Background on the Opinion
The advent of the General Data Protection Regulation ("GDPR") raised the profile of data protection and privacy for organisations and the public. For the latter, one of the areas where this was perhaps most evident is website users' interactions with online platforms and in particular the prevalence of advertising to such users.
To increase the efficacy of such advertising, organisations often use behavioural and targeted advertising. However, following the CJEU ruling in July 2023 that organisations could not rely on such activity (and the associated processing of user personal data) being for their own legitimate interests (the "Bundeskartellamt decision"), the alternative legal basis relied on has been user consent. Indeed, the Bundeskartellamt decision noted that, for users who do not consent, an equivalent alternative service must be offered which may include the payment of a fee.
Organisations have therefore offered users a choice between consenting to the processing of their personal data; paying a fee in order that such processing does not occur; or otherwise not using the services offered and so not having their personal data processed (known as the "consent or pay model").
The Dutch, Norwegian and Hamburg supervisory authorities requested the EDPB's view on circumstances where large online platforms have adopted a consent or pay model for behavioural advertising and the manner in which any consent obtained satisfies the GDPR consent requirements, following which the EDPB has issued the Opinion.
Consent or pay model concerns
Following the introduction of pay or consent models and prior to the Opinion, there have been a number of concerns raised regarding such models, including:
- Payment for rights: At a principle level, a consent or pay model could be viewed as treating privacy as a privilege which an individual must purchase and a commodity linked to a price tag, rather than a fundamental right.
Amongst privacy campaigners there is a fear that this could lead to an erosion of the fundamental right to data privacy, further empowering organisations to freely collect and use data for their benefit, and push the industry towards the prioritisation of profit above user rights, especially a user's control over their own information.
- Financial barriers: Accessibility and exclusion issues are also present in a consent or pay model. A fee, especially if higher, may create a two-tiered system excluding low-income users from fully controlling their data privacy.
Such an approach could be seen as exacerbating social inequalities and raising issues of digital equity, an issue of paramount importance since free access is one of the foundations of a great deal of digital content.
Beyond the GDPR, in the US, potential class action lawsuits over this aspect of such models are being considered which argue that the fee to be paid for data privacy would be a form of discrimination against low-income users.
- Transparency: The lack of transparency on the extent of data collection could lead to users believing they have the choice of opting out of all data collection, while still being tracked and profiled for purposes other than targeted ads. A 'paid' option would not necessarily offer much more clarity on the extent of data still collected, raising concerns over hidden tracking practices.
- Anti-competitive practices and competition: Big platforms' dominant position in the sector could result in unfair advantage (manifested through the forced agreement for users to accept paying a fee) and the normalisation of a consent or pay model which could hinder innovation and limit the user's choice, negatively impacting the online environment's vitality and dynamism, some of its key aspects.
The Opinion
The headline coming out of the Opinion is that "in most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice". This would seemingly be the EDPB charting a course which aligns with the Bundeskartellamt decision (i.e. that a consent or pay model is permissible) but substantively narrows the circumstances in which it would be feasible, thereby addressing the privacy concerns.
The detail of the Opinion though puts more meat on the bones and raises a range of issues and interests for market participants to consider, including:
- Applicability of the Opinion: The Bundeskartellamt decision was in the context of large online platforms, a term which is not defined for the purposes of GDPR. The Opinion does not set out a test of what would constitute a large online platform for the purposes of the Opinion, but it does provide a range of aspects which may determine whether an organisation is one.
Such aspects include whether the organisation attracts a large number of data subjects as users; whether it conducts large scale processing; if it is a 'very large online platform' (as defined in the Digital Services Act) or a 'gatekeeper' (per the Digital Markets Act); as well as such organisation's relative position in the market. The EDPB emphasises that such aspects are non-exhaustive and each organisation will need to consider its position on a case by case basis.
Arguably this creates a new category of controller (a large online platform controller) and, given the EDPB has noted that it will develop further guidelines on consent or pay models which will have a "broader scope", it will be interesting to see the approach this takes for what are likely to be smaller, non-large online platforms.
- Consent must still be GDPR consent: The Opinion is clear that a consent or pay model can operate provided that the controller can demonstrate that such consent meets the requirements of GDPR: freely given, informed, unambiguous and specific.
The EDPB discusses in detail each of these limbs and the factors to consider. For instance, if the introduction of a consent or pay model causes detriment to a user such that consent is not freely given, an organisation should keep in mind the nature of the service offered (e.g. is it systematically used, would it prevent participation in social life).
Interestingly the EDPB, contrary to the views of some privacy advocacy groups, has steered away from perceiving any 'payment' as being a detriment, rather such detriment would be due to the loss of the service itself. That said, the Opinion notes that the nature of any fee imposed will be a relevant consideration.
The Opinion emphasises that the specifics of a given consent or pay model (and in particular the organisation implementing such model) are critical and that case-by-case consideration will be required. There is then no 'one size fits all' approach for large online platforms.
- Other GDPR principles: Even if a controller considers that its consent or pay model meets the GDPR consent requirements, the Opinion emphasises that all GDPR principles will need to be complied with, such as principles of necessity, proportionality and fairness.
For instance, behavioural advertising is often based on the collection, aggregation and analysis of as much data as possible which militates against the principle of data minimisation. Ensuring that the services offered in consent or pay models are designed in such a way as to meet such principles will be integral to their being compliant from a GDPR consent perspective.
- Real alternative(s): While the Opinion does not unambiguously state that any one approach by a large online platform would render a consent or pay model workable from a consent compliance perspective, it does strongly suggest that the provision of an alternative service which provides genuine equivalence to those which are offered pursuant to the consent or pay model options, would be beneficial.
Such a 'third way', for example a service which relied on contextual advertising rather than behavioural advertising and was as rich in features as those made available by way of a paid version, would likely provide a user with a real choice. It is worth noting also that the EDPB does not view a similar, free offering from a third party organisation as a real choice.
Whether or not the provision of a further offering works commercially will be interesting to monitor as the implications of the Bundeskartellamt decision, the Opinion, and subsequent supervisory authority action are felt.
There remains then a world in which large online platforms can adopt a consent or pay model (and indeed the EDPB did not have much choice in this given the Bundeskartellamt decision), but it is clear that the threshold is high and will require careful consideration by such organisations in order to employ it in a manner which is compliant with the GDPR.
Next steps
- Non-binding: Ultimately the Opinion is non-binding and it will be for supervisory authorities to determine whether a particular consent or pay model is appropriate in the context in which it is being used. The Opinion does however offer some further clarity on the considerations which supervisory authorities will have if and when reviewing such models.
- Large online platforms: Similarly for large online platforms, there is now more detail on whether a consent or pay model can be put in place, and the considerations which should underpin utilising such model. Key to this will be offering users a real choice, explaining the implications of such choice, and ensuring any model used complies with fundamental privacy principles.
- Smaller organisations: The Opinion predominantly relates to 'large online platforms' and, while the considerations set out are helpful for organisations in the broader ecosystem, the EDPB has noted that it will develop further guidelines on consent or pay models which will have a "broader scope" and can be expected to provide further clarity for organisations which are not large online platforms.
- UK: In the UK, the Information Commissioner's Office ("ICO") has issued a call for views on consent or pay models. While the ICO's initial view is that UK data protection law does not outright prohibit such models, it has outlined four factors that companies should consider: (i) any imbalance of power between the company and its users; (ii) equivalence of the free and ad-funded services; (iii) the level of the fee charged; and (iv) privacy by design, as well as emphasising that organisations need to consider how to treat existing users, who may have different expectations compared to new users. The outcome of this canvassing should result in updated guidance for the UK in due course.
Key contacts
Tommaso Bacchelli
Trainee Solicitor, London