On 30 November 2018, the Austrian Data Protection Authority (“DPA”) decided that the website of an online media publisher – which offers users the option to either consent to advertising cookies or pay for a subscription – gives users a free choice that is compatible with the requirements of consent under the GDPR. (The decision is available in German here.)

Background. The Austrian publisher in question set up a functionality on its website whereby users are given the option to either: (i) consent to advertising cookies and receive full access to website’s content; (ii) refuse consent and receive partial access to the website’s content; or, (iii) pay for a subscription to receive full access to the website’s content for 6 euros/ month and not be tracked by any advertising cookies, third-party scripts, or social media plug-ins (unless the user chooses to personally re-activate these features).

Complaint. The complainant argued that the website did not meet the requirements for voluntary consent under the GDPR because (i) the provision of the service was subject to the user’s consent to process personal data, and (ii) the tracking of personal data was technically not necessary for the provision of the service, since the publisher also offered a paid version with no tracking. The complainant further argued that his right to oppose the tracking had been violated since, even after refusing to give consent, a non-essential cookie still operated and could not be opted-out.

Austrian DPA’s Decision and Analysis. The Austrian DPA dismissed the complaint. In its decision, the DPA pointed out that media companies have relied on advertising as a source of revenue for decades, and in the context of online publishing this is often the only source of revenue. The DPA also took note of the fact that the publisher had developed a privacy-conscious product that offered a pay-for-subscription/ tracking-free option for users. Notably, the DPA stated that:

“The requirement of voluntary consent could not lead to media companies having to provide their services free of charge, especially since online advertising without data-based control would not allow refinancing in the current market environment.”

The DPA further explained that involuntary consent occurs when a data subject is placed at a disadvantage. Referring to the Article 29 Working Party’s Guidelines on Consent, the DPA considered the criteria for “disadvantage” in this context, which may exist when there is a risk of deception, intimidation, coercion or significant negative consequences. The DPA found that the subscription option for 6 euros/ month was not a disproportionately expensive alternative, and in any event, users are free to simply choose another online publisher. In the view of the DPA, neither of these possible outcomes constituted a “significant negative consequence.”

Finally, the DPA also addressed the complainant’s argument about the non-essential cookie script which continued to operate after consent was revoked. The DPA found this point was moot because the publisher had fixed this issue during the course of the DPA’s review of the case.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing…

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.