News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Are cookies a new currency for the online world? Related reading: The way the third-party cookie crumbles: Part 1 – EU and UK developments

rss_feed

""

A recent statement from Italy’s data protection authority, the Garante, opens a new chapter in the never-ending story of profiling cookies.

In order to understand the weight of the Garante's words, we must look back to June 10, 2021, when the DPA issued a new set of cookie guidelines and changed the rules for online behavioral advertising in Italy. The Garante mandated website operators to show a cookie banner as soon as a user accesses the website and present a user-friendly option to express or deny consent. The DPA suggested the implementation of an “X" button positioned at the top right of the banner, which would refuse non-technical cookies simply closing the banner “without having to access other ad hoc areas or pages.”

Such simple changes dramatically impact the business of multiple online operators and, in particular, the business model of publishers.

In October 2022, various digital Italian newspapers adopted a new strategy. They changed their cookie banners and presented the users with two alternative options to continue reading content: provide consent to the use of profiling cookies or pay a sum of money for a subscription.

It did not take long for a response to come from the Garante. The DPA announced it would open a series of investigations to assess each of these new paywalls for compliance with EU and Italian law. A few days after this move by the publishers, the Garante noted, "European legislation on the protection of personal data, in principle, does not exclude that the owner of a website makes users’ access to online contents subject to their consent for profiling purposes (through cookies or other tracking tools) or, alternatively, to the payment of a sum of money.”

The DPA’s 2021 cookie guidelines — regarding “cookie walls” that limit access to online content if the user does not provide consent for the reception of cookies — stressed that such mechanisms are not permitted. These limitations do not not allow users to express a free consent, as they are basically forced to accept the use of cookies to continue with the navigation. Notwithstanding the above, the Garante considered a possible exception: “the website controller provides the data subject with the option of accessing equivalent content or services without giving his or her consent to the storage and use of cookies or other tracking tools, which will have to be verified on a case-by-case basis.”

In its recent statement, the Garante clarified this comparable material can be provided for a fee, with the consequence that, in principle, a cookie paywall is not forbidden. Such a statement opens new scenarios on a core issue in the current data protection landscape: the monetization of personal data.

In this respect, the EU Directive on "certain aspects concerning contracts for the supply of digital content and digital services” — recently implemented in Italy — seems to consider providing digital content or services in exchange for personal data (instead of money) lawful. Recital 24 of the directive fully recognizes the protection of personal data as a fundamental right that therefore cannot be considered a commodity, but — stresses “digital content or digital services are often also supplied where the consumer does not pay a price but provides personal data to the trader,” adding that “such business models are used in different forms in a considerable part of the market.”

Now, through the proceedings on Italian publishers, the Garante can better clarify the extent to which cookie paywalls are acceptable and in line with EU and Italian law.

There are still a number of open questions, including:

  • Can the consent be considered free if the publisher requires payment for a monthly subscription as an alternative to consenting to cookies as a means of access? Can it be considered a fair price?
  • Can the consent provided by users be revoked at any moment, according to Article 7.3 of the EU General Data Protection Regulation?
  • How long will the consent provided in order to read one article be valid? Only for that reading session or also for future access to the website?

Other national data protection authorities have already provided their views on this thorny matter. For instance, Austria’s DPA stated the following elements must be taken into account by service providers if they decide to use this "pay or okay" model:

  • “Full compliance with all data protection regulations (in particular the GDPR) for data processing based on consent (‘okay’);
  • they are not public authorities or other public bodies;
  • no exclusivity with regard to the content or services offered, i.e. companies with an expressly public (utility) mandate or universal service provider cannot legitimately use ‘pay or okay’;
  • no monopoly or quasi-monopoly position of the undertaking on the market;
  • a reasonable and fair price for the payment alternative (‘pay’), i.e. the payment alternative may not be offered pro forma at a completely unrealistically high price;
  • if a user accesses the website using the payment alternative, no personal data may be processed for the purpose of personalized advertising.”

France's DPA, the Commission nationale de l'informatique et des libertés, outlined the following questions — based on commonly observed practices — to be be used in case-by-case assessments:

  • “Does the Internet user who refuses tracers have a fair alternative to access the content?
  • Paid alternative: is the price reasonable?
  • Can a ‘cookie wall’ or a ‘pay wall’ systematically impose acceptance of all the tracers on the website?
  • The user chooses paid access without consenting to cookies: in which (limited) cases can tracers still be used?”

Although some of the mentioned points are shared by different EU DPAs, it is quite clear there is still a high degree of uncertainty on what criteria will make cookie paywalls fully compliant with the EU legal framework.

Considering the unpredictable times still needed for the adoption of the long-awaited ePrivacy Regulation, an official position of the European Data Protection Board — such as updating its guidelines on consent with particular regard to the requirements for a free consent — could help the EU approach this matter consistently and be crucial for a lot of businesses.

For sure, the position adopted by EU DPAs on the cookie paywall will provide some new guidance on the broader issue of data monetization and, therefore, the lawfulness (or not) of a price for the collection of user consent.


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Author
Headshot Massimiliano Pappalardo, CIPP/E IAPP Member Contributor
Tags
Big Data
Content Moderation
Enforcement
Internet of Things
Privacy Law
1 Comment

If you want to comment on this post, you need to login.

  • comment Oliver Kindzorra • Dec 7, 2022 
    Privacy is a fundamental right and GDPR is clear about it, that personal data should never be used as a currency. That makes paywalls as described unlawful in my opinion, especially if they just replicate agency messages and publically available information. And Mr. Schrems has the same opinion, as he reported 220 paywall user to data authorities and is on a crusade right now about this particular topic. You can find more information about that on the NOYB website. However, there is one case, and one case ony, where I would agree about the lawfulness of a paywall and that is when it comes to in-depth, detailed content like studies, whitepapers and alike. Such a content is a lot of work and authors needs to be paid for that work. But for the normal news, not so much, as it can be compensated by other income sources.
Related Stories
Measuring the carbon footprint of browsing cookies
Advertising technology is the main revenue stream forming the economic connective tissue of the internet. But as the world struggles to transition from fossil fuels to create energy, what that energy powers is drawing more and more scrutiny. This reality led Barcelona artist and digital researcher ...
Read More queue Save This
Related Stories
Tags
Big Data
Content Moderation
Enforcement
Internet of Things
Privacy Law
Recent Comments