Securiti launches Gencore AI, a holistic solution to build Safe Enterprise AI with proprietary data - easily

View

Consent or Pay : Privacy Considerations with Cookiewall-Paywall Hybrid Solution

Download: Consent Report Q2 2024
Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E

Listen to the content

In the current state of the internet and online publications, many publishers use paywalls to allow website users to access the content of the website. One of the proposed mechanisms of using paywalls is where the content of the website is available free-of-charge to website users who agree to provide their personal data. On the other hand, users who do not consent to provide their personal data are required to pay in order to access the content of the website. Such a mechanism is commonly known as the “Consent or Pay” or “Cookiewall-Paywall Hybrid” solution.

While the cookie walls have been expressly declared to be prohibited in the European legal framework, i.e. access to a service or functionality of a website cannot be made conditional on the user’s acceptance of cookies, there is no clarity as far as hybrid walls are concerned. With the growing concern of data privacy and global privacy regulations becoming stricter, the question arises whether using paywalls in combination with cookie walls is the right thing to do from a user’s privacy point of view.

In this article, we bring you the following five questions that a privacy-compliant website publisher must think about before making use of such hybrid solutions:

 

The European Union’s General Data Protection Regulation (GDPR) requires organizations to obtain express consent from the website user and not rely on continued browsing, scrolling on the domain, or pre-ticked/pre-selected checkboxes. For consent to be valid, it must be an unambiguous indication of the user’s wishes with respect to his/her personal data.

— Are you providing enough information to website users about the use of paywalls prior to obtaining their consent?

Organizations must provide information to users about the use of paywalls so that they are able to make an informed choice. This shall include providing information on the data controller’s identity, the purpose of each of the processing operations for which the consent is sought, the type of data that will be collected and used, the user’s right to withdraw consent, the recipients and categories of recipients of personal data and the information on the possible risks associated with the user’s consent.

— Are you allowing the website user to refuse to provide personal data without any detriment?

Website publishers must allow their users to refuse or withdraw their consent to their data being processed for additional purposes without imposing any negative consequences or any disadvantage on users for such refusal or withdrawal, such as lowering website service levels or charging users.

— Are you obtaining separate consent for separate types of cookie processing?

Where your service involves multiple processing operations for more than one purpose, users should be able to choose to specific purposes rather than having to choose a bundle of processing operations. Users should be able to select and deselect individual cookie types based on their purposes.

— Are two services offered to the website user genuinely equivalent?

Where
a website publisher offers its users a choice between a service that includes consenting to the use of personal data for additional purposes on the one hand and an alternate service offered by the same publisher that does not involve consenting to the use of personal data for additional purposes, such an alternate service should be genuinely equivalent and must be offered by the same data controller/website publisher.

— Are you providing an unconditional choice to the user?

Organizations must ensure that there is no compulsion on website users to agree to provide their personal data. The provision of the website service should not be made conditional on user’s consent to the processing of personal data that is not necessary for the provision of that service. As per the GDPR, consent must be freely given, specific, informed, and an unambiguous indication of the data subject’s wishes. Where any of the four elements of consent is not fulfilled, such consent is not considered valid. While the European Data Protection Board (EDPB) does not explicitly address cookiewall-paywall hybrid solutions, we look to  the new draft of the e-Privacy Regulation which currently expressly prohibits the use of cookie walls, as indicated in the table below. Such an extreme interpretation of cookie walls puts the cookiewall-paywall hybrid into question and could end up being financially taxing for businesses. In such a situation, organizations have to stay cautious until the EDPB clarifies the legality of paywalls that have cookie walls
incorporated within them. Read about the new EU e-Privacy Regulation draft here.

Europe Flag icon
European Data Protection Board (Europe)
Access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so-called cookie walls).
italy flag icon
Commission Nationale Informatique & Libertés (France)
The use of cookie walls undermines an individual’s freedom of consent and therefore, the lawfulness of cookie walls must be assessed on a case-by-case basis.
ireland flag icon
Data Protection Commission (Ireland)
Users should not suffer any detriment where they reject cookies or other tracking technologies, other than to the degree that certain functionality on the websites concerned may be impacted by that rejection.
france flag icon
Autoriteit Persoonsgegevens (Netherlands)
The use of cookie walls violates GDPR.
Agencia Española de Protección de Datos (Spain)
Cookie walls can be used only if the user is properly informed about it, alternative access to the service is offered to the user without requiring him/her to accept the cookies, the services of both alternatives offered to the user are genuinely equivalent, and the alternatives must be offered by the same website publisher and not by any other entity.
uk flag icon
Information Commissioner’s Office (UK)
Cookie walls should not be used if the use of a cookie wall is intended to require, or influence, users to agree to their personal data being used by the data controller or any third parties as a condition of accessing the service. Individuals should be provided with a genuine free choice.

 

Read EDPB’s Updated Guidelines on Consent.


How Securiti can help?

Securiti’s Cookie Consent Management Solution enables organizations to build cookie consent notices in accordance with the applicable legal requirements with cookie auto-blocking, periodic scanning, and preference center features. Securiti’s Universal Consent Management Solution with its PrivacyOps methodology and automation captures consent and automates revocation fulfillment.

Schedule Your
Personal Demo

Learn how you can leverage Securiti’s Data Command Center to address data security, privacy, governance, and compliance.

See a demo
Schedule your demo today

Ask for a DEMO to understand how Securiti can help you comply with GDPR, EDPB’s Guidelines on Consent, and a whole host of other global privacy laws and regulations, with ease.


Frequently Asked Questions (FAQs)

A cookie wall is a pop-up or overlay on a website that requires users to consent to the use of cookies before they can access the site's content. An example is a website that displays a message stating, "To continue, you must accept our use of cookies."

Cookie walls are a subject of debate in the context of privacy regulations. In some regions, such as the European Union, using non-essential cookies without freely given consent may not comply with data protection laws. However, the legality of cookie walls can vary depending on local regulations.

A cookie paywall is a variation of a cookie wall where users have the option either to accept the cookies or pay a fee or subscription payment to access content or services.

The legality of cookie paywalls, like cookie walls, can depend on local privacy regulations. Some regions may consider them acceptable, while others may have restrictions on their use, particularly if they limit access to essential services.

A cookie wall is a more intrusive mechanism restricting access to a website or content until the user consents to cookies. In contrast, a cookie banner is a less intrusive notification informing users about cookie usage but allowing them to proceed to the website's content without requiring consent. Users can usually make choices about cookies in cookie banners.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share


More Stories that May Interest You

What's
New