Take-it-or-leave-it privacy policies that require people to accept tracking cookies in order to access a website are illegal, Dutch regulators said this week.
“Thorough monitoring and analysis of the behavior of website visitors and the sharing of this information with other parties is only allowed with permission. That permission must be completely free,” the Dutch Data Protection Authority said Thursday, according to a Google translation of the decision.
“With so-called 'cookie walls' on websites (no permission means no access) the permission is not given freely,” the opinion continues. “Permission is not 'free' if someone has no real or free choice. Or if the person can not refuse giving permission without adverse consequences.”
The Data Protection Authority said it had received “dozens” of complaints from people who weren't able to access websites after refusing tracking cookies. The agency added it will intensify monitoring efforts.
Europe's GDPR broadly requires companies to obtain people's consent before using cookies for tracking. Since the law took effect in May 2018, companies have faced complaints over their practices -- including their methods of obtaining consent.
Regulators in France said earlier this year they fined Google $57 million after concluding that the company failed to obtain people's unambiguous consent before using their data in order to personalize ads.
The French regulators said Google's interface included a pre-checked box that allowed the company to use data for ad targeting. The use of a form that had already been filled out rendered people's consent ambiguous, according to regulators.