DPA decision hits home for German news outlets
The Data Protection Authority of Lower Saxony (LfD) in Germany has declared the “Pay or Okay” practice of the German-language tech news site, heise.de, as unlawful. A considerable decision, it carries massive implications for several German news pages utilising similar models.
Heise.de offered users two choices, either paying for a monthly subscription or allowing their personal data to be processed for advertising and other purposes. Originating in 2021, this method has now been deemed illegal by the LfD. The ruling follows on the heels of a similar verdict by the Austrian Data Protection Authority (DSB) against a similar practice on an Austrian news site earlier this year.
Intensifying debate around “pay or okay”
The LfD decision added fuel to the growing “Pay or Okay” discussion in Germany. Reiterating the Austrian DSB’s standpoint, the LfD judged heise.de’s “Pay or Okay” implementation in 2021 as illegal and issued a reprimand.
Although open to the “Pay or Okay” concept in principle, the LfD found the application on the news site to be non-compliant with the law, particularly in not offering the option for users to provide specific consent for certain purposes. This judgement echoes the guidelines of the Conference of German Data Protection Authorities (DSK). In March 2023, the DSK explicitly voiced its concerns over the lack of specific and transparent consent on websites employing “Pay or Okay” models.
Warnings from legal professionals
Data Protection Lawyer at noyb, Felix Mikolasch, criticised the “Pay or Okay” solutions as a “take it or leave it” system, requiring users to either consent to everything or pay. Mikolasch said, “The GDPR requires ‘specific’ consent to each type of processing,” and expressed the opinion that a reprimand was not enough to deter others from using such methods.
Processing personal data without consent
The LfD’s research revealed that heise.de processed users’ personal data as soon as the website was accessed, setting tracking cookies before consent could be given.
Concerns over consent
The LfD further criticised heise.de for unlawful and methodical nudging to influence users for its benefit, as well as for not obtaining informed, specific, or freely given consent. It also highlighted difficulties in revoking previously given consent at a later time.
Ignoring disproportional costs
In a complaint to the LfD, noyb also highlighted the disproportionate costs of heise.de’s “Pay or Okay” solution, citing it as 428 times more costly for users to protect their privacy than what the company earns by processing their data. Noyb’s complaint, which also pointed out the complication in signing up for the paid subscription, was disregarded in the LfD’s decision.
Further measures post decision
Following the LfD’s decision, heise.de transitioned to a more intricate banner. Users are first presented with two options: paying €4.95/month or giving their consent. Only on the second layer can they opt to reject all purposes except advertising. However, questions arise as to how many users on the web navigate to the second layer of a cookie banner, making the option to reject any other purpose practically invisible.
—
If you are looking to launch a new project, you need a data team that is aware of the most recent developments in terms of tech and regulations. We have some of the top data and software candidates in Germany. Speak to a PL Talents expert today.