Skip to main content

"Allow Ads or Pay" - The Meaning of Freely Given GDPR Consent

| Categories: General Obligations; Consumer Rights;

[Translate to Japanese:] Freely given consent

Where processing of personal information is based on consent, the EU General Data Protection Regulation (GDPR) sets quite a few conditions that must be met so that the user’s consent is regarded effective and lawful. One of these requirements we want to look at in more detail is that consent must be “freely given”.

"Freely given" consent means, among others, that consent given under threat or extortion is invalid. Beyond such obvious situations, it requires that the user has a substantial choice. One example: Recently, we blogged about how supervisory authorities are pushing for opt-in consent for the use of cookies and web beacons. Is consent “freely given” if the options are that user either agrees to marketing cookies, or that he or she is blocked from viewing a website or at least have to pay for what was otherwise offered for free?

What does the law say?

Art. 7 (4) of the GDPR reads:

“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

What does this legalese mean? The data controller cannot link the decision of whether it enters into a contract with a potential customer to the condition that the customer consents to, for example, the use of his personal information to distribute marketing messages in a take-it-or-leave-it setup. The company may, on the contrary, ask the customer to consent in the context of concluding the contract - but may not decline the customer solely because he or she refuses to consent.

This concept makes sense when one considers the interplay with other grounds for lawful processing of personal data. Using customer data, for example, to issue invoices is necessary for the performance of the contract and therefore does not require consent. Consent must be obtained only where the purpose of the processing goes beyond the purpose of the contract, such as delivery of marketing messages, and no other legal justification like legitimate interests applies.

What do the supervisory authorities say?

The European Data Protection Board (EDPB), an EU body, issued guidance on the conditions for consent. It states:

“The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid.”

The authorities argue that data controllers may not rely on other equivalent offers that are available on the market and do not require their users to consent to the use of personal data. Striving back to our initial example, the EDPB implies an answer to the question whether online service providers are allowed to block visitors from certain content: Such design may not be justified by the argument that users have the choice to look for another service provider.

Another important aspect in designing valid consent options is the notion of granularity. Where users consent to different purposes of data processing (e.g. marketing messages and sharing of the data in between a group), data subjects must have the option to consent or withhold consent for each of the purpose separately.

Furthermore, the data controller must be able to demonstrate that users can refuse or withdraw consent without detriment, i.e. that such behavior does not lead to extra costs or limited products or services. The EDPB vaguely acknowledges that the GDPR “does not preclude all incentives”, such as exclusive presales for subscribers of the company’s magazine who consented to its receipt, but leaves the onus of proof, and therefore the risk of non-compliance, with the data controller.

In employment contexts, consent is often likely to be considered unfree and therefore invalid. For non-EU companies, this apparently only applies to employees being subject to the GDPR. Where companies intend to implement new processing operations on employee data, in-depth legal review is recommendable. Other justifications than consent, such as legitimate interest, may be an appropriate alternative in the individual case.

What do the courts say?

Not much yet. The European Court of Justice, being the highest instance to rule on the interpretation of the GDPR, have not yet issued precedence on that topic. But this only seems like a question of time. Meanwhile, interesting rulings of national courts fuel the debate.

In August 2018, the Supreme Court of Wien, Austria, confirmed the abovementioned interpretation of Art. 7 (4) GDPR and ruled a clause invalid that included consent to the use of personal data for marketing purposes. The customer only had the choice to agree to the terms and conditions including that clause or to not enter into the contract.

In June 2019, the Higher Regional Court of Frankfurt, Germany, ruled on the validity of a consent given in the context of a free lottery. A website provider offered participation only on under the condition that the user consented to the receipt of marketing messages by 8 partner companies: No consent – no chance of winning. The judges ruled that such consent was freely given, arguing that it was up to the consumer to decide whether the disclosure of the request information in exchange for participation in the lottery was worth it.

In its reasoning, the court did not even discuss whether Art. 7 (4) GDPR had any impact in the given context. Why? It will probably remain the court’s secret. One possible explanation is that they did not consider participation in the lottery in question as a contract, which may be the case due to specific German law on lotteries. Another explanation could be that they simply have not taken account of this relatively new legal norm.

Outlook: monetization of data?

The GDPR gives companies, particularly online service providers, a hard time in monetizing user data. Authorities apply strict interpretations, clearly aiming to crush certain data-driven business models, or at least the idea of giving access to personal information as a consideration for the use of services.

An alternative strategic solution is the implementation of paywalls as an alternative to consent. With this design, users are offered the choice to either pay for content or to consent to the use of their data. This approach is also reflected in the Californian Consumer Privacy Act, becoming effective on January 1, 2020: Under this US State law, businesses may apply different pricing if the differences are reasonably related to the value provided to the consumer by the consumer’s data.

However, legal validity of such solution under the GDPR is not clarified yet and will probably be subject to legal disputes. Statements of the EDPB indicate that authorities will not accept that approach and instead push free service to become chargeable in general. The ruling of the Higher Regional Court of Frankfurt points in a different direction. The competence for final decisions remains in the hands of the courts, particularly the European Court of Justice. We stay tuned.

EU Commission Sets Timeline for New SCCs after the “Schrems” Judgement

In a meeting of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs held in Brussels today, EU Commissioner Didier Reynders delivered remarks on what to expect for the future of international data transfers after the European Court of Justice has ruled the EU-US Privacy...


Data Mapping & the GDPR: "Records of Processing Activities"

Any privacy law implementation program is based a proper data mapping. But is it even a legal obligation? Under the GDPR, the answer is a clear "yes" for most of modern businesses. Article 30 requires companies to maintain so-called "records of processing activities" (also known as RPA or ROPA) with...

International Applicability

E U一般データ保護規則(G D P R)は日本にある我が社にも適用されるのでしょうか。

2018年5月に欧州E U一般データ保護規則 (GDPR)が施行されました。それはプライバシーを規定する法律ですが、データに依存するデジタルサービス提供者のみならず、世界中のすべての産業分野の、すべての大きさの会社が、その影響を受けることになりました。