Balancing a free choice and monetization in Consent or Pay

My first article in a series on Consent or Pay argued why publishers lean towards this model as an alternative to traditional cookie banners. Now I explore what it takes to preserve freely given consent.

As a general remark, European data protection authorities (‘DPAs’) and the European Data Protection Board ('EDPB') have not imposed a blanket ban on Consent or Pay. EDPB certainly twisted and turned to discourage this model while not contradicting the EU Court of Justice in its opinion for large online platforms¹ (‘EDPB Opinion’). However, each DPA with a public point-of-view has presented criteria for freely given consent that can make Consent or Pay work. In this article I unpack the DPA guidelines and the EDPB opinion in search of consistent requirements.

The French DPA CNIL has published the most detailed guidelines² and argues cookie paywalls can be valid if:

• Users have an equivalent alternative to access the service without consent.
• The alternative is fair considering a potential imbalance of power³.
• The price of the alternative is reasonable.
• The paywall choice is limited to purposes that support the remuneration of the service.
• The paid alternative is limited to essential purposes⁴.

The Danish⁵, German⁶, Austrian⁷, Spanish⁸ and UK⁹ DPA have also acknowledged the legality of paywalls under similar conditions, albeit with less extensive arguments.

The EDPB Opinion starts from the four criteria for freely given consent in line with the EDPB guidelines on consent¹⁰:

• Consent refusal or withdrawal does not imply harm or damage.
• Users can’t feel pressured to accept because of the power of a controller towards a data subject.
• Access to a service can’t depend on processing activities that are not objectively necessary.
• Users have the freedom to make a choice for individual purposes.

Taken together, we distinguish four assessment criteria for Consent or Pay models. We discuss each in turn.

Figure 1: Overview of Consent or Pay requirements from EU DPAs

1. Reasonable price

Align the price of the pay option with the opportunity cost for behavioural advertising. Document the pricing analysis and justification.

A reasonable price is tied to the notion that users should be able to withdraw without detriment. The notorious one-liner from the EUCJ “[…] users are to be offered, if necessary for an appropriate fee, an equivalent alternative […]” implies a fee for an alternative option without behavioural advertising does not cause detriment by itself. However, the fee can’t be so high it effectively prevents users from refusing consent. The guidelines of the French, Danish and UK DPAs simply refer to a ‘reasonable’ or ‘appropriate’ price versus a price that is ‘unrealistically’ or ‘unreasonably’ high.

The EDPB Opinion, especially the proposal for a free alternative without behavioural advertising, seemingly lowers the bar for financial detriment. However, EDBP starts from the premise that large only platforms typically have a clear imbalance of power over the user and, hence, consent is only valid in exceptional circumstances when there are no negative consequences. A power imbalance is serious business. Examples include “deception”, “intimidation”, and “coercion” as well as “substantial extra costs”. This does not apply to the average publisher¹¹ that faces real competition and offers a range of digital subscriptions and price points.

EDPB and DPAs strongly encourage controllers to document their assessment of a reasonable price and demonstrate that the proposition allows for freely given consent. A conservative pricing approach aligns the price of Pay with the actual opportunity cost of behavioural ads per representative user (e.g., users with a median number of page views), which obviously preserves revenues. As a downside, the opportunity cost can vary strongly between websites and apps or popular versus niche titles.

Further reading

It is above my paygrade to discuss whether data protection authorities overstep when imposing pricing constraints and assessing market dynamics. Peter Craddock (articlev) and Etienne Drouard (article) have articulated this issue at length.

2. Equivalent and fair alternative

Offer at least one Pay option without behavioural tracking or any ads at all. Avoid combining a tracking-free experience with access to restricted content as the only alternative to Consent.

EDPB breaks down equivalence in terms of the absence of degraded quality and the suppression of functions¹². Practically speaking, publishers ideally limit the Consent or Pay trade-off to the delivery of behavioural ads and related data processing (i.e., creating a profile, selecting ads based on this profile, and measuring the performance). DPAs have expressed a similar point-of-view with the common counterexample of a ‘premium’ ad-free service and more content or features.

Publishers can combine a tracking-free experience with other subscriptions if they offer at least one fully equivalent experience. A common approach is offering a separate Pay subscription and handing a discount to existing subscribers.

On a final note, publishers wonder whether the strong recommendation for a “free alternative without behavioural advertising” applies to them. First, publishers likely don’t exert a clear imbalance of power over the user. Second, this proposition is just one possible alternative that ignores the market reality of contextual versus behavioural ads. Third, the concept has several conceptual flaws such as inconsistency with the guidelines on the technical scope of ePrivacy. I will dedicate my next post to a critical analysis of this option.

3. Granular choices

Limit the scope of the Consent versus Pay choice to profiling, targeting and measuring advertisements. Keep a purpose layer in the CMP with a ‘free’ choice for usage analytics, content recommendations and social media embeds. Integrate opt-in choices in the user experience of the Pay option (e.g., prompt to accept social media functionality next to a disabled embed)

As a starting point, users need to have separate consent choices for different processing operations. The EDPB Opinion doesn’t add much to that premise from the GDPR and shares contradictory examples. EDPB distinguishes “personalisation of content, personalisation of advertisements, service development, service improvement, audience measurement” in the context of real time auctions yet considers audience measurement part of the advertising purpose when discussing transparency.

The French DPA explicitly allows for bundling of ad-related purposes including frequency capping and ad performance measurement. Content recommendations and social media embeds require a separate choice. The Austrian DPA emphasized the importance of granularity in its decision against Der Standard and rejected the inclusion of analytical and social media purposes. The common pattern appears presenting the advertising purposes as one trade-off choice between Consent and Pay and offering separate opt-in choices for other purposes to all users.

Not all opt-ins are lost in Pay. Publishers can still encourage users to opt in through prompts within the reading experience such as inviting users to consent next to a blocked social media embed or indicating that the list of ‘most read’ articles can become ‘selected for you’ if they accept content recommendations.

4. Tracking-free Pay option

Remove all tracking for usage analytics, content recommendation and social media functionality by default.

Traditional consent banners offer three basic choices: accept all purposes, choose per purpose, or refuse all purposes. Consent or Pay models essentially offer the same options with a fee for refusal. Therefore, the Pay option only allows for essential purposes unless users provide a separate opt-in choice.

The ePrivacy Directive requires consent for any storage or access to information on a device¹³ – regardless of the presence of personal data – except for two narrowly defined exceptions¹⁴. EDPB still refers to the ancient WP29 Cookie Consent Exemption guidelines¹⁵ that only allow for very limited examples such as load balancing, authentication during a session, multimedia session, and UI customization. The French and Danish DPA similarly stress that Pay should be free from optional tracking and rule out content recommendations and marketing by default.

Limiting tracking is harder than it seems. Removing ads may cause layout issues. Tracking scripts are sometimes hardcoded or embedded in videoplayers and widgets. It makes sense to invest in an automated scanning solution to support this task.

What does good look like?

A concrete example brings these conceptual requirements to life. Let’s look at the Consent or Pay model of Der Spiegel.

Figure 2: Consent or Pay at Der Spiegel

Reasonable price

Der Spiegel prices Pay at € 0.99 per week for new subscribers. At face value, this price corresponds to market rates for comparable Pay fees and is in reach of monthly advertising revenues per user. Adding the price on the first screen of the CMP (BILD.de is an example) would improve transparency and remove friction as users now need to look for the price before making a final decision.

Equivalent and fair offer

The Pay option only differs in terms of the display of ads and related processing activities. It is fully compatible with any other subscription for content access or additional services. This setup supports a clean proposition for Consent or Pay and avoids the migrations of existing subscribers to a new service offer.

Granularity

Der Spiegel offers a free choice for content recommendations and social media plugins. Analytical tracking and direct marketing are required under ‘Consent’. Der Spiegel therefore applies a broad interpretation of purposes necessary for monetization. It is currently unclear whether the German DPAs follow this position, but it doesn’t necessarily conflict with the guidelines from the German Data Protection Conference¹⁶.

Tracking-free Pay

The website indeed limits tracking to a first-party analytical tracker and direct marketing requests. Social media embeds are properly blocked with an invitation to give a specific consent. Tracking from Google Ad Manager was limited to a compatibility check, which is arguably needed for the proper functioning of the site.

Summary

The emerging consent requirements for Consent or Pay present trade-offs for the price of Pay and scope of tracking but can lead to a compliant and financially viable result. Der Spiegel illustrates an approach worth considering.

If you want to dig deeper on these requirements or are looking for help in auditing an existing implementation, do reach out.