On 17 January 2024, the Data Protection Authorities (“DPAs”) in Norway, the Netherlands, and Hamburg asked the European Data Protection Board (the “EDPB”) to take a position in relation to the “consent or pay” models, requesting a formal opinion pursuant to Article 64(2) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”). The request concerns, in short, the circumstances under which so-called “consent or pay” models can be implemented by large online platforms that attract large numbers of users in the European Economic Area when data is processed for behavioral advertising purposes, in a way that satisfies the requirement for a valid, and in particular freely given, consent, also taking into account the judgment C-252/21 of the European Court of Justice (the “CJEU”).

“Consent or pay” models can be defined as models where a data controller offers data subjects a choice between at least two options in order to gain access to an online service that the controller provides:

Under the first option, the data subjects get access to the service only if they consent to being tracked and targeted with behavioral advertising by the data controller. In this case, the data controller’s business model is usually financed through online advertising based on users’ behaviors.

Under the second option, the data subjects pay a fee (which can be, for instance, a weekly, monthly, or annual subscription, as well as a one-off payment) and are allowed to access a version of the service that does not include the processing of the user’s personal data for behavioral advertising purposes. However, while this second option may entail that the data subjects are not tracked at all, it might also entail that data subjects would still be tracked for different purposes, e.g. in order to analyze the use of a website to improve its functionalities.
In any event, the EDPB recalls that such purposes must be legitimate and specific, and that processing must be based on a lawful ground pursuant to the GDPR. Moreover, cookies or tracking technologies may still be used under the paid version of the service, for purposes other than behavioral advertising. If any technology used involves access to or storage of information in terminal equipment, this is subject to compliance with the GDPR and Article 5(3) of the ePrivacy Directive, where applicable.

Scope of the Opinion

The opinion of the EDPB (the “Opinion”) concerns, and is limited to, the assessment of the validity of consent when used as a legal basis to process personal data for behavioral advertising purposes within the context of “consent or pay” models deployed by large online platforms.

Behavioral advertising is based on different criteria and techniques, including on the basis of information related to users’ behavior online and offline. Behavioral advertising, which entails the development of detailed profiles of data subjects, has become a key feature of certain business models in today’s online environment. Online behavioral advertising is defined, in the Article 29 Working Party (WP29) Opinion 2/2010 on online behavioral advertising, as “advertising that is based on the observation of the behavior of individuals over time” and, specifically, the development of a specific profile of the users and the provision of advertisements tailored to match data subjects’ inferred interests.

The EDPB recalls that “online platform” is not defined in the GDPR; this concept may cover, but is not limited to, “online platform” as defined under Article 3(i) of the Digital Services Act[1] (the “DSA”).
According to the EDPB, the following elements shall be assessed, on a case-by-case basis, to determine whether a controller is considered a “large online platform”:

The EDPB further recalls that such a definition may cover, among others, certain controllers of “very large online platforms” (“VLOPs”)[2], as defined under the DSA, and “gatekeepers”, as defined under the Digital Markets Act (the “DMA”)[3]. (For a detailed description of these topics, please refer to our previous paper, available here, in Italian.)

Legal and jurisprudential context

For the purposes of the Opinion, the EDPB highlights the need for large online platforms to comply with all the requirements of the GDPR. First and foremost, the reference goes to Article 4(11) and Article 6(1)(a) of the GDPR, which define consent and specify that it is one of the lawful grounds for processing of personal data. In addition, it is also important to recall all the principles relating to processing of personal data, such as the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability (Article 5 of the GDPR), and the principle of data protection by design and by default (Article 25 of the GDPR). Other relevant provisions are Article 7 and Recitals 32, 42 and 43 of the GDPR, which provide additional requirements and guidance regarding how controllers need to comply with the main elements of the consent requirements.

The EDPB further recalls other relevant European regulations, such as the ePrivacy Directive (Directive 2002/58/EC) and implementing national laws; Directive 2005/29/EC (the Unfair Commercial Practices Directive); Directive 2019/770 concerning contracts for the supply of digital content and digital services; the DMA and the DSA.
There are also various guidelines adopted by the EDPB which are relevant for the Opinion, such as the Guidelines 05/2020 on consent (the “Guidelines on consent”), which, however, do not explain how they should be applied in the context of “consent or pay” models implemented by large online platforms.

Lastly, as expressly requested by the DPAs, the EDPB recalls the judgment C-252/21 of the CJEU. The CJEU has affirmed that the mere presence of a dominant market position held by a provider of online social networks does not inherently negate the ability of users of such platforms to offer valid consent, as outlined in Article 4(11) of the GDPR, regarding the processing of their personal data by said operator. However, the CJEU has clarified that the existence of a dominant position constitutes a significant factor in evaluating if the consent is valid – and in particular freely given – with the burden of proof lying upon the operator in question. This determination stems from the recognition that such a circumstance may impinge upon the freedom of choice of the user, potentially rendering them unable to refuse or withdraw consent without facing adverse consequences. Moreover, it may create a clear power asymmetry between the data subject and the controller, thus warranting heightened scrutiny.

When can the consent collected by large online platforms, in the context of “consent or pay” models, be considered valid?

In line with the principle of accountability, the Opinion concludes that behavioral advertising may only be considered as valid to the extent that such platforms can demonstrate that all the requirements for valid consent have been met. This means that the consent shall be:

The EDPB also provides clarifications on the withdrawal of consent and advises controllers to carefully assess how often consent should be “refreshed”.
As to the first aspect, the EDPB emphasizes that the requirement of an easy withdrawal is a necessary aspect of valid consent in the GDPR. In the context of “consent or pay” models, it is important that transparent and clearly recognizable information is provided on how the right of withdrawal can be exercised, in order to avoid giving the impression that the withdrawal would automatically lead to entering into a paid subscription. In such cases, exercising the right of withdrawal will result in the user being once again faced with the choice of whether to give consent to the processing for behavioral advertising purposes or take out a paid subscription.

On the other hand, referring to how often consent should be refreshed, the EDPB provides that controllers should conduct this assessment on a case-by-case basis. In the context of behavioral advertising, considering the intrusiveness of the processing, the EDPB emphasizes that a limited period of time during which consent remains valid, such as one year, seems appropriate.

1. Freely given consent

The criterion of “freely given consent” is central to the understanding of consent as a legal basis for processing of personal data. The distinct character of consent as a legal basis for processing is that it is the data subject’s decision (i.e. their freedom of choice) which determines the legality of the processing. Controllers must ensure that data subjects have a real freedom of choice when asked to consent to the processing of their personal data, and they may not limit data subjects’ autonomy by making it harder to refuse rather than to consent. In fact, consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will.
The EDPB, in order to qualify a consent as “freely given”, recalls its previous Guidelines on consent, explaining that the main criteria to be taken into account when assessing whether consent is valid are the following:

In addition to these conditions, in the Opinion, the EDPB identifies an additional (and new) requirement that should be a feature of valid consent: the provision of a “free alternative” without behavioral advertising. As stated above, data subjects should enjoy a real and genuine freedom of choice when asked to consent to the processing of personal data. Therefore, the offering of (only) a paid alternative to the service which includes processing for behavioral advertising purposes should not be the default way forward for controllers.

When developing the alternative to the version of the service with behavioral advertising, controllers should consider providing data subjects with an “equivalent alternative” that does not entail the payment of a fee. This means that, if controllers choose to charge a fee for access to the “equivalent alternative”, controllers should consider also offering a further alternative, free of charge, without behavioral advertising, e.g. with a form of advertising involving the processing of less (or no) personal data. This is a particularly important factor in the assessment of certain criteria for valid consent under the GDPR: whether such an alternative is offered free of charge will have a substantial impact on the assessment of the validity of consent, in particular to mitigate the detriment that may arise for non-consenting users from either having to pay a fee to access the service or not being able to access it.

Moreover, the EDPB considers that the “equivalent alternative”, as mentioned by the CJEU, refers to an alternative version of the service offered by the same controller that does not involve consenting to the processing of personal data for behavioral advertising purposes.
The Opinion provides elements that can help ensure the alternative is genuinely equivalent: the more the alternative version differs from the version with behavioral advertising, the less likely it is for the alternative version to be considered as genuinely equivalent to the latter, although the EDPB states that this remains a case-by-case assessment. In this regard, the EDPB emphasizes that the equivalent alternative shall not be accompanied by data processing operations that are not necessary for the provision of the service and rely on consent. Hence, since processing for behavioral advertising purposes is not necessary for the provision of the service and relies on consent, this processing has to be omitted in the alternative version.

Moreover, regarding the imposition of a fee to access the “equivalent alternative” version of the service, the EDPB recalls that personal data cannot be considered as a tradeable commodity. Controllers should assess, on a case-by-case basis, both whether a fee is appropriate at all and what amount is appropriate in the given circumstances, keeping in mind the need to prevent the fundamental rights of the data subjects from being transformed into a premium feature.

2. Informed consent

Providing information to data subjects prior to obtaining their consent is essential to enable them to make informed decisions and understand what they are agreeing to. In fact, the GDPR provides that it is necessary to inform the data subject of certain elements that are crucial to making a genuine choice, i.e. (at least) the identity of the controller and the purposes of the processing for which the personal data are intended. In the context of the “consent or pay” models, large online platforms should:

3. Specific consent

The Opinion provides that valid consent also needs to be specific, i.e.
given for one or more specific purposes and amount to an unambiguous indication of wishes: in “consent or pay” models it is especially important for controllers to attentively design how data subjects are asked to provide their consent. This means that users should not be subject to deceptive design patterns.

Large online platforms should define a specific, explicit and legitimate purpose for the processing activities for which consent is collected and provide sufficient information to the data subjects on such processing activities. Moreover, they should precisely define and delimit the purposes of their processing activities, as well as assess and document on a case-by-case basis whether providing behavioral advertising entails that they process personal data for different purposes, and require separate consents for such purposes.

[1] Art. 3(i) of the DSA defines “online platform” as a “hosting service that, at the request of a recipient of the service, stores and disseminates information to the public, unless that activity is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons, cannot be used without that other service, and the integration of the feature or functionality into the other service is not a means to circumvent the applicability of this Regulation”.

[2] VLOPs are “online platforms which provide their services to a number of average monthly active recipients of the service in the Union equal to or higher than 45 million and which are designated as VLOPs” by the European Commission under Article 33(4) DSA.

[3] “Gatekeepers” are companies that fulfil the following three cumulative requirements: (i) they have a significant impact on the internal market; (ii) they provide a core platform service, which is an important gateway for business users to reach end users; (iii) they enjoy an entrenched and durable position, in their operations, or it is foreseeable that they will enjoy such a position in the near future.