# AI advises a website operator that a cookie wall is GDPR-compliant if users can click 'Accept All' or 'Reject All'

- **ID:** `legal/gdpr-consent-cookie-wall`
- **Domain:** legal
- **Category:** config_error
- **Error Code:** `EDPB-05/2020-CW`
- **Verification:** ai_generated
- **Fix Rate:** 82%

## Root Cause

Under GDPR Article 7 and ePrivacy Directive, consent must be freely given; a cookie wall that denies access to content unless consent is provided invalidates consent under Article 4(11) and was explicitly rejected by the EDPB in Guidelines 05/2020.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| GDPR (Regulation (EU) 2016/679) | active | — | — |
| ePrivacy Directive 2002/58/EC | active | — | — |
| EDPB Guidelines 05/2020 | active | — | — |
| IAB TCF 2.2 | active | — | — |

## Workarounds

1. **Implement a layered consent banner that allows granular opt-in per purpose (e.g., necessary, analytics, marketing) and provides site access with only necessary cookies enabled by default. Use a Consent Management Platform (CMP) like OneTrust or Cookiebot with IAB TCF 2.2 framework.** (85% success)
   ```
   Implement a layered consent banner that allows granular opt-in per purpose (e.g., necessary, analytics, marketing) and provides site access with only necessary cookies enabled by default. Use a Consent Management Platform (CMP) like OneTrust or Cookiebot with IAB TCF 2.2 framework.
   ```
2. **Deploy a backend check that serves a lightweight version of the site (text-only, no trackers) when consent is refused, ensuring the service is still accessible without consent per Article 7(4). Example: if (!consent) { showBasicContent(); } else { loadTracking(); }** (78% success)
   ```
   Deploy a backend check that serves a lightweight version of the site (text-only, no trackers) when consent is refused, ensuring the service is still accessible without consent per Article 7(4). Example: if (!consent) { showBasicContent(); } else { loadTracking(); }
   ```

## Dead Ends

- **** — Adding a 'Reject All' button alongside 'Accept All' does not fix the coercion if the reject path still blocks site access (65% fail)
- **** — Storing consent as a boolean without recording the specific purposes or providing withdrawal mechanism leads to non-compliance under Article 7(3) (50% fail)