Are cookie walls allowed under the EU ePrivacy Directive?
A cookie wall is high risk when it blocks website or app content unless the user accepts cookies, pixels, SDKs, local storage, or similar access to terminal equipment that is not strictly necessary. Article 5(3) ePrivacy analysis starts before GDPR processing analysis: check whether the service stores information on the user's device or gains access to information from it, including through browser cookies, JavaScript, pixels, tracked links, identifiers, or client-side code.
If consent is required, the consent standard is the GDPR standard. The EDPB's consent guidance says consent only works where the user has control and a genuine choice to accept or decline without detriment. For cookie walls, that means a user should not be pushed into believing consent is required for access unless the access condition is tied to a strictly necessary service or functionality that the user explicitly requested.
The EDPB cookie-wall reply also cautions against overclaiming a single blanket answer: it noted that the French court decision discussed there did not decide whether cookie walls are lawful on the merits, and that the ePrivacy Directive remained the applicable framework while consent under ePrivacy had to meet GDPR standards. Treat national implementation and regulator practice as part of the review instead of inventing a universal country rule.
- Do not set optional cookies before consent; the Cookie Banner Taskforce records that cookies requiring consent must not be set by default and consent needs a positive user action.
- Separate strictly necessary functionality from analytics, advertising, personalization, social plug-ins, affiliate tracking, pixels, and other tracking purposes.
- Offer a refusal route that is visible enough for the average user to understand; hiding refusal behind weak links, unreadable contrast, or deeper layers can undermine valid consent.
- If access depends on consent, document the alternative offered, such as access without optional cookies, a non-tracking route, or another access model, and explain why it provides a real choice.
- Keep the withdrawal path as easy to find and use as the consent path; the taskforce describes withdrawal at any time and withdrawal as easy as consent as cumulative consent conditions.
Supports the cookie-wall consent test: consent must involve control, genuine choice, no detriment for refusal, informed purposes, and easy withdrawal.
Supports banner checks for default consent, accept and reject options, misleading design, essential-cookie classification, and withdrawal access.
Supports the technical scope review for storage or access to information on terminal equipment, including cookies, pixels, identifiers, and client-side instructions.