News and developments
Consent or pay – a valid scheme under the GDPR?
Media companies
throughout Europe struggle with a difficult economic environment: Shrinking sales
figures for print products, the digitalisation and consumer demand force
publishers to offer their content also on the internet. However, generating
money for online publications is not quite easy as – at least in Austria – online
subscription against renumeration has not been well accepted by customers. This
partially has its root in the lack of suitable micropayment means in the past
and users thus getting acquainted to online information being offered for free.
Thus, publishers have instead focused on financing their platforms by online marketing
activities such as placement of banners. Nowadays such digital advertisement is
usually targeted to the specific user. For this purpose, cookies are stored on the
user's computer upon his first visit of the website, which then collect data
about his location, technical equipment used and online behaviour. This finally
allows to display specific, user targeted advertisements. However, such cookies
may cause issues with applicable consent requirements under the
telecommunication and data protection regulations:
Strict consent regime
Both the ePrivacy
Directive, implemented in Austria by the Telecommunications Act
("TKG"), as well as the GDPR set out a strict consent regime for the
setting of cookies respectively the subsequent data processing. In this light,
media companies struggled how to satisfy both, the legal requirements and their
need for funding of its online activities. It seemed that the media industry
all over Europe had more or less the same idea: On multiple platforms a banner
was installed which gave customers two options: Either to accept the setting of
cookies, which allows the company to proceed with targeted online marketing
based on the data collected on its basis, or to pay for a cookie and marketing
free online access by signing up for a paid-up subscription. But is such an
approach in line with the legal requirements? The Austrian Data Protection
Authority ("DPA") rendered a confirmatory decision
(DSB-D122.931/0003-DSB/2018 of 30.11.2018):
Decision of the DPA
In Austria, a user
filed a complaint against a quality newspaper which implemented such a "consent or pay banner". In case of
a subscription, the first month of cookie-free access was not charged, starting
from the second month 6 Euro were due. The user argued that any consent to
cookies and marketing activities must not be deemed freely given as it is
rendered to avoid the payment obligation, only and forces him to accept data
processing.
The DPA held that for
the specific case the consent requirements of the ePrivacy Directive respectively
Para 96 Sec 3 of the Austrian TKG implementing the provisions would prevail as
lex specialis (see Art. 95 GDPR and recital 173 GDPR). As the specific
regulations do not provide for the details on how the required consent may be
obtained, the general provisions of the GDPR do apply. According to Art 7 Sec 4
GDPR any performance of a contract, including the provision of a service, must
not be conditional on consent to the processing of personal data that is not
necessary for the performance of that contract. According to a detailed paper
of the former Art 29 Working Party, any consent is thus deemed to be involuntarily
if its refusal may generally cause severe disadvantages for the user (see Art
29 Working Party 2016/679, WP 259 and recital 42 GDPR).
The DPA held that in
the particular case the user may as an alternative chose the paid-up
subscription. This would allow the user to also access the content without
having to accept any cookies or targeted online marketing activities. The DPA further
held that the specific subscription price of EUR 6 would be reasonably,
adequate and fair. If the user would not like to accept the subscription, he could
still visit other websites as an alternative. In total, user's refusal to
accept cookies would thus not cause him significant disadvantages. To the
contrary, the user would be given a reasonable advantage in exchange for his
consent as both, the free and the paid access, do offer same content. Thus, the
"consent or pay" concept
would be in line with the TKG and GDPR requirements. Consequently, the DPA rejected
the complaint. There has been no information on a filing of an appeal, which is
no surprise as the complaint was made – as it actually happens quite often – on
an anonymous basis, only.
Crucial points
The decision was
received with great relieve by the Austrian media industry and may have quite
some cross-border impact. Taking the arguments of the authority into
consideration, the following issues are crucial for the establishment of a valid
"consent or pay" scheme:
- Implementation
of transparent information on the alternatives and a clear privacy notice; - No cookies
must be set prior to user's decision; - Moderate,
adequate pricing for the alternative subscription; - No
targeted marketing activities under the alternative subscription; - Comparable
content under the access against consent and paid up subscription.
Although being
non-binding in other jurisdictions, the decision of the DPA may at least be
employed as basis for an argumentation in similar cases abroad. Even if the
opinion of the DPA is not shared by other local authorities, it should at least
be reflected if it comes to the crucial question if and which fine shall be
imposed for the alleged infringement. Following a decision of a national data
protection authority, particularly one which has been and is still known for
its stringent approach, should at least help with arguing that there is only
slight negligence involved and that no or a small fine is due, only. Further,
industry associations may – as in Austria – use the decision as a basis for
initiating codes of conduct based on Art 40 GDPR to establish a joint market
standard.
Axel Anderl, Managing
Partner and Head of the IT, IP and Data Protection Practice at >DORDA Rechtsanwälte GmbH