Earlier this year, I was looking for information on a well-known Spanish news website. I clicked to enter the website and I was greeted with a cookie banner that gave me two options:
Basically, do you want to pay for this website with money or with your personal details?
Paralegal
Since the beginning of this year, many Spanish websites have implemented similar “cookies banners”, and really, it’s no surprise. In the Spanish Data Protection Agency (AEPD)’s 2024 guide on the use of cookies, it is stated that in order to gain the consent of their users to install cookies that are not strictly necessary on their computers, companies must offer “an alternative, not necessarily free of charge, way to access the service without the need to accept the use of cookies" (the italics have been added by us). This mirrors the Judgement of the Court of Justice of the European Union of 4 July 2023, Meta Platforms Inc v Bundeskartellamt, C-252/21 which stated that “users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations” (para 150).
However, a new Opinion (08/2024) adopted by the European Data Protection Board suggests that "consent or pay" models should offer real choice. More on that below.
Firstly, if you’re not sure about what cookies are and how they may be used, you might find our frequently asked questions about cookies useful.
The obligations on those who use cookies are twofold: the obligation of transparency and the obligation to obtain consent when using cookies that are not strictly necessary for the provision of the service requested by the user.
The controversial issue that arrises as a result of these “consent or pay” models regards the posibility of denying access to a service to those who reject cookies.
So called “cookie walls” which offer no alternative to the acceptance of cookies are not allowed.
In addition, certain individuals should be protected from these types of banners. For example, companies should be especially wary of creating any form of barrier to access when their service relates to the exercising of a legally recognised right and perhaps their website presents the only way to exercise that right. Similarly, children should not be subject to behavioural advertising, and by extension, should not be confronted with ‘consent or pay’ models seeking consent for such processing.
However, the AEPD foresees certain situations in which not accepting cookies could lead to reduced functionality or access to a website, as long as the user is informed of this and is offered a not necessarily free alternative which would not require them to accept cookies and which is, as far as possible, equivalent to the version with cookies.
So, consent or pay models, such as the one at the beginning of this article, should be legal, right? Well, not necessarily, especially if the company is a large online platform making use of behavioural advertising cookies.
The European Data Protection Board (EDPB) takes issue with large online platforms (defined in section 2.1.3. of Opinion 08/2024) confronting users with a choice between consenting to the processing of their personal data for behavioural advertising purposes and paying a fee.
Cookies used for behavioural advertising (‘advertising that is based on the observation of the behaviour of individuals over time’) are viewed by many as the most intrusive because they can be used, along with data actively provided by the user, to build up a very detailed picture of your personal life and who you are as a person (your likes and dislikes, your daily schedule, your profession, your relationship status, your age range and other demographic data, etc).
Therefore, the EDPB states: “The offering of (only) a paid alternative to the service which includes processing for behavioural advertising purposes should not be the default way forward for controllers… If controllers choose to charge a fee for access to the ‘equivalent alternative’, controllers should consider also offering a further alternative, free of charge, without behavioural advertising, e.g. with a form of advertising involving the processing of less (or no) personal data.”
If we use the example given at the beginning of this article, the company might consider offering more clarification and a third option for their cookie banners, for example:
In all instances in which the processing of personal data relies on consent, that consent must be freely given. If the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. Therefore, large online platforms will need to assess on a case-by-case basis whether their position in the market, the service they provide and the way in which they have requested consent will cause users to feel compelled to pay the fee in order to access their service. They might want to ask themselves the following questions to determine this:
Remember that this Opinion of the EDPB only applies directly to large online platforms, but it may serve as guidance for others. The EDPB concludes it’s Opinion by stating that consent collected by large online platforms in the context of ‘pay-or-consent’ models relating to behavioural advertising may only be considered valid to the extent that such platforms can demonstrate that all of the relevent requirements for valid consent (freely given, informed, specific, unambiguous indication of wishes) are met, as well as that all of the principles of the GDPR (purpose limitation and data minimisation, fairness, accountability and data protection by design and default) are complied with.
Do you need a cookie policy drafted? We can help you. Check out our data protection services: