Consent or Pay: Privacy Considerations with Cookiewall-Paywall Hybrid Solution

By Anas Baig | Reviewed By Maria Khan
Published February 2, 2021

In the current state of the internet and online publications, many publishers use paywalls to allow website users to access the content of the website. One of the proposed mechanisms of using paywalls is where the content of the website is available free-of-charge to website users who agree to provide their personal data. On the other hand, users who do not consent to provide their personal data are required to pay in order to access the content of the website. Such a mechanism is commonly known as the “Consent or Pay” or “Cookiewall-Paywall Hybrid” solution.

While cookie walls have been expressly declared prohibited in the European legal framework, i.e. access to a service or functionality of a website cannot be made conditional on the user’s acceptance of cookies, there is no clarity as far as hybrid walls are concerned. With growing concern over data privacy and global privacy regulations becoming stricter, the question arises whether using paywalls in combination with cookie walls is the right thing to do from a user’s privacy point of view.

In this article, we bring you the following five questions that a privacy-compliant website publisher must think about before making use of such hybrid solutions:

 

The European Union’s General Data Protection Regulation (GDPR) requires organizations to obtain express consent from the website user and not rely on continued browsing, scrolling on the domain, or pre-ticked/pre-selected checkboxes. For consent to be valid, it must be an unambiguous indication of the user’s wishes with respect to his/her personal data.

— Are you providing enough information to website users about the use of paywalls prior to obtaining their consent?

Organizations must provide information to users about the use of paywalls so that they are able to make an informed choice. This shall include providing information on the data controller’s identity, the purpose of each of the processing operations for which the consent is sought, the type of data that will be collected and used, the user’s right to withdraw consent, the recipients and categories of recipients of personal data and the information on the possible risks associated with the user’s consent.

— Are you allowing the website user to refuse to provide personal data without any detriment?

Website publishers must allow their users to refuse or withdraw their consent to their data being processed for additional purposes without imposing any negative consequences or any disadvantage on users for such refusal or withdrawal, such as lowering website service levels or charging users.

— Are you obtaining separate consent for separate types of cookie processing?

Where your service involves multiple processing operations for more than one purpose, users should be able to choose specific purposes rather than having to accept a bundle of processing operations. Users should be able to select and deselect individual cookie types based on their purposes.

— Are two services offered to the website user genuinely equivalent?

Where a website publisher offers its users a choice between a service that includes consenting to the use of personal data for additional purposes on the one hand and an alternate service offered by the same publisher that does not involve consenting to the use of personal data for additional purposes, such an alternate service should be genuinely equivalent and must be offered by the same data controller/website publisher.

— Are you providing an unconditional choice to the user?

Organizations must ensure that there is no compulsion on website users to agree to provide their personal data. The provision of the website service should not be made conditional on the user’s consent to the processing of personal data that is not necessary for the provision of that service. As per the GDPR, consent must be freely given, specific, informed, and an unambiguous indication of the data subject’s wishes. Where any of the four elements of consent is not fulfilled, such consent is not considered valid.

While the European Data Protection Board (EDPB) does not explicitly address cookiewall-paywall hybrid solutions, we look to the new draft of the e-Privacy Regulation, which currently expressly prohibits the use of cookie walls, as indicated in the table below. Such an extreme interpretation of cookie walls puts the cookiewall-paywall hybrid into question and could end up being financially taxing for businesses. In such a situation, organizations have to stay cautious until the EDPB clarifies the legality of paywalls that have cookie walls incorporated within them. Read about the new EU e-Privacy Regulation draft here.

European Data Protection Board (Europe): Access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so-called cookie walls).

Commission Nationale Informatique & Libertés (France): The use of cookie walls undermines an individual’s freedom of consent and therefore, the lawfulness of cookie walls must be assessed on a case-by-case basis.

Data Protection Commission (Ireland): Users should not suffer any detriment where they reject cookies or other tracking technologies, other than to the degree that certain functionality on the websites concerned may be impacted by that rejection.

Autoriteit Persoonsgegevens (Netherlands): The use of cookie walls violates GDPR.

Agencia Española de Protección de Datos (Spain): Cookie walls can be used only if the user is properly informed about it, alternative access to the service is offered to the user without requiring him/her to accept the cookies, the services of both alternatives offered to the user are genuinely equivalent, and the alternatives must be offered by the same website publisher and not by any other entity.

Information Commissioner’s Office (UK): Cookie walls should not be used if the use of a cookie wall is intended to require, or influence, users to agree to their personal data being used by the data controller or any third parties as a condition of accessing the service. Individuals should be provided with a genuine free choice.

 

Read EDPB’s Updated Guidelines on Consent.


How Can Securiti Help?

Securiti’s Cookie Consent Management Solution enables organizations to build cookie consent notices in accordance with the applicable legal requirements with cookie auto-blocking, periodic scanning, and preference center features. Securiti’s Universal Consent Management Solution with its PrivacyOps methodology and automation captures consent and automates revocation fulfillment.


Ask for a DEMO to understand how Securiti can help you comply with GDPR, EDPB’s Guidelines on Consent, and a whole host of other global privacy laws and regulations, with ease.


Frequently Asked Questions (FAQs)

A cookie wall is a pop-up or overlay on a website that requires users to consent to the use of cookies before they can access the site's content. An example is a website that displays a message stating, "To continue, you must accept our use of cookies."

Cookie walls are a subject of debate in the context of privacy regulations. In some regions, such as the European Union, using non-essential cookies without freely given consent may not comply with data protection laws. However, the legality of cookie walls can vary depending on local regulations.

A cookie paywall is a variation of a cookie wall where users have the option either to accept the cookies or pay a fee or subscription payment to access content or services.

The legality of cookie paywalls, like cookie walls, can depend on local privacy regulations. Some regions may consider them acceptable, while others may have restrictions on their use, particularly if they limit access to essential services.

A cookie wall is a more intrusive mechanism restricting access to a website or content until the user consents to cookies. In contrast, a cookie banner is a less intrusive notification informing users about cookie usage but allowing them to proceed to the website's content without requiring consent. Users can usually make choices about cookies in cookie banners.
