Are consent or pay models compliant with GDPR? A new EDPB opinion explains
April 17, 2024. The European Data Protection Board (EDPB) has issued Opinion 08/2024 on the validity of consent in “pay or ok” models used by large online platforms in behavioral advertising.
The opinion, which was requested by Dutch, Norwegian and German regulators, aims to clarify under what conditions these models can be implemented.
What is a payment or consent model?
The “pay or ok” model is a business model in which users have the choice of paying a fee or agreeing to data processing.
Recently, the EDPB commented on the model’s compliance with GDPR rules for behavioral advertising by large online platforms.
Behavioral advertising is a way of displaying ads to users based on their online activity. It is based on tracking what users do online. This information is used to create a profile of the user’s interests and preferences. This allows ads to be more targeted, increasing the likelihood of engagement and conversion.
What is the problem?
The EDPB notes that most “consent or pay” models used by large online platforms do not comply with the requirements of the GDPR. The Board calls for a case-by-case assessment and urges regulators to enforce compliance with the GDPR. In doing so, it ensures that data protection remains a fundamental right, not a commodity.
The main incompatibility of “consent or pay” models with the GDPR stems from the requirement that consent be freely given (Article 4(11) of the GDPR). This article defines consent as a freely given, specific, informed and unambiguous indication of the data subject’s wishes. The data subject gives it by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to him or her.
If the user has to choose between payment and consent, consent is not truly freely given, which violates the principles of the GDPR.
How to comply with GDPR requirements in a “consent or payment” model?
“Consent or payment” models can be implemented by large online platforms in a way that constitutes valid consent only in very specific circumstances.
According to EDPB Opinion 08/2024, these models must ensure that consent is not coerced by the threat of a fee or exclusion from the service, which could mean a lack of real choice.
For the consent to be valid, the following conditions must be met:
- Freely given consent: the fee imposed, if any, should not be so high as to prevent the data subject from making a free choice.
- Specificity: data subjects should be able to consent to specific purposes of data processing, rather than an all-or-nothing choice.
- Informed consent: the information should help the user understand how the data is processed.
- Specific consent: consent must be given for one or more specific purposes.
- Equivalent alternative: if a fee is charged for the alternative without behavioral advertising, the controller should offer another, free alternative to avoid presenting users with a binary choice.
- Compliance with GDPR principles: the model must comply with all GDPR principles, including purpose limitation, data minimization, fairness, and accountability.
- Assessment of imbalance of power: the controller must assess the imbalance of power between the data subject and the controller, taking into account factors such as market position, lock-in or network effects, and dependence on the service.
Why shouldn’t personal data be a commodity?
Personal data should not be treated like a commodity, and privacy should not be a paid functionality. Accordingly, data controllers should not merely offer a paid alternative to a service that includes processing for behavioral advertising.
Instead, large online platforms should consider providing data subjects with an “equivalent alternative” that does not require payment of a fee.
Privacy by design is an approach that allows organizations to prepare reliable and compliant systems and procedures. It is worthwhile to ensure that adequate data protection policies are in place at the initial stages of any project to balance business goals and regulatory requirements.
Our team is ready to help. Contact us for support in implementing models that comply with GDPR and other data protection regulations.