21
Thu, Nov
61 New Articles

Pay-or-Okay: Guidelines of the European Data Protection Board

Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

As we wrote in our earlier article, according to the decision made by the German data protection authority at the end of last year, the use of the “pay-or-okay” principle is generally allowed. This model involves a cookie notice (via a so-called cookie banner) on a website, giving the user the choice between:

  • Consenting to the processing of personal data for personalized advertising purposes, and
  • Paying a certain amount as a subscription fee, in which case the person can use the website without activating cookies that track and analyze their behavior on the website (for displaying ads from external partners).

The practice based on this stance has sparked controversy for several reasons, the most common being that this principle contradicts the rule of freely given consent for data processing, intensifies social inequalities, and suggests that the right to data protection is a commodity that can be traded.

In current practice, opinions on the application of this principle have varied depending on the regulatory bodies and data protection experts.

In this regard, on April 17 of this year, the European Data Protection Board (“EDPB“) issued Opinion No. 08/2024, in which it provided guidelines for further actions in implementing the “pay-or-okay” model.

Guidelines

The EDPB emphasizes that personal data cannot be considered a tradeable commodity but that the right to its protection is a fundamental right that cannot be subject to payment in order to be enjoyed.

Therefore, it is first necessary to consider providing holders of this right with an “equivalent alternative,” i.e., offering an additional, free alternative, such as advertising that involves processing a smaller volume of personal data or none at all. This would significantly impact the assessment of consent validity, particularly concerning the aspect of harm.

On the other hand, the EDPB believes that the application of this principle could be considered valid only to the extent that platforms or companies can demonstrate, in accordance with the principle of accountability, that the consent obtained for processing meets all the requirements of validity.

Valid consent is one that has the following characteristics:

  1. Freely given, meaning that:
  • The individual does not suffer harm as a consequence of not giving consent or withdrawing consent, which implies that the fee is not such that it effectively prevents individuals from making a free choice, or that individuals do not face exclusion from the service if they do not agree to pay, especially in cases where the service plays an important role or is crucial for participation in social life or access to professional networks;
  • There is a balance of power between the individual and the company, where the assessment of balance considers the company’s position in the market, the extent to which individuals rely on the service, and the target audience of the service. Where there is a clear imbalance, consent can only be used in “exceptional circumstances,” and where the platform or company, in accordance with the principle of accountability, can demonstrate that there are “no harmful consequences” for the individual if they do not give consent, especially if the individual is offered an alternative that has no negative impact;
  • It meets the conditions concerning whether consent is necessary for access to goods or services if processing based on consent is not essential for the execution of the contract related to the offer of such goods or services. In this regard, individuals who refuse to give consent for certain data processing should be offered, “if necessary, for an appropriate fee, an equivalent alternative that does not involve such data processing.” This avoids conditionality. In the “equivalent alternative,” data processing that is not necessary for providing the service and relies on consent should be excluded, except when such processing also serves another legitimate purpose;
  • The fee imposed is not such that it prevents individuals from making a real choice or leads them to give consent, i.e., it should be appropriate in the given circumstances;
  • Individuals are free to choose which purpose of processing they accept, instead of facing a single consent request that combines several purposes (granularity);
  1. Informed, meaning that there is complete and clear understanding of the value, scope, and consequences of possible choices for the individual before any choice is made;
  2. An unambiguous indication of will, meaning that individuals are not exposed to deceptive design patterns. For consent to be considered clearly given for other purposes, those purposes must be actively chosen by the individual;
  3. Specific, meaning that platforms or companies must precisely define and limit the purpose of processing.

The EDPB reminds that obtaining consent does not exempt platforms or companies from the obligation to comply with other rules and principles provided by the General Data Protection Regulation 2016/679 of the European Parliament and Council (“GDPR“), including the principles from Article 5 of the GDPR.

For the application of the mentioned model, the following principles are of particular importance:

  1. Purpose limitation and data minimization necessary to achieve that purpose.
  2. Fairness, which implies assessing the impact of processing activities on individuals’ rights and dignity and providing the highest possible level of autonomy to individuals’ data.
  3. Data protection by design, which implies providing processing safeguards to meet GDPR requirements.
  4. Data protection by default, meaning that “default settings” only allow processing that is strictly necessary to achieve the set, legitimate goal.
  5. Accountability, meaning that platforms or companies must be able to demonstrate compliance with the GDPR and the aforementioned principles.

It can be expected that the EDPB guidelines will contribute to the unification of practice across Europe regarding the application of the “pay-or-okay” model. Whether this will be the case remains to be seen.

This article is for informational purposes only and does not constitute legal advice. If you require further information, feel free to contact us.

By Borinka Dobrnjac, Senior Associate, PR Legal 

PR Legal at a Glance

PR Legal is a Serbian business law firm which renders advice on a full range of corporate matters, from day-to-day legal issues to large M&A and capital-raising transactions. We provide high-quality legal services to companies, entrepreneurs, private entities, and public institutions, in a modern and pro-active manner, based on unique professional experience in high-profile transactions and disputes.

Always aiming for practical feasibility, and when necessary, dig deep in order to secure our clients’ best interests, either before the court, state authorities or counterparties. In any case, commitment is omnipresent in all our work.

We distinguish ourselves from our competitors through understanding of commercial interests considering present legal framework, by providing smart and cost-effective business solutions, and most of all by our passion for doing business.

In PR Legal we believe that exceptional results can be achieved only when talented and reliable people work together in the appropriate environment. With such approach and commitment, our focus is on teamwork and encouraging of relationships based on trust and cooperation. Investment in our people is investment in our future, which allows us to provide comprehensive and top-quality assistance to our clients.

We care about our clients, while the building of strong relationships and a culture of excellent client service remains our main compass.
Firm's website.