German Data Protection Authority Declares “Pay or Okay” Model Unlawful
The Data Protection Authority of Lower Saxony (LfD) has ruled that the popular German-language tech news site heise.de’s “Pay or Okay” approach, which required users to choose between paying for a monthly subscription or allowing their personal data to be processed for advertising and other purposes, is illegal. This decision follows a similar ruling by the Austrian Data Protection Authority earlier this year, raising concerns for other German news sites employing a similar model.
“Lack of Specific Consent” Cited as Reason for Unlawfulness
The LfD determined that heise.de’s implementation of the “Pay or Okay” model in 2021 did not comply with the law as it failed to offer users the option to provide specific consent for each purpose. The decision aligns with guidelines issued by the Conference of German Data Protection Authorities (DSK). Although the LfD acknowledged that the model could be permissible in principle, the lack of specific and transparent consent on heise.de’s website violated the GDPR.
Data Protection Lawyer Criticizes Inadequate Consequences
Felix Mikolasch, a Data Protection Lawyer at noyb, expressed his support for the LfD’s decision. However, he highlighted that a mere reprimand is insufficient to deter others from adopting similar “Pay or Okay” models. Mikolasch criticized the prevalent “take it or leave it” system, where users are forced to consent to all types of processing or pay. He emphasized the need for explicit consent to each processing activity as required by the GDPR.
Website’s Pre-Consent Data Processing Uncovered
The LfD’s investigation revealed that heise.de processed users’ personal data as soon as the website was opened, even before any action was taken. This meant that tracking cookies were set before users had the chance to provide their consent. The revelation further strengthened the LfD’s case against the news outlet’s non-compliance with data protection regulations.
Issues of Transparency and Free Consent Highlighted
In addition to the “Pay or Okay” model, the LfD pointed out that heise.de engaged in unlawful and manipulative nudging techniques to influence users for its own benefit. The authority concluded that the consent obtained from users was not sufficiently informed, specific, or freely given. It also raised concerns about the difficulty of revoking consent at a later stage, suggesting a lack of legal grounds for data processing on the website.
Concerns Over Disproportionate Costs and Complex Subscription Process
Privacy advocacy group noyb raised concerns about the exorbitant cost to users of protecting their privacy under the “Pay or Okay” model on heise.de. The estimated cost was found to be 428 times higher than the earnings from data processing. Additionally, noyb highlighted the complexities involved in signing up for the paid subscription compared to the simpler process of “consenting” to being tracked. However, these concerns were not addressed in the LfD’s decision.