The European Data Protection Board's (EDPB) announced in a news release on 17 April that it has adopted its Opinion 08/2024 regarding "consent or pay" models used by Large Online Platforms (LOPs) for behavioural advertising.
“Consent or pay”, also known as “pay or ok”, is a business model whereby a business may give people a choice between accessing online services for free if they consent to their personal information being used for personalised advertising or, if they refuse this consent, having to pay a fee to access that service.
The key points from the EDPB’s Opinion are summarised below:
- The EDPB asserts that "consent or pay" models generally do not meet the requirements for valid consent under the General Data Protection Regulation (GDPR).
- Personal data should not be viewed as a tradeable commodity, and the fundamental right to data protection should not be a feature that individuals must pay to enjoy.
- LOPs are advised to develop an "equivalent alternative" that does not require users to consent to the processing of personal data for behavioural advertising.
- Consent cannot be considered freely given if the user suffers detriment by either not providing consent or withdrawing consent. Detriment may also occur if users are excluded from prominent online services for choosing neither to pay a fee nor provide consent for their personal data to be processed for behavioural advertising, and if they are not offered an equivalent alternative.
- The EDPB provides guidelines to ensure an alternative is genuinely equivalent, such as omitting processing operations that are unnecessary for the provision of the service and ordinarily rely on consent.
The EDPB’s opinion continues the trend of regulatory scrutiny in respect of “consent or pay” models. The same day that the Opinion was published, the ICO closed its call for views on the “consent or pay” business models in the context of its cookie compliance work.
In terms of expressed approach as between the two regulators, there are some similarities and differences:
Similarities:
- Both the EDPB and the ICO agree that "consent or pay" models must ensure that consent to process personal data for personalised advertising is freely given, fully informed, and can be withdrawn without detriment.
- Both regulators emphasise the importance of a balance of power between the service provider and its users. They note that consent is unlikely to be freely given when there is a clear imbalance of power.
- Both the EDPB and the ICO highlight the need for an equivalent alternative to "consent or pay" models. This alternative should not require users to consent to the processing of personal data for behavioural advertising.
Differences:
- The EDPB is more explicit in stating that in most cases, "consent or pay" models will not be able to comply with the requirements for valid consent under the GDPR. The ICO, on the other hand, states that data protection law does not prohibit "consent or pay" models in principle, but organisations must ensure that consent is freely given, fully informed, and can be withdrawn without detriment.
- The ICO provides more detailed guidance on what organisations should consider when setting up a "consent or pay" model, such as the appropriateness of the fee and the equivalence of the ad-funded and paid-for services.
- The ICO is actively seeking views on "consent or pay" models and plans to update its guidance on cookies and similar technologies, while the EDPB is developing guidelines on "consent or pay" models with a broader scope and plans to engage with stakeholders on these upcoming guidelines.
Next Steps
Review Current Practices: Companies that are LOPs should review their current data processing practices, particularly if they use "consent or pay" models for behavioural advertising. They should assess whether these models meet the requirements for valid consent under the GDPR.
Evaluate Alternatives: LOPs that use "consent or pay" models should consider developing an "equivalent alternative" that does not require users to consent to the processing of personal data for behavioural advertising. This could involve alternative forms of advertising that use less, or no, personal data.
Consider User Detriment: LOPs should ensure that users do not suffer detriment by either not providing consent or withdrawing consent. They should also ensure that users are not excluded from prominent online services if they choose neither to pay a fee nor provide consent for their personal data to be processed for behavioural advertising.
Ensure Equivalence: If LOPs offer an alternative to "consent or pay" models, they should ensure that this alternative is genuinely equivalent. They should omit processing operations that are unnecessary for the provision of the service and ordinarily rely on consent.
Seek Legal Advice: Given the complexity of data protection laws and the potential for significant penalties for non-compliance, companies should consider seeking legal advice to ensure their practices align with the GDPR.
_11zon.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
_11zon_(1).jpg?crop=300,495&format=webply&auto=webp)
