9

Quite a few websites started showing european visitors "You cannot use this site because of GDPR", probably based on GeoIP information.

I see two possible legal problems:

  • GDPR forbids coupling of acceptance and the possibility to use. I am not sure if the GDPR wall is illegal or not as there is neither acceptance required on the page nor a possiblity to use the site.
  • The GDPR walls themself often miss a privacy policy (but most seem not to use tracking)
  • European citizens accessing the site when they are visiting non-european countries or via a (possibly anonymous) proxy probably have the same rights, but can access the site and will be tracked (or whatever the site does what does not comply with GDPR)

Are these walls a legal solution for these sites?

Here is an example from the Washington Post. You need to agree to tracking to continue to the site or you need to pay to avoid tracking.

Washington Post

Step 1: Washington Post GDPR-Wall 1

Step 2 (after clicking Free): Washington Post GDPR-Wall 2

Slate

Slate's implementation only offers an "agree" button, which leads you to their site, which probably uses tracking.

Slate GDPR-wall

From their privacy policy:

Slate tracks when EU readers grant consent for Slate to collect and process data through the use of an identifying cookie on your browser.
allo
  • 220
  • 1
  • 7

2 Answers2

6

If the website containing the GDPR-wall processes any personal data of users who hit the GDPR-wall, the GDPR applies to that website. This can be as simple as writing a logfile of all visits to the website. In this case it will be illegal if the website owner does not comply with the GDPR. However a supervisory authority would probably not spent any time on such a minor violation.

As long as the the website with the GDPR-wall does not process any personal data, the GDPR does not apply, so nothing in the GDPR can forbid the GDPR-wall.

Some related remarks:

  • The GDPR does not require a "privacy policy" on the website if the website does not process any personal data.
  • If personal data is processed based on consent, that consent must be freely given. Also it may not be disruptive. So a cookie wall asking for consent would be illegal. But the GDPR does not care about any other disruptive popups, as long as they are not related to asking for consent.
  • Using GeoIP is a perfect way to implement such a GDPR-Wall, because it would block everyone from within the EU, but nobody else. So it blocks exactly those for who the GDPR would apply. In such a case it would not be reasonable to expect anything more from a website owner. A user which uses a proxy, can not expect to be protected by the GDPR, because it bypasses a restriction set by the owner of the website.
  • A webserver does use the IP-address of all incoming requests, to send the reply back. That could be considered a processing of personal data, but everybody seems to agree it is not. I am not sure why. But I do agree that it would be very impractical if that is considered processing of personal data.

I added an example from the Washington Post

So you have to pay $9/month for a GDPR compliant subscription.

Because the price you have to pay is not unacceptable high, I think it would be valid to offer the premium version this way. This does not force you to choose one of the other subscriptions.

In december 2018, the Austrian DPA (DSB) has confirmed that a similar offer is lawful. On derstandard.at you get a choice between free access with tracking and advertising, or pay 6 Euro/Month for tracking free access. Because 6 Euro/Month is cheaper than subscribing to the printed edition, the DSB accepted that as a valid choice. More information can be found on noyb.eu or, (with more details but in German), on wbs-law.de.

wimh
  • 2,925
  • 12
  • 16
2

If getting through the wall requires the user to agree to the use of their data for advertising purposes, like the WaPo one in your example, then it is probably illegal. The GDPR does not allow use to be coupled with agreement to use personal data.

The Dutch data protection agency has clarified that this is the case and is currently taking enforcement action against violators.

user
  • 1,896
  • 1
  • 11
  • 23