A recent statement from Italy’s data protection authority, the Garante, opens a new chapter in the never-ending story of profiling cookies.
In order to understand the weight of the Garante's words, we must look back to June 10, 2021, when the DPA issued a new set of cookie guidelines and changed the rules for online behavioral advertising in Italy. The Garante mandated website operators to show a cookie banner as soon as a user accesses the website and present a user-friendly option to express or deny consent. The DPA suggested the implementation of an “X” button positioned at the top right of the banner, which would refuse non-technical cookies by simply closing the banner “without having to access other ad hoc areas or pages.”
Such simple changes dramatically impact the business of multiple online operators and, in particular, the business model of publishers.
In October 2022, various digital Italian newspapers adopted a new strategy. They changed their cookie banners and presented the users with two alternative options to continue reading content: provide consent to the use of profiling cookies or pay a sum of money for a subscription.
It did not take long for a response to come from the Garante. The DPA announced it would open a series of investigations to assess each of these new paywalls for compliance with EU and Italian law. A few days after this move by the publishers, the Garante noted, “European legislation on the protection of personal data, in principle, does not exclude that the owner of a website makes users’ access to online contents subject to their consent for profiling purposes (through cookies or other tracking tools) or, alternatively, to the payment of a sum of money.”
The DPA’s 2021 cookie guidelines — regarding “cookie walls” that limit access to online content if the user does not provide consent for the reception of cookies — stressed that such mechanisms are not permitted. These limitations do not allow users to express free consent, as they are basically forced to accept the use of cookies to continue with the navigation. Notwithstanding the above, the Garante considered a possible exception: “the website controller provides the data subject with the option of accessing equivalent content or services without giving his or her consent to the storage and use of cookies or other tracking tools, which will have to be verified on a case-by-case basis.”
In its recent statement, the Garante clarified this comparable material can be provided for a fee, with the consequence that, in principle, a cookie paywall is not forbidden. Such a statement opens new scenarios on a core issue in the current data protection landscape: the monetization of personal data.
In this respect, the EU Directive on “certain aspects concerning contracts for the supply of digital content and digital services” — recently implemented in Italy — seems to consider providing digital content or services in exchange for personal data (instead of money) lawful. Recital 24 of the directive fully recognizes the protection of personal data as a fundamental right that therefore cannot be considered a commodity, but stresses that “digital content or digital services are often also supplied where the consumer does not pay a price but provides personal data to the trader,” adding that “such business models are used in different forms in a considerable part of the market.”
Now, through the proceedings on Italian publishers, the Garante can better clarify the extent to which cookie paywalls are acceptable and in line with EU and Italian law.
There are still a number of open questions, including:
- Can the consent be considered free if the publisher requires payment for a monthly subscription as an alternative to consenting to cookies as a means of access? Can it be considered a fair price?
- Can the consent provided by users be revoked at any moment, according to Article 7.3 of the EU General Data Protection Regulation?
- How long will the consent provided in order to read one article be valid? Only for that reading session or also for future access to the website?
Other national data protection authorities have already provided their views on this thorny matter. For instance, Austria’s DPA stated the following elements must be taken into account by service providers if they decide to use this “pay or okay” model:
- “Full compliance with all data protection regulations (in particular the GDPR) for data processing based on consent (‘okay’);
- they are not public authorities or other public bodies;
- no exclusivity with regard to the content or services offered, i.e. companies with an expressly public (utility) mandate or universal service provider cannot legitimately use ‘pay or okay’;
- no monopoly or quasi-monopoly position of the undertaking on the market;
- a reasonable and fair price for the payment alternative (‘pay’), i.e. the payment alternative may not be offered pro forma at a completely unrealistically high price;
- if a user accesses the website using the payment alternative, no personal data may be processed for the purpose of personalized advertising.”
France's DPA, the Commission nationale de l'informatique et des libertés, outlined the following questions — based on commonly observed practices — to be used in case-by-case assessments:
- “Does the Internet user who refuses tracers have a fair alternative to access the content?
- Paid alternative: is the price reasonable?
- Can a ‘cookie wall’ or a ‘pay wall’ systematically impose acceptance of all the tracers on the website?
- The user chooses paid access without consenting to cookies: in which (limited) cases can tracers still be used?”
Although some of the mentioned points are shared by different EU DPAs, it is quite clear there is still a high degree of uncertainty on what criteria will make cookie paywalls fully compliant with the EU legal framework.
Considering the unpredictable amount of time still needed for the adoption of the long-awaited ePrivacy Regulation, an official position of the European Data Protection Board — such as updating its guidelines on consent with particular regard to the requirements for free consent — could help the EU approach this matter consistently and be crucial for a lot of businesses.
For sure, the position adopted by EU DPAs on the cookie paywall will provide some new guidance on the broader issue of data monetization and, therefore, the lawfulness (or not) of a price for the collection of user consent.