Is the “Pay-or-Okay” Cookie Principle Allowed?


April 03, 2024

According to a decision made by the German data protection authority (“DPA”) at the end of last year, the use of the “pay-or-okay” system is generally permitted. This system involves providing users with a choice through a cookie notice (also known as a cookie banner) on a website between:

  • consenting to the processing of personal data for personalized advertising purposes; and
  • paying a subscription fee, in which case the individual can use the website without cookies that track and analyze their behavior on the site for the purpose of displaying ads from external partners.

Of course, in each specific case, a range of other conditions must also be met for such a cookie notice to be considered compliant with regulatory requirements, i.e., for consent to the processing of personal data to be deemed valid.

Case details

In this specific case, an investigation conducted by the competent DPA after several complaints were filed against the data controller, including one filed by NOYB (a well-known privacy activist organization), led to the conclusion that the data controller violated GDPR provisions by:

  • installing cookies that were not strictly necessary for the functioning of the website on the user’s device immediately upon access, i.e., before the user had interacted with the cookie notice;
  • not providing all relevant information in the cookie notice, nor clearly indicating which information is relevant for users accessing the website in general mode versus those subscribed to the content;
  • using the term “I accept” instead of “I consent” within the cookie notice, which may give users the impression that they have no freedom of choice.

Specifically, the DPA pointed out that the first layer of the cookie notice must clearly state at least the following information for consent to the use of cookies, and consequently to the processing of personal data, to be considered valid:

  • the purpose of processing;
  • information on whether personal data is used for profiling individuals;
  • information on whether personal data is transferred outside the European Economic Area (EEA);
  • the number of other data controllers to whom data is disclosed.

However, the DPA took the position that the “pay-or-okay” system itself is not inherently contrary to the GDPR, citing the criteria of the German Data Protection Conference, according to which such an approach is acceptable if the relevant information is communicated transparently to users, granular consent and its revocation are possible at any time, and the processing complies with the GDPR’s processing principles.

Legal framework

By acting in the manner described, the data controller violated Article 6(1)(a) of the GDPR, under which the processing of personal data is lawful, among other grounds, if the data subject has consented to the processing for one or more specific purposes. Consent must, of course, be given before the processing itself begins.

In addition, the DPA referred to European Data Protection Board (“EDPB”) Guidelines 05/2020 on Regulation 2016/679, according to which consent must be “granular”, i.e., specific to individual processing purposes and actions. That was not the case here: website users did not have sufficient information and were unable to choose between processing purposes and actions, but had to give broad or undefined consent.

Position of the Spanish DPA (“AEPD”) regarding “cookie walls”

A cookie wall serves as a barrier on websites, denying access to users who do not consent to all cookies and trackers present on the site. Essentially, users face a “take it or leave it” scenario where they must agree to marketing cookies and similar tracking technologies or be barred from accessing the website and its services entirely.

However, the EDPB’s guidelines on valid consent, issued in May 2020, categorize cookie walls as an improper method for websites to obtain user consent for processing personal data and using cookies.

The Spanish position on cookie walls closely mirrors the EDPB guidelines on consent: users should have access to services and features without being compelled to accept cookies, ensuring that consent is freely given and not coerced.

The AEPD underscores that cookie walls pose particular issues when users are denied access to a website while attempting to exercise a legal right, such as unsubscribing from a service.

Additionally, the AEPD guidelines stipulate that simply scrolling through a website does not constitute valid consent; consent must be explicitly and unambiguously indicated by the user.

Should a website choose to implement a cookie wall, it must provide an alternative method for accessing the service that does not necessitate cookie acceptance. This ensures that consent is not obtained by restricting access to services.

According to the AEPD’s updated guidelines on cookie walls from 2020, this alternative method does not necessarily have to be free of charge. Offering a subscription model or a paid service without cookies is considered a viable approach under Spanish cookie regulations.

“Pay-or-Okay” principle and META company case

However, other interpretations of the GDPR consider the “pay-or-okay” system controversial, arguing that the choice between paying for data protection and consenting to the processing of that data can be problematic, as it may pressure users to choose between their rights and access to certain services or functions.

Recently, public attention has been drawn to the META company precisely because of its “pay-or-okay” principle, under which users are charged for data protection and are otherwise deemed to have consented to the use of their data for marketing purposes.

This practice has sparked debate and controversy for several reasons, the most commonly cited being:

  • the obligation to pay for data protection directly contradicts the rule that consent to the processing of personal data is valid only if freely given;
  • models like the “pay-or-okay” principle can intensify social inequalities, as they imply that those who are financially less capable may be forced to compromise their privacy in order to use certain services, whereas privacy should be the right of every user, not a privilege available only to those who can pay (such a practice could even be considered discrimination);
  • data protection is a right, not a commodity or something to be traded.

Based on the above, opinions on the “pay-or-okay” principle vary among regulatory bodies as well as data protection experts.

This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.