EDPB Adopts Opinion on the Validity of the “Consent or Pay” Model for Behavioral Advertisement

By Destiny Ginn

On April 17, 2024, the European Data Protection Board (‘EDPB’) issued an opinion on whether “consent or pay” models used by large online platform services are valid consent mechanisms under the GDPR. The EDPB stated, “In most cases, it will not be possible for large online platforms to comply with requirements for valid consent if they confront users only with a binary choice between consenting to the processing of personal data for behavioral advertising purposes and paying a fee.” If adopted, this opinion would ultimately change how valid consent is obtained by large and possibly small businesses.

Background 

On January 17, 2024, the Dutch, Norwegian, and German supervisory authorities requested that the EDPB issue an opinion on “consent or pay” models in accordance with Article 64(2) of the EU General Data Protection Regulation (‘GDPR’) to determine whether controllers could use “consent or pay” models to obtain consent to process personal data for behavioral advertising. The Dutch, Norwegian, and German supervisory authorities will have an opportunity to amend draft decisions according to this opinion or to inform the EDPB chair if they intend not to follow the Board’s opinion.

“Consent or Pay” Models 

“Consent or pay” describes a monetization model in which controllers offer consumers a choice between at least two options to gain access to their online services or apps. Consumers are given an option between paying a fee to receive a privacy-protective service or agreeing to use the service with lower privacy protections. The EDPB opinion addressed only large online platforms giving consumers an option between paying a fee to use the services without behavioral advertising or agreeing to use the service for free with behavioral advertisements. The EDPB rejects the notion that large online platforms using “consent or pay” models with EU users obtain freely given consent under GDPR. The EDPB advises controllers to offer an “equivalent alternative” to consumers that is free of charge.

Large Online Platform 

The EDPB appeared to limit its opinion to “large online platforms.” Although consent standards apply to all controllers, the EDPB narrowly considered “consent or pay” models in the context of large platforms given “[t]hese platforms may be uniquely situated in respect of some of the criteria for valid consent, e.g., in respect of the existence of an imbalance of power.” But the EDPB stated it will be publishing more guidance on “consent or pay” models for small platforms later in the year.

According to the EDPB, a company may be a large online platform depending on the application of a number of factors. Among these factors are:

(1)  Whether the controller attracts a large number of data subjects as its users;

(2)  The position of the controller in the market;

(3)  Whether the controller is conducting large-scale processing under the GDPR (for this determination, the EDPB pointed to Recital 91 and Article 29 of the Working Party Guidance for reference); and

(4)  Whether the controller is a “very large online platform” under the Digital Services Act and a “gatekeeper” under the Digital Markets Act.

Requirements for Valid Consent

Under the GDPR, where a controller is required to obtain consent for processing or relies on consent as a legal basis of processing, the consent must be freely given, specific, informed and unambiguous. The EDPB focuses specifically on freely given consent for behavioral advertising in the opinion. Controllers relying on consent as a legal basis (or required to obtain consent) must ensure that consumers have a free choice about whether to consent to any processing, and no limitation may be placed on the consumer that makes it harder to choose. Under the EDPB opinion, users should not face any detriments for not consenting to behavioral advertising. It is considered a detriment to force users to pay a fee to use a service without behavioral advertising. The EDPB encourages large online platforms to provide consumers with a free “equivalent alternative” to the use of their platforms without behavioral advertising and strongly discourages the ‘consent or pay’ model. The EDPB provided very limited alternative models for large online platforms. It requires that alternative models include an option with no processing for behavioral advertising, but gives the platforms the ability to provide different forms of advertising that involve processing limited information, such as contextual or static advertising.

When considering new potential models, the EDPB encourages large online platforms to consider three factors. The first is detriment. A user is more likely to experience detriment if a large online platform has lock-in or network effects. The second is whether there is an imbalance of power between the controller and user. To analyze whether there is an imbalance of power, controllers must consider their position in the market, the targeted audience, and whether a user relies on the service. The third is whether an appropriate fee is necessary to provide the service. Controllers should assess on a case-by-case basis whether a fee is necessary and, if so, what fee is appropriate for the service. The EDPB urges controllers to prevent the fundamental right to data protection from becoming a feature users must pay to enjoy, and to avoid creating premium services for the wealthy.

Key Takeaways 

In conclusion, when applying its factors to large online platforms, the EDPB determined that consent obtained through “consent or pay” models is not freely given. Although this opinion purportedly affects large online platforms, it is likely to create large changes in monetization strategies. For now, there may be an argument that small and mid-size businesses may rely on “consent or pay” models where there are no large discrepancies in bargaining power, and where the fees are reasonable. However, we expect more guidance from the EDPB on how this “consent or pay” opinion should be applied to small and mid-size businesses later this year.

Destiny Ginn is an Associate (*pending bar admission) at Hintze Law PLLC. Destiny has experience with global data protection issues, including data breach notification laws, privacy impact assessments, GDPR, and privacy statements.  

Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.