Either accept these commercial profiling cookies or pay the subscription to this newspaper. In other words, you can decide how to pay: with your money or with your personal data.
This is the reality that many newspapers, including those of the GEDI group, are presenting to their readers. However, it is not just an Italian fact: already Le Monde started this policy several weeks ago, after many twists and turns of the French regulatory authorities on the subject of “cookiewalls”.
The problem with the cookie wall is not the cookie wall
by Andrea Monti
But let’s take a step back and order. Is it lawful, under national and European Union law, to place the user-consumer in front of the invincible dualism: cookie versus paid subscription? The matter is governed by two legislative sources of EU origin: the 2002 “e-privacy” directive and the GDPR, of 2016. The first explicitly regulates the case of cookies (information files that websites store on the user’s computer while browsing the web) and is considered “lex specialis” (ie a law that specifies a sector of a broader law), compared to the GDPR. The paradox, however, is that the “special” law is 12 years older than the general law. In other words, the special law is less up-to-date and less protective than the general law. And this creates a headache for jurists and authorities.
Spotify, Netflix and newspaper cookies
by Riccardo Luna
On the one hand, the 2002 directive states that consent is necessary to accept profiling cookies, but it can also be provided implicitly, simply by continuing to browse a website. On the other hand, the GDPR has reinforced the requirements of “consent”, asking that this be unequivocal (ie: ignoring a warning does not mean consent), fully informed and “free”. Furthermore, the GDPR clarifies that consent (for the processing of personal data not strictly necessary for a contractual relationship) is not “free” if it is set as a necessary condition for the use of goods or services. In other words, if a site tells me “to use our online content, give me consent to know your commercial preferences and your browsing history”, this site is violating the GDPR. But is it also violating the 2002 e-privacy directive? Not explicitly.
The practice of conditioning the use of a site to the acceptance of cookies is called “cookiewall” and the legal dispute underlying this problem has already been well addressed by the French Privacy Guarantor (CNIL), which in 2021 first sanctioned Google and Facebook for the use of cookie walls, but then – after losing the appeal to the Council of State – she had to retrace her steps and allow cookiewalls, albeit with many caveats and “case by case” considerations.
The European Data Protection Board (the European college of all national privacy authorities) had already issued an opinion on this issue in 2017: if the user has the possibility to choose between accessing a service by accepting cookies and a ‘genuinely equivalent’ alternative that does not require providing personal data, consent is free. One wonders whether “to pay” is a “genuinely equivalent” alternative.
The Italian Privacy Guarantor recently stated that it will deal with the matter and will give its own decision on the matter. In the meantime, however, there are many considerations that we can make, as also emerged from the conference – organized in Florence last Friday by the Vice-President of the Privacy Guarantor – on the marketing of personal data, to which even the writer had the pleasure of being invited as a speaker.
A healthy pragmatism would force us to observe the reality that has existed well before the choice of some Italian online newspapers: the choice between paid services or services with more advertising and cookies has already been a reality for decades. But what are the consequences of this reality?
The greater risk is that those with less financial resources feel forced to agree to provide more personal data, through cookies, rather than accept paid services. This would mean that privacy would become a “luxury good”, the prerogative of people with greater economic resources. But can a fundamental right be a “luxury good”?
The corollary is that the “poorest” subjects (less willing to pay to protect their data) would be the subject of more personalized, more aggressive and effective advertising, in a spiral of exploitation of the economic and social vulnerabilities of users: those who have less, the more it is manipulated.
And even before answering on the merits, one would ask: is it acceptable that personal data (compared by Stefano Rodotà to the components of our digital “body”), expressive of our integrity, identity and personality, are recognized as “commodities” of exchange?
Can we think of a different internet, where profiling cookies are prohibited, except for specific objections? It seems a secondary and irrelevant question, but sometimes a click is enough to sell our dignity.