UK, Austria Differ on Whether Consent is Freely Given if the Choice Has a Small Fee
Consent is expected to be one of the first large areas of controversy in GDPR compliance, with multinational corporations already facing complaints about bundled or forced consent from consumers and regulators. The French DPA CNIL already accused a company of failing to gain proper consent, but gave the company time to bring itself into compliance before facing a penalty. Now, we are seeing the first dispute between DPAs in their interpretation of what it means for consent to be freely given: Austria has upheld a newspaper that charged a small fee, while the UK told the Washington Post that it was in violation of GDPR.
Austria Upholds Small Fee to Remove Tracking in November 2018
The Austrian Data Protection Authority has upheld a newspaper’s decision to charge a six euro monthly subscription for the user to both have full access to the website and decline the use of cookies and tracking technology. The decision came after a user brought a complaint arguing that the paper’s approach to consent was not valid under GDPR.
According to the Article 29 Working Paper on consent adopted on November 28, 2017 and revised on April 10, 2018, consent is valid if the data subject is able to exercise a real choice and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra costs) if consent is withheld.
The Austrian DPA determined that a payment of six euros a month was not a significant negative consequence invalidating a person’s consent. The DPA also took into account that the individual could choose another news source and did not need to access the website.
UK Rejected the Validity of a Similar Choice in November
The Austrian DPA decision is in contrast to an earlier decision out of the United Kingdom. The UK ICO faced a similar question and decided to invalidate cookie consents gathered by the Washington Post. The ICO received a complaint and determined that the Washington Post was not in compliance with its obligations under Article 7(4) of GDPR.
The Washington Post offered three options to users. The “free” option allowed the user to read a limited number of articles each month and required consent to use cookies and tracking by the Washington Post and third parties to provide personalized ads. The “Basic Subscription” cost $60 a year ($6 for 4 weeks) and also required the same consent to cookies and tracking for personalized ads. The “Premium EU Subscription” was $90 a year ($9 for 4 weeks) and the benefit of paying the additional cost was that there would be no on-site advertising or third-party ad tracking.
The ICO concluded that the consent to apply cookies was not freely given because there was no free alternative to accepting cookies. The ICO instructed the Washington Post to offer an option that did not require acceptance of cookies at all subscription levels.
Disputes Could Pose Compliance Challenges
As a body of law is built up around GDPR over the next decade, organizations will have better guidance as to what is permitted on the margins. However, there is bound to be a transition period where the answers to some of the complex questions posed by the law in practice are not clear, even to the staff of the DPAs, particularly around consent. This is demonstrated by the conflict between these two decisions. Organizations will either need to play it safe by respecting the most privacy protective decision, or trust that the DPAs will continue to allow organizations (acting in good faith) a grace period to bring their practices into GDPR compliance.