Having a cookie consent option is very useful but it is relatively pointless without being able to track the consents for compliance.
The ICO say...
A cookie wall – sometimes called a ‘tracking wall’ – requires users to ‘agree’ or ‘accept’ the setting of cookies before they can access an online service’s content. This is also known as the ‘take it or leave it approach’.
In some circumstances, this approach is inappropriate; for example, where the user or subscriber has no genuine choice but to sign up. This is because the GDPR says that consent must be freely given.
Further, Recital 43 of the GDPR states that:
‘Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.’
The ePrivacy Directive refers to conditional access to website content in Recital 25. This is sometimes used to justify using a cookie wall. It states:
‘Access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.’
However, when considering Recital 25, you should note that:
‘specific website content’ means that you should not make ‘general access’ subject to conditions requiring users to accept non-essential cookies – you can only limit certain content if the user does not consent; and
the term ‘legitimate purpose’ refers to facilitating the provision of an information society service – ie, a service the user explicitly requests. This does not include third parties such as analytics services or online advertising.
If your use of a cookie wall is intended to require, or influence, users to agree to their personal data being used by you or any third parties as a condition of accessing your service, then it is unlikely that user consent is considered valid.
However, it should be noted that not all cookie tracking is necessarily intrusive or high risk. Furthermore, the GDPR is clear that the right to the protection of personal data:
is not absolute;
should be considered in relation to its function in society; and
must be balanced against other fundamental rights, including freedom of expression and the freedom to conduct a business.
The key is that individuals are provided with a genuine free choice; consent should not be bundled up as a condition of the service unless it is necessary for that service.