Perhaps I’ve oversimplified a bit. GDPR has a paragraph that’s often called the “coupling prohibition” - Article 7(4):
> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
It somehow says a whole lot and not much at the same time. Since every member state and everyone who has to comply needs to interpret what GDPR means there are various “recitals” that offer official guidance. One of those is Recital 42 - Burden of Proof and Requirements for Consent[1] which says:
> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
So a person must be able to refuse consent “without detriment” and the company is meant to provide an equivalent, but necessarily identical, service to those who do not consent.
What that means exactly is, of course, the subject of much litigation. For example is it a “detriment” to require a subscription fee to those who do not consent to information sharing? So far one ruling (Austria) has said no, provided the fee is reasonable while another (UK) has said yes, the equivalent service must also be free.
As far as how the coupling prohibition should or will apply to a company like facebook - where harvesting user data is the entire business model - I think that is yet to be clearly determined. As are most of the nuances and technicalities in GDPR.
Edit: I should also note that consent is just one avenue to legally allow a company to process user data under GDPR. It’s not the only avenue.
This really shouldn't be left to interpretation, both Article 7(4) and Recital 42 define what is "freely given consent" and in no way limits the actions i can take as a site owner. It is clear that a "cookie wall" isn't considered a "freely given consent" so you can't process personal data based on that.
Correct you can’t process personal data based on it. And the underlying implication is that none of the consent you’ve obtained via a cookie wall is valid because you haven’t given any users the opportunity to “refuse without detriment” (because their options are to consent or see nothing). So the information you’re processing on behalf of users who clicked “I agree” - even the users who do in fact knowingly and willingly agree to the information processing - might be lacking a legal basis.
> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
It somehow says a whole lot and not much at the same time. Since every member state and everyone who has to comply needs to interpret what GDPR means there are various “recitals” that offer official guidance. One of those is Recital 42 - Burden of Proof and Requirements for Consent[1] which says:
> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
So a person must be able to refuse consent “without detriment” and the company is meant to provide an equivalent, but necessarily identical, service to those who do not consent.
What that means exactly is, of course, the subject of much litigation. For example is it a “detriment” to require a subscription fee to those who do not consent to information sharing? So far one ruling (Austria) has said no, provided the fee is reasonable while another (UK) has said yes, the equivalent service must also be free.
As far as how the coupling prohibition should or will apply to a company like facebook - where harvesting user data is the entire business model - I think that is yet to be clearly determined. As are most of the nuances and technicalities in GDPR.
Edit: I should also note that consent is just one avenue to legally allow a company to process user data under GDPR. It’s not the only avenue.
[1]https://gdpr-info.eu/recitals/no-42/