If you spend time on the internet, you’ve probably come across a cookie wall or a paywall. In this post, we’ll explore whether, under the GDPR, using either method is legally allowed or not. Before we dive into the legal requirements, though, let’s go over what these methods actually are.
📌 The cookie wall is a mechanism where the user has only one option to access the website: accept the processing of cookies. The cookie wall is prohibited.
Since this can affect publishers’ ability to earn, some within the industry have tried to make use of the current “grey area” to shift the landscape to one that is more profitable. One example of this is the so-called “paywall”.
While legislation may vary slightly between EU countries, in general, cookie walls are most likely not allowed as they can be considered contrary to the GDPR’s requirement for “freely given” consent.
The European Data Protection Board (EDPB), in its guidelines for GDPR compliance, confirmed that the use of cookie walls does not constitute a valid way of obtaining consent for personal data processing in the EU.
On a member-state level, some countries such as Germany and Belgium state explicitly that they do not allow cookie walls. Other countries, such as the UK and Ireland, do not yet have definitive statements.
The Austrian, French and Danish DPAs have already indicated that the paywall system is a valid solution as long as the subscription to the site has a modest and fair cost so that it does not constrain the user’s free choice.
The Spanish DPA indirectly shared its position, implying that cookie walls can be used as long as the user has been clearly informed of the two available options for accessing the service:
Latest Developments on the “Pay or Okay” Practice
A Request for EDPB’s Formal Opinion
Recent trends show an increasing number of major online services implementing a “pay or okay” policy, where users must either consent to being tracked and profiled for behavioral marketing or pay a fee to access the service. This practice has raised significant privacy concerns, leading the Data Protection Authorities (DPAs) of Norway, the Netherlands, and Hamburg to seek guidance from the European Data Protection Board (EDPB).
The DPAs have formally requested the EDPB to issue an opinion under Article 64(2) of the GDPR on whether such practices comply with the requirement for consent to be genuinely voluntary. This inquiry reflects a critical junction for online privacy, posing the question: Is privacy a universal right or a luxury for those who can afford it?
Tobias Judin, head of the International Section at the Norwegian DPA, emphasizes the importance of this issue, stating, “We are at a crossroads. Is privacy a human right for everyone, or is it a luxury reserved for those with ample means? The answer will define the internet in the years to come.”
The EDPB is expected to provide an opinion within eight weeks, with a possible extension of up to fourteen weeks. This decision could significantly impact how consent-based practices are enforced across the EEA, aiming for a harmonized approach to privacy and consent.
The debate centers on the voluntary nature of consent and the conditions under which it is obtained, especially in light of the EU Court’s emphasis on the voluntary aspect of consent. With varying stances among European DPAs and the potential for significant implications for popular online services, a unified interpretation from the EDPB could clarify the legality and ethicality of “pay or okay” schemes.
Regardless of the EDPB’s forthcoming opinion, the need for transparent and less invasive marketing practices remains, underscoring the balance between profit maximization and respecting user privacy.
UPDATE: On May 17, 2023, the German Data Protection Authority of Lower Saxony (LfD) made a decision regarding the use of a consent banner as a cookie paywall on the popular German-language tech news site, heise.de. The authority found that this practice infringed several articles of the GDPR.
🔑 The key takeaway from the DSB’s decision is that if a “pay or okay” system is used, users should have the option to give granular consent instead of just a general one. It’s important to note that the DSB reached this decision specifically because users were only given a choice between paying or allowing all their data to be processed without the option for more granular consent.
As it stands, the decision of whether paywalls can be compliant or not is still somewhat of a grey area. We will have to wait for a uniform approach from the DPAs to better assess the compliance of these mechanisms.
iubenda will, as always, be following this evolving case and will keep you updated with any new decisions.
💡 To learn more about which EU cookie consent rules apply on a per-country basis, check out our Cookie Consent Cheatsheet.
Our Privacy Controls and Cookie Solution has specific consent recovery features that give publishers the freedom to place the accept button in a subscription pop-up or other elements in cases where you choose to use methods like paywalls. Please get in contact with us for further information on this option.