On March 22, 2023, the German Conference of Independent Supervisory Authorities (“SAs”) adopted an opinion on websites that offer users a choice between (i) a free version that tracks users’ behavior or (ii) a (usually paid) version that does not track users’ behavior.
The opinion states that this dual approach is acceptable if the following two conditions are met:
- The free version (which involves tracking) generally requires user consent, unless the tracking can be based on another legal basis. The consent must meet GDPR requirements (i.e., freely given, specific, informed, and affirmative). The consent should not be bundled — i.e., cover the processing of personal data for different purposes, unless those purposes are “closely related.” Unfortunately, the opinion does not give examples of “closely related” purposes. The free service must allow users to opt-in separately to each (different) data processing purpose.
- The paid version (without tracking) must be essentially equivalent to the free version. A paid version is an “equivalent alternative” to a free version when users receive equivalent access to the same service “at least in principle” and the access is offered for a “standard market fee.”
The opinion reminds readers that the processing of personal data collected in the context of tracking must comply with the GDPR, as further discussed in the SAs’ guidance for telemedia providers.
In October 2022, the Italian Supervisory Authority (“Garante”) announced that it was investigating the same practice, implemented by a number of Italian online news outlets. The Garante stated that, in principle, the GDPR does not preclude the abovementioned dual approach.
* * *
The Covington Privacy & Cyber team continues to keep a close eye on the guidance issued by European supervisory authorities, including those related to adtech. If you have any questions, feel free to reach out to any member of the team.