
Suppose that a data controller chooses the consent legal basis for GDPR article 6 purposes.

Then, the data controller says something along these lines in a cookie consent banner on their website:

We need to use cookies to provide you with our service.

Accept / Decline

What if the user clicks "Decline"? Should the website session be terminated? Should the website developer prevent the user from further accessing any part of the website?

That seems like the logical conclusion if the user denies the processing of necessary cookies.

6 Answers

These kinds of cookie banners are typically noncompliant and useless since they are not clear and provide too little information to users.

Careful: blocking a user who declines consent is usually a GDPR violation! Instead, only those aspects of the site that rely on this consent should be disabled.

When cookie consent is needed

Per the EU ePrivacy directive (PECR in the UK), information society services (websites, apps, …) are only allowed to store or access information on the end user's device if one of the following holds:

  • the access or storage is strictly necessary for performing a service that was explicitly requested by the user; or
  • the user has given consent

Note: there is no “legitimate interest” exception for cookies.

When is access/storage strictly necessary? For example, it is strictly necessary for a photography app to store photos on a device. It is strictly necessary for a website to store session cookies so that you can log in to the site. It is strictly necessary for an ecommerce site to store the contents of your shopping cart. It is strictly necessary to remember cookie consent status. And so on.

It is not strictly necessary from the perspective of the user to have analytics cookies, ad personalization cookies, or cookies for features that the user doesn't actually use.

Many websites that just provide the service the user expects will therefore not have to ask for cookie consent, even if they use cookies.

It is worth noting that the ePrivacy definition is entirely technology-neutral. It doesn't relate specifically to cookies, but to any kinds of storage, including LocalStorage. Regulatory guidance considers any access or storage of information on the device to be in scope, even JavaScript APIs in a browser (for example to read the screen dimensions), and considers techniques like fingerprinting to be functionally equivalent and therefore subject to the same rules.

It is also worth noting that these rules apply regardless of whether the information being accessed/stored qualifies as “personal data”.

What consent is

Consent is defined in Art 4(11) and Art 7 GDPR, and further explained in EDPB guidelines 05/2020.

A defining feature of consent is that it must be freely given. The user must not suffer “detriment” for revoking or declining consent. And per Art 7(4):

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

This disallows making access to a service conditional on unrelated consent. For example, it would not be permissible for a website to exclude users who decline consent for advertising cookies. But:

  • The EDPB guidelines discuss that there can be “permissible incentive” for consent. For example, courts and some DPAs seem to be of the opinion that a subscription website can offer free access to users that consented to personalized ads: consent-or-pay-walls can be compliant, whereas consent-walls alone would not.
  • Sometimes consent is really needed for a processing activity, in which case it is OK to block that service until consent is given. For example, websites should not load third party content like YouTube videos or embedded maps until consent is given to share personal data with the third party. The rest of the website should still work, though.

If consent was not freely given, if the user didn't have an actual choice, then the consent is invalid.

What should the data controller in your scenario do?

The data controller should reassess the role of the cookies for which they are trying to ask for consent.

  • If these cookies are strictly necessary from the user's perspective, then it is proper to inform the user about them – but this should not be confused with consent. It is my personal opinion that purely informational cookie banners are confusing/misleading and should be avoided, but this could also be argued differently.
  • If these cookies are not strictly necessary, then the phrasing “We need to use cookies to provide you with our service” is quite misleading. It should be made clearer to the user that they can opt-in to additional services/improvements if they want to. The user should be able to configure this on a per-purpose basis.

Thus, more compliant cookie consent flows will typically give the user three options:

  • continue with only strictly necessary cookies/purposes (must be default behaviour if none is selected)
  • consent to all purposes
  • configure purposes

For example, I'm fairly happy with the current Reddit cookie notice:

[Image: the Reddit cookie notice]

Why this is a good notice:

  • it explains the data controllers (Reddit and partners)
  • it summarizes the purposes for which consent is sought
  • it links to more detailed information
  • the presented options “accept all” and “reject non-essential” are less ambiguous than “accept/decline”

Comparing this with the list of minimum required information for informed consent in section 3.3.1 of the EDPB guidelines linked above, the following information is missing though:

  • the identity of the “partners”
  • what (type of) data will be collected and used
  • the existence of the right to withdraw consent

amon
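The three-option flow the answer above recommends (strictly necessary only by default, accept all, or configure per purpose), with third-party content such as embedded videos held back until consent exists, can be implemented in the browser as below. This is an added example, not code from the answer or from any site it mentions; the purpose names, the cookie name `consent_v1`, the six-month retention period, the feature registry and the `youtube-nocookie.com` embed host are all assumptions. The functions return strings and plain objects rather than touching `document.cookie` or the DOM directly, so the decision logic can be exercised outside a browser.

```javascript
// Added example: per-purpose consent gating. Essential features always run;
// each non-essential feature runs only after consent for its purpose.
// Names below are assumptions, not taken from any real site.

const PURPOSES = ['analytics', 'ads', 'embeds']; // non-essential purposes (assumed)
const CONSENT_COOKIE = 'consent_v1';             // assumed name; remembering consent is itself strictly necessary

function noConsent() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}

// Parse the record we wrote ourselves. Missing, malformed or unknown values
// mean "not consented": the default state is strictly-necessary-only.
function parseConsent(raw) {
  const state = noConsent();
  if (typeof raw !== 'string') return state;
  for (const part of raw.split('&')) {
    const [key, value] = part.split('=');
    if (PURPOSES.includes(key)) state[key] = value === '1';
  }
  return state;
}

function serializeConsent(state) {
  return PURPOSES.map((p) => `${p}=${state[p] ? 1 : 0}`).join('&');
}

// Map the three banner buttons to a consent state. Anything unrecognised,
// including simply closing the banner, counts as "reject non-essential".
function consentFromChoice(choice, selected = {}) {
  const state = noConsent();
  if (choice === 'accept-all') {
    for (const p of PURPOSES) state[p] = true;
  } else if (choice === 'configure') {
    for (const p of PURPOSES) state[p] = selected[p] === true;
  }
  return state;
}

// The string a browser would assign to document.cookie. Path, Max-Age,
// SameSite and Secure keep the preference around and stop it being sent
// cross-site; 180 days is an assumed retention period.
function consentCookieString(state) {
  const maxAge = 60 * 60 * 24 * 180;
  return `${CONSENT_COOKIE}=${serializeConsent(state)}; Path=/; Max-Age=${maxAge}; SameSite=Lax; Secure`;
}

// Decide which registered features may run. Each feature names the purpose it
// serves; 'essential' never needs consent, every other purpose does.
function applyConsent(state, features) {
  const enabled = [];
  const disabled = [];
  for (const f of features) {
    if (f.purpose === 'essential' || state[f.purpose] === true) enabled.push(f.name);
    else disabled.push(f.name);
  }
  return { enabled, disabled };
}

// Markup for a third-party embed: the real iframe only once 'embeds' consent
// exists, otherwise an inert placeholder that asks for that single purpose,
// so the rest of the page keeps working for a user who declined.
function embedMarkup(state, videoId) {
  const id = encodeURIComponent(videoId);
  if (state.embeds === true) {
    return `<iframe src="https://www.youtube-nocookie.com/embed/${id}"></iframe>`;
  }
  return `<div class="embed-placeholder" data-purpose="embeds">` +
    `<button data-video="${id}">Load video (shares data with YouTube)</button></div>`;
}

// Constructed feature registry. In a browser each non-essential entry would
// carry a loader that injects its script or iframe only when enabled.
const FEATURES = [
  { name: 'session', purpose: 'essential' },
  { name: 'shopping-cart', purpose: 'essential' },
  { name: 'analytics.js', purpose: 'analytics' },
  { name: 'ad-personalization', purpose: 'ads' },
  { name: 'youtube-embed', purpose: 'embeds' },
];

// Usage on page load: read the cookie (here a constructed value), then only
// run what the stored consent allows.
const stored = parseConsent('analytics=0&ads=0&embeds=1');
const decision = applyConsent(stored, FEATURES);
```

Two design points worth noting: the parser treats any value it did not write itself as "no consent", so a tampered or truncated cookie can only reduce what runs, never expand it; and the placeholder for blocked embeds grants consent for one purpose at a time rather than re-opening the whole banner, which matches the per-purpose configuration the answer asks for.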

It's very easy for a web site to claim they "need" cookies, with the same sincerity that a child "needs" a pony. So here is a litmus test.

You say the user who comes to a URL with no cookies should get no page. OK, what if that user's browser has a User-Agent of "Googlebot"? It is the Google crawler. Whoa, whoa, whoa, that's a different deal! you say. We WANT to serve content to the Google search engine as bait for visitors! We Do Not Want to serve content to users who resist tracking!

That sentiment, right there, is what violates GDPR.

You must cheerfully serve the same content to cookie-refusing users as you do to Google. Noting Google's own content policy, which forbids serving different content to Google than to users (the SEO word for that is cloaking). Obviously you can omit things like the logged-in bar, but the meat of the content should be the same, cookied or not or Google.

A counter-example is example.com/user/inbox. Obviously this page exists only for logged in and cookied users and shows them their in-site messages. Someone who is not logged in, including Google, has nothing of value here. Blanking that page for cookieless users is perfectly fine.

Harper - Reinstate Monica

We can't answer what should be done. We can answer what legally can be done: There's a line in the sand between mainly two categories of cookies after doing the lawful basis tests:

  • Strictly necessary cookies for the mere functionality of the site.
  • Any other cookie.

Acceptance is only necessary for the any other cookie category. This is for example analytics or which types of ad you deem cool.

For many of the strictly necessary ones you also might have legitimate interests under (f), but it is enough that the site won't work at all or not properly if not saving those data on the user's disk. As a random example, to allow a customer's shopping cart to function, a list of items the user put into the shopping cart could be stored in the cookie. Or when logging in, a keyphrase that enables access to the user's data.

It is your duty to differentiate between absolutely necessary cookie content and anything else.

Trish

We're missing the obvious thing here.

"Strictly necessary cookies" don't exist. Period. Every time - every single time - one of these banners pops up I use uBlock to zap it away without accepting or denying anything at all. You can TRY to make me accept them. You will fail, every time, and I will continue to use the site regardless, because I can and you can't stop me.

Every site I have ever done this on as a user - probably hundreds at this point: I do it every time I get the cookie banner, everywhere I see it (including this very site, which itself is in violation of the GDPR via its lie about cookies that are "strictly necessary") - continues to function exactly as desired for the duration, regardless.

There. Are. No. Strictly. Necessary. Cookies. They simply do not exist and never have.

Hot take: if you insist there are cookies that exist that are strictly necessary, you are lying. Knowingly. And your company should be held liable under the GDPR.

Again, that includes this very site.

I have a degree in web design and development. I am posting this as a guest, without accepting any cookies or logging in.

And I can still post, without accepting any cookies at all (the cookie liebanner is up even as I type this on mobile).

I am considering reporting this site to EU regulators as an ironically shining example of just how many websites blatantly lie about "strictly necessary cookies" in order to try to skate around their legal requirements.

Kyle

Stopping the user who declines from using your website is a GDPR violation. What the site needs to do is to run the site without the cookies. If this makes it harder to send spam to me... That's Ok.

gnasher729

@Richard Tingle I posted my reply above and this one without creating an account, much less logging in. I've accepted no cookies prior to doing so.

Strictly necessary cookies don't exist. Not when you can refuse to accept or deny them and still have this particular functionality.

If I intended to create an account (I don't) or log in (I haven't, ever) it would be different. As it is, this site's claims of cookies being "strictly necessary" are just plain lies. I have neither created an account nor logged in, and despite refusing to accept OR deny the cookie liebanner I can still post and even edit my post (as I have just now done).

What I've just proven conclusively is that cookies AREN'T NECESSARY. Period. My actions right here, right now are proof positive that the claims of them being necessary for the site to function properly are bald-faced lies that should cause this very site to be sanctioned per the GDPR.

No I am not being polite. Frankly, given the discussion and the site I find myself on I am very, very, very pissed off. I do NOT like being lied to and I like people who lie to regulators even less.

This site should face fines for this given this discussion. Its open and flagrant violation of the GDPR requires a response. I think I WILL report this site to regulators. Its admins damned well ought to know better than to try to pull this trick.

Kyle