On April 17, 2024, the European Data Protection Board (EDPB) released new guidelines, Opinion 08/2024, addressing the "consent or pay" model employed by major online platforms. These guidelines assert that this model frequently fails to meet the General Data Protection Regulation (GDPR) standards, recommending a case-by-case evaluation of its use. Drafted in response to requests from data protection authorities in the Netherlands, Norway, and Germany—following Meta's adoption of this model on its Facebook and Instagram platforms—the guidelines scrutinize the "consent or pay" model, which necessitates user consent for processing personal data for behavioral advertising. The guidelines emphasize that offering only a binary choice of consenting to personal data processing for behavioral advertising or paying a fee generally does not satisfy the criteria for valid consent. They advise that controllers should not default to this model but should instead consider providing a fee-free equivalent alternative.
Definitions
"Consent or Pay" Model: In this model, controllers present data subjects with at least two choices for accessing the online services they offer. Data subjects may either consent to the processing of their personal data for designated purposes or decline to give consent and instead pay a fee to access the services. The guidelines particularly address scenarios where consent is solicited for the processing of personal data for behavioral advertising purposes.
Behavioral Advertising: This form of advertising is notably intrusive, utilizing data accumulated from observing user activities over time to offer personalized advertisements. These advertisements are tailored based on individual user profiles, which are derived from their preferences, tastes, and interests, allowing for an analysis of user interactions with these tailored advertisements.
Large Online Platforms: An online platform qualifies as large based on several criteria: the extent to which it attracts a substantial user base; its market position; the scale of data processing it conducts, which includes the number of data subjects involved, the volume of data, and the geographic breadth of the processing; and whether it includes controllers of "very large online platforms" as categorized under the Digital Services Act (DSA) and "gatekeepers" under the Digital Markets Act (DMA).
Consent
GDPR's Provisions on Consent
- Article 4(11) of GDPR defines "consent" as a voluntary, specific, informed, and explicit expression of will by which the data subject agrees through a statement or a clear affirmative action to the processing of personal data relating to him or her.
- Article 6(1)(a) establishes that the data subject's consent is one of the legal bases for processing personal data.
- Article 5 outlines the data protection principles (lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality), and Article 25(2) on data protection by design and by default requires that, by default, only the personal data necessary for each specific purpose are processed and that they are not made accessible to others.
- Article 7 and Recitals 32, 42 and 43 set out the main conditions controllers must meet when relying on consent: controllers must be able to demonstrate that the data subject has consented to the processing of their personal data, which ties in with the accountability principle under Article 5(2) of the GDPR. If consent is given in a written declaration that also concerns other matters, it must be presented in a manner clearly distinguishable from those other matters, in an easily understandable form and in clear and plain language, and any part of such a declaration that breaches the GDPR is not binding. Data subjects must be informed, before giving consent, that they have the right to withdraw it at any time, and withdrawal does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. Withdrawing consent must be as easy as giving it. Lastly, consent must be freely given; where there is a clear imbalance between the data subject and the controller, consent should not be regarded as freely given.
Other Legal Considerations
The "consent or pay" model may have marginal intersections with other EU legal frameworks; it is advisable to refer to these statutes to ensure seamless integration within the EU legal systems. Notably, the definition of "consent" in Article 2(f) of the ePrivacy Directive aligns with that in the GDPR. Similarly, the DMA's Article 5(2) invokes the GDPR definition of "consent." Furthermore, aspects of the guidelines intersect with consumer protection law, competition law, the Directive on Unfair Commercial Practices (2005/29/EC), and the Digital Content Directive (2019/770). Additionally, the Digital Services Act (DSA) specifies obligations for online platform providers, including those classified as very large, enhancing the coherence of EU legislation pertaining to online platforms.
Federal Cartel Court Decision Summary
- The legal question presented was whether the consent obtained from online social network users, given the dominant market position of the network operator, satisfies the effectiveness conditions stipulated in Article 4(11) of the GDPR, particularly the requirement that consent must be freely given.
- The court observed that a dominant position held by online social network providers does not inherently obstruct users from granting valid consent under the GDPR for the processing of their personal data. Nevertheless, a critical element in affirming the validity of such consent is the operator's obligation to demonstrate that the consent was voluntarily given. This aspect is vital as it influences the user's autonomy in decision-making; the inability of users to refuse or withdraw consent without adverse consequences could create a substantial imbalance between the controller and the data subject.
- Considerations such as the extent of data processing, its profound effects on users, and the users' reasonable expectations are pivotal factors in evaluating the case.
Walkthrough of the Guidelines
Principles and General Provisions
- Consent from data subjects does not justify collecting personal data beyond what is necessary for specified purposes or in a manner that is unfair.
- Data processing must adhere to the principles of necessity and proportionality, ensuring compliance with purpose limitation and data minimization principles. The proportionality principle questions the necessity of processing personal data and assesses whether the intended purpose could be fulfilled through less invasive methods or by processing less personal data, whether less detailed or aggregated.
- Reconciling excessive tracking with the data minimization principle poses greater challenges compared to personalized advertising systems that enable users to determine their preferences autonomously.
- Data processing activities must uphold the principle of fairness, aligning with the reasonable expectations of data subjects, avoiding discrimination, not exploiting vulnerabilities, preventing imbalances of rights, and refraining from using deceptive or manipulative tactics. When processing activities are particularly intrusive, they should be scrutinized for their impact on the rights and dignity of the subjects, ensuring subjects are provided with the highest level of autonomy. Fairness should guide the controller's decisions, especially when options available to data subjects are limited or potentially manipulated.
- Data processing must comply with the principle of transparency.
- Controllers are expected to observe the data protection principles and to meet the requirements of data protection by design and by default.
- Special protection for children: Children must be shielded from behavioral advertising influences, exempting them from having to make a "consent or pay" decision.
- Special emphasis should be placed on GDPR Article 5(2) concerning accountability. Controllers are required to demonstrate that consent obtained from data subjects was given voluntarily and fulfills other criteria necessary for its validity.
Effectiveness of Consent
A. Voluntary Consent
- Defining Consent: Consent is a definitive indication of the data subject's intent, where voluntariness is essential to the legality of the data processing activities.
- Ensuring Freedom of Choice: Controllers are required to ensure that data subjects have genuine autonomy in making consent decisions. This includes avoiding the imposition of barriers that could restrict the ability to refuse consent, in line with GDPR provisions on data subjects' control rights over their data. Furthermore, data subjects should not be subjected to misleading designs and must be fully informed about their data processing rights.
- Conditions Undermining Voluntary Consent: Consent is deemed involuntary if influenced by deception, intimidation, coercion, or any other circumstances that impede the free will of the data subjects. Additionally, if data subjects are reluctant to accept the adverse effects associated with data processing, such consent is considered invalid.
- Criteria for Valid Consent: Key considerations for assessing the validity of consent include potential harm to the data subject from refusing or withdrawing consent, the presence of any imbalance of rights between the data subject and the controller, the necessity of consent as a condition for obtaining services or goods, and the ability of the data subject to give consent to various processing activities.
- Individual Assessment of Consent Validity: The evaluation of consent validity must be conducted on a case-by-case basis, considering the specific circumstances and contexts involved.
- Provision of a Non-Behavioral Advertising Alternative
A foundational aspect of safeguarding the data subject's freedom of choice is the range of options provided by the controller.
- The default provision of only a paid service is not acceptable; controllers must offer a free equivalent alternative that does not involve behavioral advertising. This approach prevents users from being forced into a binary decision between consenting to behavioral advertising and paying to opt out, thereby ensuring that consent remains voluntary.
- The free alternative should not entail processing personal data for behavioral advertising. Instead, it could involve less invasive forms of advertising, such as contextual or general advertising, with controllers ensuring that only the necessary personal data for such advertising is processed.
- An essential factor in assessing both the data subject's autonomy in choice and the effectiveness of their consent is whether the controller offers a free alternative devoid of behavioral advertising. This strategy can significantly diminish, or altogether prevent, the adverse effects faced by users who choose not to consent.
- In scenarios where there is a power imbalance, providing a free alternative is a crucial method for controllers to demonstrate that non-consent does not lead to negative repercussions for the data subject.
- Controllers must enable data subjects to clearly understand the potential adverse outcomes of each option, ensuring that choices are presented without deceptive designs.
- Consideration should also be given to specific requirements under the DMA or DSA "gatekeeper" regulations.
- Damage
Controllers are obligated to demonstrate that data subjects who refuse or withdraw consent will not experience harm. Potential types of harm include:
- Users who have historically accessed services without fees or consent to behavioral advertising may face financial hardships or lose access to the service if a free alternative is not provided. This impact is particularly pronounced for long-standing users on large online platforms where lock-in or network effects are significant. The introduction of a "consent or pay" model partway through their use can cause substantial harm.
- On platforms that rely heavily on user-generated content or user interactions, such as video sharing platforms or social networks, network effects can complicate users' decisions to discontinue service use without facing adverse consequences. Often, users prefer to be tracked to maintain online interactions with friends or preferred networks. For users entrenched in the platform's environment, discontinuing use can lead to significant losses, including the loss of communication links, images, videos, and personalized data. The duration of use intensifies the impact of these lock-in effects.
- Inability to use services integral to daily life or those that play a significant role in society can cause considerable detriment. Services such as social platforms or key forums in economic and political arenas profoundly influence users' social lives and their inability to access these can be damaging.
- Being unable to access professional or employment-related platforms can harm users by stripping them of equal opportunities for employment and the ability to stay informed about critical developments in their respective fields.
- Even where users lose access to a service, controllers must ensure that they inform users of their GDPR rights, including the rights to access and port their personal data. This ensures that, despite the cessation of service use, users' statutory rights are upheld and communicated clearly.
- Power Imbalance
- GDPR Recital (43) emphasizes that for consent to be deemed voluntarily given, it must be free from any significant power imbalance between the data subject and the controller. This is particularly pertinent when the controller operates within the public sector or as a government entity. In situations where a clear power disparity exists, the data subject might feel coerced, leading to decisions made under duress.
- Consent under conditions of power imbalance is only applicable in special circumstances. Adhering to the accountability principle, controllers are required to demonstrate that data subjects will not suffer adverse consequences for withholding consent, particularly when a viable alternative to the traditional consent or pay model is offered. Under these conditions, consent may be regarded as valid.
- Controllers must evaluate the presence of power imbalances using several indicators:
- Market Position: The dominance of a controller, particularly if it is a governmental entity or a major employer, can exacerbate power imbalances. However, a dominant market position alone does not automatically invalidate consent.
- Lack of Alternatives: The absence of realistic alternative services for data subjects can contribute to a power imbalance.
- Link between Imbalance and Harm: The relationship between power imbalances and potential harm should be closely analyzed, including factors like network effects and lock-in phenomena.
- Service Dependency: The extent to which data subjects depend on the services for essential aspects of life, such as employment, public discourse, or daily routines, limits their freedom to choose.
- Vulnerable Target Audiences: Platforms that primarily target vulnerable groups, such as children, are more likely to exhibit power imbalances.
- Conditionality
- Under GDPR Article 7(4), the assessment of whether consent is freely given must take utmost account of whether data subjects are compelled to consent to processing activities that are objectively unnecessary for accessing the service. Where access to a service is made conditional on such consent, that consent is unlikely to be regarded as freely given.
- The Federal Cartel Court has ruled that when data processing operations are not essential for contract fulfillment, controllers are obligated to provide a viable alternative that does not require such data processing. If necessary, this may involve a fee, thereby ensuring compliance with the conditionality requirement and preventing invalid consent.
- Provision of an Equivalent Alternative
- Definition: An equivalent alternative is a service offered by the same controller that does not necessitate consent for processing personal data for behavioral advertising.
- Degree of Difference: The alternative should be deemed equivalent if differences from the original are limited to the absence of data processing for behavioral advertising.
- Function and Quality: Equivalence pertains to the functional and qualitative aspects of the service. The alternative version should provide the same features and functions as the original, although it need not be identical. Additionally, the quality of the alternative service should not be degraded.
- Data Processing Requirements: The equivalent alternative should not involve tracking of data subjects or the provision of personalized advertising, unless the tracking is performed for purposes other than behavioral advertising.
- Appropriate Fee Considerations Based on Necessity
- Personal data must not be commodified. The necessity and appropriateness of any fee must be aligned with the principles set out in the Charter of Fundamental Rights of the EU and the GDPR.
- Controllers are required to determine the appropriateness of fees on a case-by-case basis, taking into account the specifics of each situation and GDPR guidelines concerning valid consent.
- It is crucial that fee imposition does not obstruct the data subjects' ability to refuse consent nor coerce them into consenting. Fee strategies should uphold data subjects' autonomy.
- Attention must be focused on adhering to GDPR Article 5's principles of fairness and accountability.
- While controllers have the autonomy to set fees, regulatory bodies retain the authority to intervene if fees undermine voluntary consent or contravene accountability norms. The enforcement and interpretation of GDPR compliance rest with regulatory authorities, though cooperation with other agencies may be sought.
- Granularity: In the "consent or pay" framework, it is imperative that the different processing purposes are distinctly separated, allowing data subjects the liberty to select each purpose independently. The granularity of consent, particularly in the context of behavioral advertising on large online platforms, is intricate and requires nuanced attention to ensure clarity and compliance.
B. Informed Consent
According to GDPR recital (42), for consent to be truly informed, data subjects must be aware of the controller's identity and the specific purposes for processing their personal data. Inadequate information impedes the ability of users to make informed decisions, rendering the consent invalid. Thus, it is essential that data subjects are provided with comprehensive information regarding the key factors influencing their choices, along with necessary supplementary details to fully comprehend the processing operations they are subjected to.
Factors influencing informed consent extend beyond the principles of transparency, fairness, and accountability to include the depth and quality of the information provided:
- Content of Consent: Based on the accountability principle, controllers are required to provide a clear description and record of the processing activities, ensuring that data subjects have a clear understanding of the implications, scope, and potential outcomes of their decisions. While GDPR recital (42) mandates only the disclosure of the controller's identity and the purposes of processing, it does not require a detailed description. However, when employing the "consent or pay" model, large online platforms must ensure that users are fully informed about the processing activities, their changes, and their impacts. This includes providing detailed information enabling data subjects to comprehend fully the services to which they are consenting and maintaining the option to object to other services. The purposes of processing must be clearly defined, avoiding vagueness, and should set out both the benefits and the potential adverse effects for data subjects. The information should align with the choices offered and explain the technologies used in processing personal data, in keeping with the principles of fairness and transparency. Controllers are also advised to update data subjects about any new versions of or changes in the processing activities and to disclose the legal basis for processing personal data. Specific attention should be given to the disclosure of recipients of personal data, transfers of data to third countries, the retention period, any ongoing collection and processing of data regardless of consent, the right of data subjects to withdraw consent and the implications of such withdrawal, and any potential combination or cross-use of data.
- Methods of Providing Information:
- Timing: Information must be provided thoroughly before the initiation of data processing for behavioral advertising purposes, ensuring that data subjects have sufficient time to digest and understand the information.
- Methodology: The use of deceptive design methods is strictly prohibited.
- Transparency: Adherence to GDPR’s transparency guidelines is crucial. The information should be presented in a language that is clear, comprehensible, and concise, explicitly stating the consequences of the data subject’s choices regarding personal data processing.
C. Specific Consent
Specific consent necessitates that large online platforms engage in the processing of personal information for well-defined, clear, and lawful purposes. It is imperative that these platforms provide comprehensive and accurate information regarding these purposes to prevent the gradual expansion or ambiguity of the processing intentions (known as function creep). Specific consent must adhere to principles of granularity, informed consent, and other fundamental data protection principles.
D. Explicit Expression of Will
As stipulated by Article 4(11) of the General Data Protection Regulation (GDPR), for consent to be deemed valid, it must represent an explicit expression of the data subject's will. Typically, a singular action by a data subject does not suffice to demonstrate explicit consent for all intended purposes; rather, consent must be articulated through a clear declaration or a proactive gesture. Within the "consent or pay" model, when users agree to access free services, this agreement should solely reflect consent to the processing activities essential for those services. Consent for any additional purposes must be obtained through active selection by the user. Furthermore, the employment of ambiguous information or designs should be avoided to ensure that the solicitation of consent is precise and transparent. Consent should not be perceived merely as a means to circumvent payment obligations, but should be a clear and deliberate choice by the data subject.
Additional Factors
A. Withdrawal of Consent
Data subjects are entitled to withdraw their consent at any time, and the process should be as straightforward and non-detrimental as the initial granting of consent. Should the withdrawal result in any harm, the consent will be deemed invalid from its inception, and the associated data must be erased. Controllers are obligated to clearly inform data subjects of their right to withdraw consent and of the procedure for doing so. Withdrawal should not automatically trigger a transition to a paid service. It is crucial that both the provision and the withdrawal of consent are voluntary, adhering to established standards of freedom of choice and non-detriment. Notably, ceasing payments is not tantamount to withdrawing consent. Data processing activities conducted before the withdrawal remain lawful; however, processing must cease following a withdrawal, and the data should be promptly deleted unless there is a justified reason to retain it.
B. Re-obtaining Consent
Controllers must periodically assess the need to re-obtain consent, taking into account the context, the breadth of the initial consent, and the expectations of the data subjects. It is recommended that for activities such as online behavioral advertising, consent should be renewed annually to ensure ongoing compliance and relevance.
Compliance Recommendations
These guidelines address the data processing practices under the "consent or pay" model utilized by large online platforms, specifically for behavioral advertising. Commonly, if these platforms provide only the options of "consent to use personal data" or "pay to refuse," they fail to meet the standards of "valid consent." Thus, it is imperative for platforms to offer a free equivalent alternative. Personal data must not be treated as a commodity, and the safeguarding of fundamental rights related to data should not be contingent upon payment by the data subjects. It is essential to evaluate whether data subjects within the "consent or pay" model are truly making voluntary choices and to consider potential risks such as deception, coercion, or significant adverse effects, as well as any factors that may impair free will. Consent procedures must adhere to principles of granularity, conditionality, accountability, and specificity to be deemed valid. Lastly, the guidelines underscore that obtaining valid consent does not exempt platforms from adhering to other GDPR mandates, including purpose limitation, data minimization, fairness, and default data protection principles, among others.