Is the use of a cookie wall allowed in European Countries?

If you spend time on the internet, you’ve probably come across a cookie wall or a paywall. In this post, we’ll explore whether, under the GDPR, using either method is legally allowed or not. Before we dive into the legal requirements, though, let’s go over what these methods actually are.

📌 The cookie wall is a mechanism where the user has only one option to access the website: accept the processing of the cookies. The cookie wall is prohibited.

Since this can affect publishers’ ability to earn, some within the industry have tried to make use of the current “grey area” to shift the landscape to one that is more profitable. One example of this is the so-called “paywall”.

📌 The paywall is a method where the user is given another option (for example, to pay or subscribe instead of giving consent for the use of cookies) to access the content.

Can I block access to my site if the user does not consent and be compliant with the GDPR?

While legislation may vary slightly between EU countries, in general, cookie walls are most likely not allowed as they can be considered contrary to the GDPR’s requirement for “freely given” consent.

In response to evolving digital platform practices, the European Data Protection Board (EDPB) has issued an Opinion which offers new guidance emphasizing the need for large online platforms to offer consumers robust privacy-preserving alternatives. Specifically, the EDPB advises that when devising alternatives to current models, platforms should provide a truly equivalent option that does not require consumers to pay a fee.

In instances where a fee-based alternative is provided, platforms are encouraged to consider also offering a complimentary option such as using contextual advertising or allowing users to select their preferred advertising types, rather than relying on intrusive behavioral advertising. This approach, where advertising relies minimally or not at all on personal data, aligns closely with GDPR standards for obtaining valid consent and underscores the importance of offering genuine choices to users.

The Opinion mainly focuses on large online platforms but also seems to set a general standard that could apply to various digital services, a theme which will be explored further in the upcoming guidelines. It highlights the EDPB’s dedication to making privacy a key part of the user experience on all digital platforms, fostering a more equitable digital environment.

On a member-state level, some countries such as Germany and Belgium state explicitly that they do not allow cookie walls. Other countries, such as the UK and Ireland, do not yet have definitive statements.

👉 The Italian DPA (Garante Privacy) stated in its latest Guidelines on cookies and other tracking tools that the cookie wall is unlawful except when the website provides the data subject with the option of accessing equivalent content or services without giving his or her consent to the storage and use of cookies or other tracking tools – which will have to be verified on a case-by-case basis.

Are paywalls an appropriate solution?

As regards paywalls, the Garante published a press release to inform that it’s analyzing this solution as implemented by some Italian publishers.

The Austrian, French and Danish DPAs have already indicated that the paywall system is a valid solution as long as the subscription to the site has a modest and fair cost so that it does not constrain the user’s free choice.

UPDATE: On May 17, 2023, the German Data Protection Authority of Lower Saxony (LfD) made a decision regarding the use of a consent banner as a cookie paywall on the popular German-language tech news site, heise.de. The authority found that this practice infringed several articles of the GDPR.

The Spanish DPA indirectly shared its position implying that cookie walls can be used as long as the user has been clearly informed of the two available options for accessing the service:

  1. accepting the use of cookies; or
  2. another alternative, “not necessarily free of charge”, that doesn’t require giving consent to cookies.

The DSB issued a decision about the “pay or okay” system adopted by an Austrian media outlet. The system gives users a choice between paying for a subscription or allowing all their data to be processed. The DSB said that this choice doesn’t give users real freedom to consent. It also said it is worried about the idea of “blanket consent”, where people who can’t afford to pay are forced to give their consent anyway. However, the DSB did not make a decision about whether the “pay or okay” system or the subscription fee of 8 euros per month (96 euros per year) is fair or not.

🔑 The key takeaway from the DSB’s decision is that if a “pay or okay” system is used, users should have the option to give granular consent instead of just a general one. It’s important to note that the DSB reached this decision specifically because users were only given a choice between paying or allowing all their data to be processed, without the option for more granular consent.

Latest Developments on the “Pay or Okay” Practice

A Request for EDPB’s Formal Opinion

Recent trends show an increasing number of major online services implementing a “pay or okay” policy, where users must either consent to being tracked and profiled for behavioral marketing or pay a fee to access the service. This practice has raised significant privacy concerns, leading the Data Protection Authorities (DPAs) of Norway, the Netherlands, and Hamburg to seek guidance from the European Data Protection Board (EDPB).

The DPAs have formally requested the EDPB to issue an opinion under Article 64(2) of the GDPR on whether such practices comply with the requirement for consent to be genuinely voluntary. This inquiry reflects a critical junction for online privacy, posing the question: Is privacy a universal right or a luxury for those who can afford it?

Tobias Judin, head of the International Section at the Norwegian DPA, emphasizes the importance of this issue, stating, “We are at a crossroads. Is privacy a human right for everyone, or is it a luxury reserved for those with ample means? The answer will define the internet in the years to come.”

The EDPB has now issued an opinion, and further guidelines are expected to be developed. This development could significantly influence how consent-based practices are enforced throughout the EEA, promoting a uniform approach to privacy and consent.

The debate centers on the voluntary nature of consent and the conditions under which it is obtained, especially in light of the EU Court’s emphasis on the voluntary aspect of consent. The EDPB is advocating for a third option that promotes fairness and choice for users. This push for an alternative approach aims to clarify the legality and ethics of “pay or okay” models across European DPAs, potentially reshaping practices in popular online services.

Regardless of the EDPB’s forthcoming opinion, the need for transparent and less invasive marketing practices remains, underscoring the balance between profit maximization and respecting user privacy.

Currently, the compliance of paywall mechanisms with privacy regulations remains ambiguous. However, the recent press release from the EDPB points towards clearer guidelines expected in the near future. These guidelines are anticipated to provide some clarity to DPAs, which will help better assess the compliance or otherwise of paywalls and similar mechanisms. This guidance is particularly crucial as it will clarify the expectations and requirements for providing users with genuine choices in accessing digital content under privacy regulations.

iubenda will, as always, be following this evolving case and will keep you updated with any new decisions.

💡 To learn more about which EU cookie consent rules apply on a per-country basis, check out our Cookie Consent Cheatsheet here.

How iubenda can help you collect GDPR consent (while still monetizing your content!)

Our Privacy Controls and Cookie Solution has specific consent recovery features that give publishers the freedom to place the accept button in a subscription pop-up or other elements in cases where you choose to use methods like paywalls. Please get in contact with us for further information on this option.
