EDPB adopts an opinion on consent/payment models of online platforms
The European Data Protection Board (EDPB), at the request of the Dutch, Norwegian and German Data Protection Authorities, has issued an opinion on the circumstances and conditions under which 'consent or payment' models, relating to behavioral advertising, may be implemented by large online platforms in a way that constitutes valid and freely given consent (Opinion No. 8/2024).
The opinion focuses on models implemented by 'large online platforms'. Considering that the GDPR (EU Regulation No. 679/2018) does not give a precise definition of these intermediaries, the Committee first referred to Article 3(i) of the Digital Services Act (EU Regulation No. 2065/2022), which defines an 'online platform' as a hosting service that, at the request of a recipient of the service, stores and disseminates information to the public from another service (or a minor feature of the main service) which, for objective and technical reasons, cannot be used without that other service. The EDPB has, however, set out additional assessment criteria, to be applied on a case-by-case and non-exclusive basis, which are useful in determining whether a data controller should be considered a 'large online platform' in this context. These include: the ability to attract a large number of users, the market position and the ability to carry out 'large-scale' processing, assessed based on the number of users concerned, the volume of data and the geographical reach of the processing activity. The definition of 'large-scale online platforms' may also include 'gatekeepers', as defined in the Digital Markets Act (EU Regulation No. 1925/2022), i.e. companies that (i) have a significant impact on the internal market; (ii) provide a core platform service, which is an important gateway for business users to reach end-users; (iii) enjoy an established and long-lasting position in their operations, or can be expected to enjoy such a position in the near future.
In the so-called 'pay or okay' model, devised by Meta, the data controller offers data subjects a choice between two options to obtain access to an online service: the data subject can either give consent to the processing of his or her personal data for a specific purpose ('okay'), or decide to pay a fee and access the online service without having his or her personal data processed for that purpose ('pay').
The EDPB, in its opinion, emphasised the need to comply with all the requirements of the GDPR, in particular those relating to valid consent, taking into account the specific features of the concrete case: in any case, obtaining consent does not exempt the data controller from complying with all the principles outlined in Article 5 GDPR, as well as with the other obligations of the regulation - in particular, the principles of necessity and proportionality, purpose limitation, data minimisation and fairness.
Based on these considerations, the EDPB considered that, when platforms confront users with a choice between consenting to the processing of personal data for behavioral advertising purposes and paying a fee, in most cases it will not be possible to meet the GDPR requirements for valid consent. According to the Committee, offering only a paid alternative to services involving the processing of personal data for behavioral advertising purposes should not be the default solution for data controllers; instead, they should consider providing a free alternative that does not involve behavioral advertising (i.e., one with a form of advertising involving the processing of little or no personal data).
The same applies where data subjects who are unwilling to consent do not pay a fee and therefore face exclusion from the service (especially if it is prominent). The president of the EDPB, in this regard, recalled that: “data controllers should always take care to avoid turning the fundamental right to data protection into a feature that individuals must pay to enjoy. Individuals should be fully aware of the value and consequences of their choices”.
Other conditions identified by the EDPB for consent to be valid under the GDPR include:
the 'granularity', because where a 'pay or okay' model is presented, the data subject should be free to choose which purposes of processing to accept, rather than being faced with a single request for consent that lumps several together;
the non-deceptiveness, because for consent to be informed, the information process put in place by data controllers should allow data subjects to have a full and clear understanding of the value, scope, and consequences of their possible choices, considering the complexity of the processing related to behavior;
the time limitation, because although the GDPR does not set a specific time limit as to how often consent should be renewed, or how long consent can be considered to express the data subject's will, the Committee stated that this assessment must be made on a case-by-case basis;
the revocability, at any time, of all processing activities permitted by the data subject's consent.