Many websites, especially those with journalistic and editorial content, give users the choice of either accessing the page content free of charge and allowing extensive tracking of surfing behavior in return, or being exempt from web analysis for a fee. The option of a mandatory tracking consent on the one hand and a fee-based tracking-free page visit on the other hand is referred to as a “pure subscription model” or “cookie paywall” and was controversial in terms of data protection law for a long time. The following article shows how it is to be evaluated according to the GDPR and which requirements must be observed for data protection-compliant implementation.
I. Pur subscription models: Fee for informational self-determination
Pur-subscription models, also known as “cookie paywalls”, are a popular instrument, especially on the websites of news agencies and websites with journalistic content, in order to generate additional income from the point of view of privacy and to reward the journalistic work of the authors who publish. However, they are also spreading to blogs and sites that primarily serve to impart knowledge.
Pure subscription models give the user the choice between free use of the site with extensive web analysis and paid browsing without analysis of usage behavior.
For this purpose, a banner is regularly placed before the page is called up, which requires the user to make a data protection decision: either free use of the site with simultaneous mandatory consent to tracking measures or paid subscription for tracking-free surfing and more privacy:
(Those: Zeit.de)
The name “Pure subscription model” comes from the second, i.e. the paid alternative under tracking waiver and addresses the fact that the user should alternatively use the website with extensive web analysis or tracking-free, i.e. “pure”, in the paid subscription to be able to use.
II. Data protection compliance of pure subscription models
In the past, pure subscription models on websites were controversially discussed as to whether they were permissible under data protection law, because in particular the voluntary nature of the tracking consent required for free use of the website was in question.
Individual data protection authorities argued that the desired website tracking by reading and storing information (e.g. cookies) on user devices in “free mode” is only permissible with express consent (according to Section 25 TTDSG). However, the decisive prerequisite for the effectiveness of such a tracking consent is its voluntariness and thus the possibility of the user to grant or refuse it at will, Art. 4 No. 11 in conjunction with recitals 32, 43 DSGVO.
However, if the user of an internet offer is now forced to give his consent for free use of the site and the only alternative available to him is payment of a fee, this voluntary nature is not sufficiently given. Rather, exercising the right to informational self-determination is made dependent on subjective willingness to pay and objective ability to pay.
Am However, on March 22, 2023, the data protection conference of the federal and state data protection authorities (DSK) positioned itself and declared pure subscription models are permissible under data protection law in compliance with certain data protection requirements.
Note on the binding nature of DSK resolutions:
Resolutions of the DSK are not legally binding in general, so they do not represent mandatory guidelines for the interpretation of data protection laws.
However, they are usually used and applied by administration and judiciary as a standard for legal assessment, so that they actually have a constitutive character.
These requirements, which must be met for the data protection-compliant operation of a pure subscription model, are presented below.
III. Prerequisites for data protection-compliant pur subscription models
In the opinion of the DSK, pure subscription models or cookie paywalls used as a synonym are generally permissible under data protection law.
Website providers can therefore base the tracking of user behavior on a mandatory consent when the page is accessed if they alternatively offer a tracking-free model that is subject to a fee.
However, it must be ensured that the following requirements are met:
1.) Equivalence
The service that users receive in the pure model, i.e. when paying the fee without tracking, must be an equivalent alternative to the free service with mandatory tracking consent.
It is decisive in this respect that at least the same content can be accessed with paid use as with free use with tracking permission.
A pure subscription model is therefore inadmissible if the content of the pages offered in the paid tracking-free model falls short of what is offered in the model with mandatory tracking consent.
2.) Awareness of the tracking consent
In order to be able to be obtained effectively and thus to be able to serve as a justification for tracking in the free page model, the consent must be transparent and understandable and explain all data processing that is to be justified with the consent.
References to the data protection declaration, in which the individual tracking measures are then explained in more detail in terms of their scope, their purposes and those involved in the processing, are sufficient.
3.) Granularity of consent/prohibition of general consent
The “granularity” of the consent required by the DSK is probably the most important admissibility requirement, which at the same time establishes a significant restriction as to the scope of the mandatory tracking consent in the free model.
According to this, in the case of pure subscription offers, it is inadmissible to design the mandatory consent as a general consent for all processing purposes.
Rather, if several, significantly different processing purposes come together, the user must be given the opportunity to actively and voluntarily select the purposes for which they want to give their consent via opt-in.
Consent may only be mandatory with regard to one processing purpose.
It would therefore be inadmissible to require a blanket consent for the cookie-based analysis of user behavior on the one hand and the sending of newsletters on the other as a mandatory requirement for free use of the site.
Likewise, consent to cookie-based tracking must not be combined with consent to push notifications.
The DSK has not sufficiently decided to what extent the granularity must also be guaranteed for the web analysis, i.e. the visitor tracking itself.
It is therefore questionable whether the area of ”tracking of surfing behavior” can be covered with a mandatory consent, or whether in this regard it must also be broken down into different processing purposes, of which only one may be specified and the others must be able to be selected voluntarily.
It is at least conceivable and obvious that
the cookie-based measurement of the success of advertisements for statistical purposes, conversion tracking to track user actions after clicking on an advertisement and the creation of pseudonymised usage profiles about interests, activities, location and demographic characteristics for better statistical success measurement
serve the same processing purpose.
On the other hand, another processing purpose, which should not be included in the general consent and regulated separately via a voluntary opt-in, should be to display pseudonymised user profiles for displaying interest-based advertisements on your own or on third-party websites (so-called “remarketing/retargeting). The purpose here is data processing to monetize sales promotion interests of third-party advertisers and not processing to optimize (own) advertising
4.) Only required storing and reading operations in pure mode
Finally, in order for a pure subscription model to be operated in compliance with data protection regulations, it is imperative to ensure that in the paid model without granting tracking consent, information is only read out and stored on the end device used if this is necessary for the operation of the website and the Provision of the essential page functions is absolutely necessary.
No (hidden) tracking measures may therefore take place without (then mandatory voluntary) consent, since on the other hand the alternative relationship between a free offer with tracking and a paid offer with tracking protection would in fact be devalued.
IV. Conclusion
Pure subscription models or cookie paywalls are designs on websites where the user can choose between a free and a paid usage model. A mandatory tracking consent is linked to the free use, while the paid version does without storage and readout processes for analysis purposes.
Previously controversial in terms of data protection law, the DSK has now published requirements that must be met for pur-subscription models to be operated in compliance with data protection regulations.
The necessary granularity of consent is particularly noteworthy here. In the free model, no general consent may be obtained for all advertising-related processing purposes, but only one purpose must be defined as requiring mandatory consent. Processing for other purposes (in addition to tracking for web analysis, such as sending newsletters, push notifications or retargeting) must continue to be voluntary.
Tip: Do you have any questions about the post? Feel free to discuss this with us in the
Entrepreneur group of the IT law firm on Facebook.