Twitter Logo Youtube Circle Icon LinkedIn Icon

Publishing firms

Legal Developments worldwide

Consent or pay – a valid scheme under the GDPR?

April 2019 - TMT ( Technology, Media & Telecoms). Legal Developments by Dorda.

More articles by this firm.

Media companies throughout Europe struggle with a difficult economic environment: Shrinking sales figures for print products, the digitalisation and consumer demand force publishers to offer their content also on the internet. However, generating money for online publications is not quite easy as – at least in Austria – online subscription against renumeration has not been well accepted by customers. This partially has its root in the lack of suitable micropayment means in the past and users thus getting acquainted to online information being offered for free. Thus, publishers have instead focused on financing their platforms by online marketing activities such as placement of banners. Nowadays such digital advertisement is usually targeted to the specific user. For this purpose, cookies are stored on the user's computer upon his first visit of the website, which then collect data about his location, technical equipment used and online behaviour. This finally allows to display specific, user targeted advertisements. However, such cookies may cause issues with applicable consent requirements under the telecommunication and data protection regulations:

Strict consent regime

Both the ePrivacy Directive, implemented in Austria by the Telecommunications Act ("TKG"), as well as the GDPR set out a strict consent regime for the setting of cookies respectively the subsequent data processing. In this light, media companies struggled how to satisfy both, the legal requirements and their need for funding of its online activities. It seemed that the media industry all over Europe had more or less the same idea: On multiple platforms a banner was installed which gave customers two options: Either to accept the setting of cookies, which allows the company to proceed with targeted online marketing based on the data collected on its basis, or to pay for a cookie and marketing free online access by signing up for a paid-up subscription. But is such an approach in line with the legal requirements? The Austrian Data Protection Authority ("DPA") rendered a confirmatory decision (DSB-D122.931/0003-DSB/2018 of 30.11.2018):

Decision of the DPA

In Austria, a user filed a complaint against a quality newspaper which implemented such a "consent or pay banner". In case of a subscription, the first month of cookie-free access was not charged, starting from the second month 6 Euro were due. The user argued that any consent to cookies and marketing activities must not be deemed freely given as it is rendered to avoid the payment obligation, only and forces him to accept data processing.

The DPA held that for the specific case the consent requirements of the ePrivacy Directive respectively Para 96 Sec 3 of the Austrian TKG implementing the provisions would prevail as lex specialis (see Art. 95 GDPR and recital 173 GDPR). As the specific regulations do not provide for the details on how the required consent may be obtained, the general provisions of the GDPR do apply. According to Art 7 Sec 4 GDPR any performance of a contract, including the provision of a service, must not be conditional on consent to the processing of personal data that is not necessary for the performance of that contract. According to a detailed paper of the former Art 29 Working Party, any consent is thus deemed to be involuntarily if its refusal may generally cause severe disadvantages for the user (see Art 29 Working Party 2016/679, WP 259 and recital 42 GDPR).

The DPA held that in the particular case the user may as an alternative chose the paid-up subscription. This would allow the user to also access the content without having to accept any cookies or targeted online marketing activities. The DPA further held that the specific subscription price of EUR 6 would be reasonably, adequate and fair. If the user would not like to accept the subscription, he could still visit other websites as an alternative. In total, user's refusal to accept cookies would thus not cause him significant disadvantages. To the contrary, the user would be given a reasonable advantage in exchange for his consent as both, the free and the paid access, do offer same content. Thus, the "consent or pay" concept would be in line with the TKG and GDPR requirements. Consequently, the DPA rejected the complaint. There has been no information on a filing of an appeal, which is no surprise as the complaint was made – as it actually happens quite often – on an anonymous basis, only.

Crucial points

The decision was received with great relieve by the Austrian media industry and may have quite some cross-border impact. Taking the arguments of the authority into consideration, the following issues are crucial for the establishment of a valid "consent or pay" scheme:

  • Implementation of transparent information on the alternatives and a clear privacy notice;
  • No cookies must be set prior to user's decision;
  • Moderate, adequate pricing for the alternative subscription;
  • No targeted marketing activities under the alternative subscription;
  • Comparable content under the access against consent and paid up subscription.

Although being non-binding in other jurisdictions, the decision of the DPA may at least be employed as basis for an argumentation in similar cases abroad. Even if the opinion of the DPA is not shared by other local authorities, it should at least be reflected if it comes to the crucial question if and which fine shall be imposed for the alleged infringement. Following a decision of a national data protection authority, particularly one which has been and is still known for its stringent approach, should at least help with arguing that there is only slight negligence involved and that no or a small fine is due, only. Further, industry associations may – as in Austria – use the decision as a basis for initiating codes of conduct based on Art 40 GDPR to establish a joint market standard.

Axel Anderl, Managing Partner and Head of the IT, IP and Data Protection Practice at >DORDA Rechtsanwälte GmbH