy concerns.
Given that 32% of users worldwide worry about how companies handle their personal data, you can use a cookie wall to give visitors more control over their privacy, helping them feel secure in their online experience.
Are Cookie Walls Legal?
The use of cookie walls usually contravenes data privacy laws, which require clear, voluntary consent.
While the regulations regarding the legality of cookie walls may vary, the general consensus leans toward them being problematic. Some data privacy authorities argue that they force users to consent, which undermines the voluntary nature of consent.
EU
In the EU, cookie walls are closely scrutinized under several regulatory frameworks and privacy laws like the GDPR and ePrivacy Directive.
These laws mandate that consent for cookies and similar technologies must be freely given, informed, specific, and unambiguous. Cookie walls conflict with these principles as they do not provide a voluntary choice.
The European Data Protection Board (EDPB) guidelines also reinforce that making access to services conditional on consent infringes upon the requirement for consent to be freely given.
In France, the CNIL (Commission Nationale de l’Informatique et des Libertés) has also enforced a ban on cookie walls. It argues that they do not allow for free and uncoerced consent, which is necessary under French and EU law.
Following recent updates, Italy also implemented strict regulations concerning cookie consent. The new guidelines on cookie walls clarify that mere scrolling does not constitute consent, and there must be clear, affirmative action like clicking a button.
Thus, cookie walls on Italian websites that force users to accept cookies to access services are considered non-compliant with these updated standards.
PRO TIP: If your website targets EU residents, avoid cookie walls that block access without free consent. Use clear cookie banners that give users a real choice and make opting out simple.
UK
In the UK, the rules on cookie walls are largely shaped by the General Data Protection Regulation (GDPR).
The UK GDPR, along with the Privacy and Electronic Communications Regulations (PECR) and the Information Commissioner’s Office, indicate that you can use cookie walls if you meet certain conditions:
- Access to services cannot be conditional on acceptance of cookie walls unless the cookies are strictly necessary for the service itself, such as essential cookies for login or authentication.
- Users are provided with clear and detailed information about what cookies are being used, what data is being collected, and for what purposes.
- The consent mechanism must allow users to choose specific cookies to accept or reject. Blanket consent for all cookies does not meet the GDPR’s standard of consent.
- Users must be able to withdraw their consent at any time as easily as they provided it.
When a cookie banner blocks access to a website’s content, that’s considered forced consent. This approach does not align with the principles and requirements of data privacy regulations.
USA
Unlike the European Union, the U.S. follows a more fragmented approach to cookies and cookie walls, with regulations varying by state and industry.
At the federal level, there are no specific laws that declare cookie walls illegal. However, businesses must still consider various privacy laws and sector-specific regulations that could impact their use of cookies.
Here are some states that have enacted comprehensive privacy laws that may indirectly affect how cookie walls can be used:
- California: Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), businesses must disclose their data collection practices, including the use of cookies. The law emphasizes the right to opt out of the sale of personal data, which could influence the use of cookie walls.
- Virginia: The Virginia Consumer Data Protection Act (CDPA) provides consumers with similar rights to California’s laws, requiring businesses to inform users about data processing, including cookies, and offer the ability to opt-out.
- Colorado: The Colorado Privacy Act (CPA) requires transparency around the use of cookies and gives consumers the right to opt out of data collection practices such as targeted advertising.
- Connecticut: The Connecticut Data Privacy Act (CTDPA) includes provisions that govern how businesses collect and use personal data through cookies.
- Utah: The Utah Consumer Privacy Act (UCPA) also includes cookie-related rules, primarily around transparency and the right to opt out of data collection and sale.
While these states don’t regulate cookie walls, they provide cookie guidelines emphasizing transparency and consent. Businesses must disclose data collection and sharing practices and allow consumers to opt out of the sale of their information.
Australia
There is no clear ruling that states cookie walls are illegal in Australia, but their use is subject to the Australian Privacy Principles (APPs).
This law emphasizes obtaining informed and voluntary consent for data collection. If a cookie wall forces users to accept cookies to access a site, it could conflict with the requirement that consent be freely given.
That said, businesses may be allowed to implement cookie walls unless cookies are necessary for essential functions like security and enabling key services on the site.
Can You Use Cookie Walls Under CCPA?
No, you cannot use cookie walls under the CCPA. The CCPA does not explicitly mention cookie walls, but its focus on consumer rights and data privacy suggests that cookie walls are not compliant.
The CCPA requires websites to provide users with clear information about their data collection practices and to allow users to exercise their cookie preferences. The use of cookie walls on websites can hinder these rights by forcing users to accept cookies.
To ensure CCPA cookie compliance, I make sure my website:
- Provides clear and easily accessible information about cookie practices
- Obtains explicit consent from users before collecting or using their personal data
- Allows users to exercise their right to opt out of cookies or to change their cookie preferences
- Implements strong data security measures to protect user data
In addition to these, I also make it a point that my website has a comprehensive cookie policy. There, I include a list of the different cookies my website uses and their purposes.
This not only keeps my site transparent but also ensures users are fully informed and can make choices that align with their privacy preferences.
PRO TIP: Instead of a cookie wall, use a cookie banner that allows users to manage their preferences without restricting access to content or services. This ensures compliance with the CCPA.
Are Cookie Walls Compliant With the GDPR?
No, cookie walls are not compliant with the GDPR. The European Data Protection Board has stated that the use of cookie walls does not comply with the GDPR for the following reasons:
- Consent is not freely given: GDPR consent must be freely given, meaning users should have the option to decline cookies without being restricted from accessing the website.
- Informed consent is compromised: Even if a GDPR-compliant cookie declaration explains the cookies being used, pairing it with a cookie wall doesn’t offer users a true choice, undermining the requirement for informed consent.
- Pressure to consent: The EDPB guidelines make it clear that users should not be pressured into giving consent. Cookie walls, by blocking access, create undue pressure on users to agree to cookies.
- Genuine choice is missing: In the GDPR debate over cookie walls, the core objection is that they do not allow users to make a genuine, voluntary choice regarding their data, as users are forced to either consent or lose access.
- Transparency alone isn’t enough: Even if the cookie banner meets GDPR standards, implementing a cookie wall negates the principles of free and voluntary consent, which the GDPR requires.
Cookie walls are not considered GDPR compliant because they do not allow users to exercise their privacy rights freely.
What Are Legal Alternatives for Cookie Walls?
A cookie banner or notice is an excellent alternative to cookie walls. These are less intrusive methods that still comply with data privacy and offer transparency and choice without restricting content.
Cookie Notice
A cookie notice is a message or alert that appears on a website, typically at the bottom or top of the page. It briefly informs users that cookies are being used on the site and provides details about their purpose.
It often includes a link to a more detailed cookie policy or privacy policy, where users can find out how their data is collected and used. Here’s an example of one from iRobot:
Compared to a cookie wall, this notice is less intrusive. Users are not pressured to give consent and can continue browsing while deciding their preferences.
More importantly, they are given the option to review cookie policies, making this cookie consent solution a more user-friendly and privacy-respecting method of gaining consent.
That said, this particular example from iRobot lacks a “Decline” button, which would allow users to reject all non-essential cookies with one click. Without this, users may feel coerced into making choices they don’t fully agree with.
Since they have to manually control cookies to reject them, this can create an incomplete sense of consent. It may also challenge the notice’s compliance with the GDPR consent principle of ease and freedom of choice.
Cookie Consent Banner
A cookie consent banner is another good alternative to a cookie wall for legally obtaining user consent. Unlike a cookie notice, which simply informs users about the use of cookies, it actively asks users to provide their explicit consent before cookies are placed on their device.
It usually appears as a cookie popup when users first visit the website and typically offers the option to accept, reject, or customize cookie settings. Here’s an excellent example of a cookie consent banner from the Seattle Seahawks:
Instead of forcing users to agree to cookies to access content, they asked users to choose which cookie categories they accept or reject. This type of cookie banner respects the user’s right to privacy.
What Not To Do When Adding a Cookie Wall
When adding cookie management tools to your website, it’s important to approach the process with transparency and respect for user privacy. Here are some key things to avoid to ensure your cookie practices align with legal and ethical standards.
1. Don’t try sneaky workarounds
Avoid deceptive practices that can obscure the true nature of cookie consent. Cookie walls don’t allow genuine user choice if they mask or complicate the consent process. You’ll want to avoid:
- Prechecked boxes that can mislead users into unintentionally consenting to cookies
- Misclassifying different types of cookies to mislead users about their purpose and necessity
- Using overly technical language that confuses users when explaining what cookies do
- Bundling cookie consent with other agreements like terms of service or newsletter sign-ups
- Making opting out difficult by designing the “Decline” button to be less visible or harder to find than the “Accept” button
In my experience running my online store, when you’re upfront about how and why you’re using cookies, customers appreciate the honesty and are more likely to engage with your site.
Clear communication helps establish trust.
In fact, a 2022 global survey revealed that 60% of online consumers view transparency and trustworthiness as the most important traits of a brand. Together, they can lead to higher customer satisfaction and longer-lasting relationships.
2. Don’t block regional users
Blocking access to users who do not allow cookie usage, especially if they are not necessary cookies, is a clear violation of the GDPR and CCPA.
Instead of blocking access, consider implementing a more nuanced approach where users can still interact with your site with limited functionality or receive a different browsing experience that doesn’t rely on intrusive cookies.
If you provide equal access to content, you’ll comply with privacy laws and create a more inclusive and user-friendly experience that encourages trust and engagement.
3. Don’t rely on a DIY approach
Given the complexities associated with different types of cookies and varying legal standards, consider using established platforms or seeking professional advice for managing cookie consent rather than handling it entirely on your own.
For guidance on cookie walls, it’s advisable to leverage tools specifically designed to ensure compliance and simplify the process.
Using our cookie banner generator can be an excellent solution. This tool helps you create customized cookie banners that adhere to legal standards, making it easier to manage consent effectively.
Cookie Wall Examples
The way cookie walls are implemented can vary significantly across different websites. Check out the examples below that highlight what works well and what doesn’t when it comes to cookie wall implementation:
Mediapart
Mediapart, a popular French online newspaper, offers a solid example of a cookie wall. When you visit the site, it doesn’t just throw cookies at you and force you to accept them as some websites do.
Instead, it gives you a clear explanation of what cookies are being used and—more importantly—why they’re used.
The popup explains that some cookies are essential for things like logging in and ensuring the site functions properly, while others, like those used for statistics and retargeting, are optional.
This approach aligns with CNIL guidelines, which have pretty strict rules on how cookies should be handled. CNIL is clear in its stand that cookie walls are generally non-compliant if users aren’t given a real choice.
Mediapart avoids this by offering both “Accept” and “Decline” buttons right off the bat. Plus, those who want more control over what data they’re sharing can click on “More Options” where they can toggle specific cookie categories on or off.
In short, Mediapart’s cookie wall ticks all the boxes—genuine choice, clear communication, and easy-to-use controls. It’s exactly what CNIL wants to see when it comes to respecting user privacy while still keeping its website functional.
Corriere Della Sera
As one of Italy’s most well-known newspapers, both online and in print, Corriere Della Sera understands the importance of user privacy. The website implements a cookie wall that adheres to Italy’s strict regulations under the GDPR:
Like Mediapart’s cookie wall, it explains the different types of cookies in use, such as those necessary for technical functionality (which do not require consent) and optional cookies for advertising and geolocation tracking, which do.
It also informs users that their personal data could be shared with third parties, offering full disclosure about potential data usage. This level of detail helps users understand exactly how their data might be used, which is a key requirement under the GDPR.
Additionally, the cookie wall complies with GDPR guidelines by giving users a real choice: they can either “Accept and continue” to allow non-essential cookies or “Refuse and subscribe” to access content without cookies by paying for a subscription.
Users can also click on the “Preferences” button to manage consent for individual cookie types. This supports the GDPR’s principle of freely given, specific, and informed consent.
Heise Online
Heise Online is a top German tech news site that provides a strong example of a cookie wall that respects user privacy while keeping things flexible.
Similar to Corriere Della Sera, they’re very clear about working with up to 183 partners. They also explain exactly what their cookies do, from ad personalization to site functionality.
What’s great about this is that users don’t feel pressured. They can either adjust their cookie preferences or subscribe to avoid tracking entirely, a perfect balance for privacy-conscious visitors.
By allowing users to easily manage their consent at any time, this approach meets both German privacy law and the application of the GDPR.
Financial Times UK
Financial Times UK, known for delivering critical financial news, does a solid job with its cookie wall, and for good reason.
As a financial newspaper, trust and transparency are non-negotiable when it comes to user data. FT’s cookie wall doesn’t just inform users about cookies. It highlights how important these tools are for keeping the site secure and running smoothly.
By offering two clear options (“Manage Cookies” or “Accept Cookies”), the cookie wall gives users control without making them feel forced.
It also stands out because of its honesty. They clearly mention that disabling cookies might affect site performance, which is a key consideration for people relying on uninterrupted access to market news.
FT UK also provides detailed explanations of how data is used, so users know exactly what they’re agreeing to.
Trouw
Trouw, a well-established Dutch news website, offers another strong example of how to handle data privacy and user control via a cookie wall.
It informs users what data it collects and for what purpose. It also includes links to both the privacy policy and cookie policy, plus a list of all advertising partners that use cookies for ad personalization and research.
Users can also adjust or revoke their consent whenever they choose to, giving them full control over their browsing experience.
Frequently Asked Questions
What does a cookie wall look like?
A cookie wall looks like a pop-up that appears when you first visit a website. It blocks access until you accept or manage cookie settings.
What are the legal implications of using a cookie wall for my business?
Using a cookie wall can violate GDPR if users aren’t given a genuine, free choice to accept or reject cookies. Blocking access without consent could lead to potential fines.
Should I use a cookie wall on my website?
Using cookie walls could risk non-compliance with privacy laws. Consider alternative consent methods that respect user privacy instead.
What is a “soft” cookie wall?
A “soft” cookie wall allows users to access the website even if they decline non-essential cookies. It still prompts for consent but doesn’t block access.
What is a cookie paywall?
Cookie paywalls are systems that require users to either accept cookies or opt for a paid subscription to access website content.