Earlier this year, I was looking for information on a well-known Spanish news website. I clicked to enter the website and I was greeted with a cookie banner that gave me two options:
- Navegación gratuita mediante la aceptación de cookies (Free browsing through acceptance of cookies)
- Suscribirme y rechazar (Subscribe and decline)
Basically, do you want to pay for this website with money or with your personal details?
Written by Abigail Sked
Paralegal
The rise of the 'consent or pay' model
Since the beginning of this year, many Spanish websites have implemented similar “cookie banners”, and really, it’s no surprise. In the Spanish Data Protection Agency (AEPD)’s 2024 guide on the use of cookies, it is stated that in order to gain the consent of their users to install cookies that are not strictly necessary on their computers, companies must offer “an alternative, not necessarily free of charge, way to access the service without the need to accept the use of cookies” (the italics have been added by us). This mirrors the Judgement of the Court of Justice of the European Union of 4 July 2023, Meta Platforms Inc v Bundeskartellamt, C-252/21, which stated that “users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations” (para 150).
However, a new Opinion (08/2024) adopted by the European Data Protection Board suggests that "consent or pay" models should offer real choice. More on that below.
Firstly, if you’re not sure about what cookies are and how they may be used, you might find our frequently asked questions about cookies useful.
Cookies: Frequently Asked Questions
What are cookies?
The AEPD describes cookies as “any type of data storage and retrieval device that is used in a user's terminal equipment (the device from which they access the service) for the purpose of storing information and retrieving information already stored”.
How can different types of cookies be categorised?
Cookies can be split into different categories based on their provenance, duration and purpose:
Provenance:
- First-party cookies: These cookies are put on your device directly by the website you are visiting.
- Third-party cookies: These are the cookies that are placed on your device, not by the website you are visiting, but by a third party like an advertiser or an analytic system.
Duration:
- Session cookies: These cookies are temporary; they only survive as long as you keep your browser open (or until your session ends). They’re usually used to store information that’s only relevant for the provision of the service requested by the user on a single occasion (e.g. a list of products purchased).
- Persistent cookies: These are the cookies which remain on your hard drive until you delete them, or your browser does, depending on the cookie’s expiration date (they could in theory last for a few minutes or a few years). It is advisable to reduce the lifespan of cookies to the minimum time necessary to accomplish their purpose.
Note: In order for a cookie to be exempt from the duty of informed consent, its expiry must be related to its purpose. As a result, session cookies are much more likely to be exempt than persistent cookies.
Purpose:
- Technical/Strictly necessary cookies: These are the cookies that allow the user to browse a website, platform or application and use the different options or services that exist on it.
- Preference/personalisation/functionality cookies: These are cookies which allow information to be remembered so that one person’s user experience may differ from that of another user (language, region from which they access the service, number of search results shown, etc.).
- Analysis/statistic/performance cookies: Those which allow the party responsible for them to monitor and analyse the behaviour of users of the websites to which they are linked, including the measurement of the impact of advertisements.
- Behavioural advertising cookies: These cookies store information on user behaviour obtained through continuous observation of their browsing habits, allowing a specific profile to be developed on which the advertising displayed will be based.
These commonly used categories are offered as a guideline. However, publishers and third parties may establish whichever categorisations they consider best suit the purposes of the cookies they use and which respect the principle of transparency vis-à-vis users.
As a company that uses cookies, what are my obligations towards the users of my website?
The legal obligations imposed by the regulation are twofold: the obligation of transparency and the obligation to obtain consent.
Are any cookies exempt from these obligations?
Strictly necessary cookies, that is, those which only allow communication between the user’s equipment and the network or which are only used to provide a service that was expressly required by the user, are exempt from these regulations. The AEPD provides these examples of exempt cookies:
- User login cookies
- User authentication or identification cookies (session cookies only)
- User security cookies
- Media player session cookies
- Load balancing session cookies
- User interface customisation cookies
- Certain plug-in cookies for sharing social media content
However, in the spirit of the transparency principle of the GDPR, it is still advisable to inform users of the use of these cookies.
What information do I need to provide to the users and when?
You should provide this information to the user before the use of cookies begins, so in most cases this will mean as soon as they click onto your website. The information needs to be clear, concise, easy to understand for your target audience and easy to find, which is why “cookie banners” are so useful. They pop up on the screen, so the user can’t avoid the information. They provide a concise summary of the key information, a clear choice to accept or reject the cookies, and a link to your website’s cookie policy where the user can find more complete information.
Your clearly marked cookie banner should include:
- Identification of the publisher responsible for the website
- Identification of the purposes of the cookies that are used
- Information about whether the cookies are first-party or third-party cookies (although it’s not necessary to state who these third parties are here)
- General information about the types of data that will be collected and used if you will be creating user ‘profiles’ with this data
- The way in which the user can accept, deny or change the settings of the use of cookies
- A clearly visible link to the cookie policy
Whereas your cookie policy should include the following information:
- Definition and general functions of the cookies
- Information about the types of cookies that will be used and their purposes
- Identification of the parties who will use the cookies
- Information about the way to accept, deny or revoke consent to the use of cookies
- If applicable, information about the transfers of data to third countries carried out by the website publisher
- In the case of data usage for profiling which involves automated decision making with legal or similar effects for the users, you will need to inform them of the logic used to make these decisions and the foreseeable importance and consequences of this data processing.
- The retention period of the data
- For other information which is required by the GDPR but which does not specifically relate to cookies, you can refer to your privacy policy.
How can I obtain user consent?
You have to be a bit careful because mere inaction (such as continuing to browse the website or consulting the cookie policy) is not a valid demonstration of consent. The easiest and most transparent way to obtain consent is by asking users to click a button that says something like “I consent” or “I accept”.
You’ll want to bear the following aspects in mind:
- The user must have carried out a clear affirmative action
- It should be made clear to the user what action needs to be taken to consent
- The user should have the ability to accept or reject cookies
- The information about cookies supplied to the user at the time of asking for consent should be separated from information about other topics.
- Acceptance of the terms and conditions of the website should be separated from privacy policy or cookie policy consent
- If the content of your website is aimed at children under 14 years old, reasonable effort should be made to ensure that the consent was given by their parent or guardian.
- Users should be able to revoke their consent at any time and it should be as easy to do so as it was to give their consent.
Obligations of data controllers: Cookie controversy
The obligations on those who use cookies are twofold: the obligation of transparency and the obligation to obtain consent when using cookies that are not strictly necessary for the provision of the service requested by the user.
The controversial issue that arises as a result of these “consent or pay” models concerns the possibility of denying access to a service to those who reject cookies.
So-called “cookie walls”, which offer no alternative to the acceptance of cookies, are not allowed.
In addition, certain individuals should be protected from these types of banners. For example, companies should be especially wary of creating any form of barrier to access when their service relates to the exercising of a legally recognised right and perhaps their website presents the only way to exercise that right. Similarly, children should not be subject to behavioural advertising, and by extension, should not be confronted with ‘consent or pay’ models seeking consent for such processing.
However, the AEPD foresees certain situations in which not accepting cookies could lead to reduced functionality or access to a website, as long as the user is informed of this and is offered a not necessarily free alternative which would not require them to accept cookies and which is, as far as possible, equivalent to the version with cookies.
So, consent or pay models, such as the one at the beginning of this article, should be legal, right? Well, not necessarily, especially if the company is a large online platform making use of behavioural advertising cookies.
What is the European Data Protection Board's opinion on 'consent or pay' models?
Behavioural advertising by large online platforms
The European Data Protection Board (EDPB) takes issue with large online platforms (defined in section 2.1.3. of Opinion 08/2024) confronting users with a choice between consenting to the processing of their personal data for behavioural advertising purposes and paying a fee.
Cookies used for behavioural advertising (‘advertising that is based on the observation of the behaviour of individuals over time’) are viewed by many as the most intrusive because they can be used, along with data actively provided by the user, to build up a very detailed picture of your personal life and who you are as a person (your likes and dislikes, your daily schedule, your profession, your relationship status, your age range and other demographic data, etc).
Paid alternatives should not be the default
Therefore, the EDPB states: “The offering of (only) a paid alternative to the service which includes processing for behavioural advertising purposes should not be the default way forward for controllers… If controllers choose to charge a fee for access to the ‘equivalent alternative’, controllers should consider also offering a further alternative, free of charge, without behavioural advertising, e.g. with a form of advertising involving the processing of less (or no) personal data.”
What might that look like?
If we use the example given at the beginning of this article, the company might consider offering more clarification and a third option for their cookie banners, for example:
- Free browsing through acceptance of content personalisation and behavioural advertising cookies.
- Free browsing through acceptance of content personalisation cookies.
- Subscribe and reject all cookies.
Importance of freely-given consent to data processing
In all instances in which the processing of personal data relies on consent, that consent must be freely given. If the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. Therefore, large online platforms will need to assess on a case-by-case basis whether their position in the market, the service they provide and the way in which they have requested consent will cause users to feel compelled to pay the fee in order to access their service. They might want to ask themselves the following questions to determine this:
- Would the decision not to consent lead the individual to suffer negative consequences, such as exclusion from a prominent service, lack of access to professional networks, or risk of losing content or connections?
- Is there an imbalance of power between the individual and us, the data controller?
- What is our position in the market?
- Who is our target audience?
- Might the individual rely on this service?
- Has the individual been given the ability to consent to different processing operations (such as those related to the functionality of the service and those related to behavioural advertising) rather than bundling them all together?
So, are 'consent or pay' cookie models legal?
Remember that this Opinion of the EDPB only applies directly to large online platforms, but it may serve as guidance for others. The EDPB concludes its Opinion by stating that consent collected by large online platforms in the context of ‘pay-or-consent’ models relating to behavioural advertising may only be considered valid to the extent that such platforms can demonstrate that all of the relevant requirements for valid consent (freely given, informed, specific, unambiguous indication of wishes) are met, as well as that all of the principles of the GDPR (purpose limitation and data minimisation, fairness, accountability and data protection by design and default) are complied with.