
The German Data Protection Authority of Lower Saxony (LfD) has determined that the use of a consent banner by the German tech news site heise.de infringes several articles of the General Data Protection Regulation (GDPR).

The decision highlights concerns regarding the site’s cookie pay wall and the lack of proper user consent.

Let’s delve into the details 👇

The Background

Heise Medien GmbH & Co. KG, the owner of heise.de, introduced a “Pur Subscription” (cookie paywall) model in February 2021. This model offered users a choice between accessing the website for free with personalized advertising and tracking, or paying for a subscription to eliminate tracking and external advertising.

Numerous complaints were filed with the LfD, alleging violations of data protection laws related to the use of cookies, tracking technologies, and third-party services.

The Consent Banner

The LfD found that the consent banner used on heise.de in July 2021 did not provide granular consent options. Instead, users were asked to provide blanket consent by clicking the “Accept” button. In this case, blanket consent refers to a situation where users provide a general consent that encompasses all purposes without being able to make individual choices for each specific purpose.

The design of the banner created an imbalance between the data controller and the user, making it difficult for users to find comprehensive information and give informed consent. The LfD highlighted the absence of voluntariness in the consent process and the lack of clear options to refuse or withdraw consent.


The Decision

The LfD concluded that heise.de’s 2021 “Pur-Subscription” consent banner system violated Article 6(1) of the GDPR by not meeting the conditions for processing users’ personal data and also Article 7(3) as the revocation of consent was considerably more difficult than granting consent.

The consent banner was finally updated in January 2023, allowing users more options and information. However, the LfD still issued its decision based on the previous shortcomings.

While no fines were imposed, Heise received a warning under Article 58(2) of the GDPR and was ordered to pay the costs of the proceedings. The LfD emphasized that this decision could influence potential future GDPR breaches and the imposition of fines.

Separate LfD Audits

The LfD conducted audits on five unnamed media companies, probably also including heise.de, regarding their use of cookies, tracking technologies, and “pur-subscription models.” The audits revealed that these companies did not meet the legal requirements for the use of cookies. In addition, their consent banners were deemed misleading and inadequate. The companies were notified of the deficiencies and given an opportunity to rectify them.

While the LfD did not explicitly label the consent banners containing “pur-subscription models” as illegal, it identified non-compliance during the audits.

The media companies subsequently updated their banners, which indicates an effort to comply with the GDPR, but further developments and ongoing monitoring will clarify the LfD’s exact position on cookie pay walls.

Granular consent, voluntary choices, and easy revocation processes are essential for websites to comply with the GDPR and protect users’ data.

Key Takeaways from the Case: Insights into GDPR Compliance and Consent Banners

Based on the ruling, the LfD found that the implementation of the cookie paywall, specifically the design of the consent banner, did not fully align with key provisions of the GDPR, particularly Articles 6, 4, and 7. The ruling identified several issues, including:

  1. the lack of voluntary and granular consent options;
  2. insufficient choices presented to users; and
  3. difficulties in revoking consent compared to granting it, contrary to what the GDPR mandates.

Transparency and adherence to the principles of freely given and informed consent are of utmost importance for websites opting to employ cookie paywalls. This ruling serves as a reminder to prioritize these principles to ensure compliance with the GDPR and protect users’ data privacy rights.

If users are properly informed about what they are consenting to and if the cookie pay wall system offers an equivalent alternative to consent, then it may be considered acceptable by the LfD.

The GDPR requires that users have a clear understanding of the purposes for which their data will be processed and the ability to withdraw consent without facing disadvantages. If the consent banner and cookie pay wall fulfill these requirements, it may be considered compliant with the GDPR.

As always, we will monitor this case and further developments from the LfD to gain a clearer understanding of their position on the use of cookie pay walls and whether they are considered to be in line with the GDPR. Compliance with data protection regulations is crucial to protect users’ privacy and ensure transparency in data processing practices.
