The EDPB highlights the need to comply with all the requirements of the GDPR, in particular those for valid consent.
In the rapidly evolving landscape of ecommerce and data protection, it is paramount for businesses to understand how any new practices involving the processing of personal data may affect their users’ privacy and the business’s compliance with the relevant legislation. In this regard, the dilemma around the lawfulness of the ‘consent or pay’ models, also known as ‘pay or ok’, has raised some concerns in the industry recently, in particular in relation to valid consent and the concept of equivalent alternatives. Following a request from the Dutch, Norwegian and German (Hamburg) supervisory authorities after several large online platforms had started to implement ‘consent or pay’ models relating to behavioural advertising, the European Data Protection Board (EDPB) has released its opinion on the requirements for valid consent in this context, also pointing out that obtaining consent does not absolve the controller from complying with the rest of the GDPR principles and obligations.
Understanding the ‘Pay or Ok’ Models
‘Pay or ok’ models present users with a choice of either consenting to data processing for behavioural advertising and other purposes when accessing the online service or paying a fee for gaining access to the online service without their personal data being processed for those purposes. It should be noted that whereas this second option may mean that the data subjects will not be tracked at all, it might also entail that data subjects will still be tracked for different purposes, for example for website usage analytics and improvement. While these models offer users a degree of control over their data, they also raise significant dilemmas in relation to data protection and GDPR compliance.
Firstly, the validity of consent is a key concern. The GDPR mandates that consent must be freely given, specific, informed, and unambiguous. In the context of ‘pay or ok’ models, users may feel coerced into consenting to data processing to access the services, some of which might even be considered essential services such as searching for a job, potentially undermining the principle of freely given consent. Additionally, there’s a risk of ambiguity regarding the terms of consent, especially if users are not fully informed about the implications of their choices. Furthermore, the proportionality of data processing is another issue, as businesses must ensure that the collection and processing of user data are necessary and proportionate to the services provided.
Requirements for valid consent under the GDPR
The EDPB puts a special focus on the fact that valid consent within the context of ‘pay or ok’ models must comply with the GDPR requirements. Accordingly, consent should be freely given, specific, informed, and unambiguous. The EDPB carries out an assessment of the lawfulness of consent gathered within the scope of ‘pay or ok’ models which results in the following key conclusions:
- Controllers should offer an equivalent alternative free of charge, which could be a version of the service with a different form of advertising involving the processing of less personal data or no personal data at all. The existence of this alternative should be considered as a determining factor when assessing whether data subjects can exercise a real choice and therefore whether consent is valid.
- When presented with a ‘consent or pay’ model, the data subject should be free to choose the individual purpose(s) they accept, rather than having to consent to a bundle of processing purposes.
- Comprehensive information about the processing of personal data should be provided before the consent is collected, allowing the data subjects to genuinely understand the processing operations at hand. For example, it has to be clear to the data subjects what exactly they would be paying a fee for and how that would affect the data processing involved.
- The withdrawal of consent should not automatically enter the data subject into the paid subscription, but it should rather result in the data subject being presented again with the different alternatives that are available. Conversely, the termination of the paid subscription is not equivalent to giving consent.
It should be noted that whereas the EDPB Opinion is focused on large online platforms, the analysis of compliance with GDPR requirements applies to any business or online service processing personal data under the ‘pay or ok’ models.
Equivalent alternative: what does this concept entail?
The EDPB points out that users must have genuine choices beyond consenting to data processing for behavioural advertising or paying for their personal data not to be used for these purposes. This entails providing users with meaningful alternatives that offer comparable benefits without relying on data processing for behavioural advertising.
Whereas the CJEU indicated in the Bundeskartellamt judgement that where data processing operations are not strictly necessary for the performance of the contract, users must be free to refuse to consent to such processing operations and be offered an alternative “if necessary for an appropriate fee”, no additional details were provided on the meaning of the expressions “equivalent alternative” or “if necessary for an appropriate fee”. In its Opinion, the EDPB points out that in order for the alternative to be equivalent, it should, among other requirements, also omit the processing operations that would be carried out as a precondition of processing for behavioural advertising purposes.
Other considerations from the EDPB
Together with the requirements for valid consent and the proportionality assessment, the EDPB also addresses the need for complying with other principles and obligations mandated by the GDPR.
Purpose limitation and data minimisation are key in order to ensure that the personal data is collected and processed only for specified, explicit, and legitimate purposes, minimising the risk of excessive or unnecessary data processing. These principles play an essential role in this scenario since behavioural advertising may involve the collection and processing of large amounts of personal data, including the combination of several sources that could result in intrusive monitoring of the data subjects.
The processing of personal data about children is another point that should be observed under the ‘pay or ok’ models, given that children merit additional protection as vulnerable individuals; therefore, they should not be subject to behavioural advertising.
According to Cristina Contero Almagro, one of Aphaia’s Managing Partners, “Since behavioural advertising is a particularly intrusive form of advertising, entailing significant risks for the fundamental rights and freedoms of the data subjects, controllers should carry out a Data Protection Impact Assessment when considering the implementation of ‘pay or ok’ models or when evaluating equivalent alternatives in this context. Businesses should also take into account any implications that these decisions may have in relation to their compliance with other relevant laws, such as the ePrivacy Directive”.
As regulatory requirements continue to evolve, businesses must remain vigilant and adaptable, ensuring that innovation and growth are not detrimental to compliance with the GDPR and other data protection legislation.