General statements of the opinion

According to the EDPB, in most cases, so-called 'large online platforms' do not meet all requirements for valid consent within the meaning of Articles 6(1)(a) and 7 of the General Data Protection Regulation (GDPR) if they only offer the user a binary choice between consenting to processing for behavioral advertising or paying a fee, whereby the specificities of the individual case always have to be taken into account. This means that the EDPB does not consider the consent or pay model to be unlawful per se - but tends to be rather critical, especially if this is used by so-called large online platforms (regarding this vague term, see below).

Offering an alternative to data processing that only requires payment of a fee should not be the default way. Rather, large online platforms should offer an equivalent alternative that does not involve the payment of a fee, as otherwise, data subjects would not have a free choice. Alternatively, there should at least be a third alternative that does not involve paying a fee but includes a form of advertising that does not require any processing or at least only the processing of less personal data.

The EDPB also deals with the legal requirements of the GDPR for valid consent and mentions the principles of necessity and proportionality, transparency, purpose of limitation, and data minimization in this context. It also mentions the principle of fairness, according to which the reasonable expectations of the data subjects and a possible imbalance of power should be taken into account, and dark patterns, such as deceptive or manipulative language or design, have to be avoided.

In terms of the voluntary nature of consent, it is also of fundamental importance whether the non-granting or withdrawal of consent is associated with disadvantages for the data subject and whether consent is necessary for access to products or services.

Finally, the imbalance between the data subject and the controller should also be considered, which should always be assessed on a case-by-case basis. The position of the large online platform on the market, possible lock-in or network effects, and the dependence of the data subject on the service offered provide indications for this assessment.

Implications and enforceability

The opinion is not directly legally binding for controllers or processors, as the EDPB is not a legislative body.

In addition, the EDPB uses the wording 'should' for key statements from the opinion, such as the fact that there should be another, non-fee-based alternative for processing for behavioral advertising. The use of the term also suggests that the opinion can be seen more as a kind of recommendation.

Due to the fact that the opinion addresses behavioral advertising of large online platforms, the use case seems to be rather limited at first glance.

However, the EDPB provides guidance on the requirements for valid consent in its opinion, which can generally be taken into account when interpreting the provisions of the GDPR. It is very likely that the national authorities will rely on the opinion since the EDPB is composed of the heads of the national data protection authorities. In this respect, the opinion provides important practical guidance for data processing in the context of behavioral advertising and the requirements for valid consent for these purposes and can be regarded as a kind of 'EU-wide framework condition' from a supervisory authority perspective.

Furthermore, as there has been no uniform opinion on this topic to date, the position of the EDPB will presumably also carry considerable weight in future decisions by the European Court of Justice (ECJ) and national courts.

Changes of practice from platforms regarding offering a third free choice

Recently, more and more website operators (at least in Germany) have decided to implement a pay or consent model. Although previous official statements have set out specific requirements for the design of a cookie banner, e.g., regarding that the single action of accepting constitutes consent to both, the use of cookies and subsequent processing or transparency requirements, which also needs to be observed when implementing the pay or consent model, these requirements have often only been implemented inadequately. In this respect, it will be interesting to see to what extent companies implement the new requirements. The fact that only large online platforms are named as addressees could possibly prompt companies not to take any further action. Nevertheless, this circumstance should be considered with caution. This is because the EDPB's requirement can be seen as a general benchmark. Finally, it is mentioned in several places that it should always be considered on a case-by-case basis whether the granting of consent can be classified as freely given. This question arises not only for large online platforms and not only in relation to behavioral advertising purposes, but for tracking in general.

The EDPB already provides indications of what the implementation of an equivalent alternative could look like. For example, it mentions contextual or general advertising or advertising based on topics the data subject selected from a list of topics of interests, whereby it always needs to be ensured that only personal data that is necessary for the purpose of placing the advertisement would be processed. In addition, clear information is required with regard to data processing and an interface design avoiding any dark patterns and enabling to obtain consent for each separate purpose if tracking for multiple purposes takes place.

With regard to the information to be published by the controller, the EDPB points out that the recipients of the personal data, a possible third country transfer, processing of data irrespective of the consented behavioral advertising, the right to withdraw and its consequences, information on the cross-use of data, and the extent to which the data is shared with third parties have to be mentioned. The latter will be particularly relevant for companies that use third-party CMP platforms and have implemented them on their websites. Finally, the EDPB states that users should not be misled into giving their consent by being provided with ambiguous information. In this respect, terms such as 'simply continue' or 'continue without payment' are classified as inadmissible, as they do not constitute valid consent.

Implications of the opinion on other European legal frameworks

The opinion of the EDPB does not only have an impact on the GDPR but also affects other European regulations. For example, Article 5(2)(a) of the Digital Markets Act (DMA) requires consent for the use of personal data by gatekeepers for the provision of advertising services if end users use the services of third parties who in turn use the gatekeepers' core platform services. This refers, for example, to the case where a company's service runs via a gatekeeper's operating system.

The GDPR regulates the conditions under which consent is valid. The EDPB also refers to ECJ case law, according to which two EU legal acts of the same hierarchical value do not establish priority of one over the other and should be applied in a compatible manner, that enables a coherent application. In this respect, the general principles regarding consent should also be taken into account for these legal regulations.

Due to the fact that the ePrivacy Directive also refers to the concept of consent in the Data Protection Directive 95/46/EC and therefore to the GDPR, the requirements mentioned in the EDPB's opinion also needs to be taken into account with regard to the design of cookie banners.

Large online platforms and other possible addresses of the opinion

According to the opinion's title and definition of the scope, so called 'large online platforms' shall be addressed. The EDPB clarifies that the definition in Article3(i) of the Digital Services Act (DSA) applies to the concept of online platforms, but is not limited to it. Rather, a case-by-case decision should be made to evaluate whether a platform can be regarded as a large one.

From a practical point of view, there is clear criticism to be made here: the EDPB uses a terminology for the addressees of the opinion that is neither legally defined nor does it contain clear requirements from the user's point of view. In the end, it is therefore not clear to readers when a so-called 'large online platform' would exist from the EDPB's perspective.

The EDPB cites the number of data subjects ('platforms that attract a large amount of data subjects as their users'), the position of the company on the market, the scope of the processing ('whether it conducts 'large scale' processing'), such as the number of data subjects, the amount of data, and the geographical scope of the processing activity, as criteria. The EDPB also refers to the definition of gatekeepers in Article 3(1) of the DMA. However, the EDPB also clarifies that the opinion does not only apply exclusively to large online platforms, but can also generally be taken into account in the context of consent for processing for advertising purposes ('The factors highlighted in this Opinion will typically apply to large online platforms, but not exclusively. Some of the considerations expressed in this opinion may prove useful more generally for the application of the concept of consent in the context of 'consent or pay' models'). This is also supported by the fact that the opinion mainly deals with the requirements for valid consent under the GDPR, taking into account the principles in Articles 5 and 7 of the GDPR. These principles apply to all website operators who obtain consent for behavioral advertising. In this respect, the freedom of choice of the binary consent or pay model is also likely to be problematic for smaller platforms and news media websites, whereby the specific circumstances of the individual case should always be taken into account in order to be able to assess whether the user can make a free choice and consent can therefore be regarded as valid.

Other interesting findings of the opinion

Another interesting aspect of the opinion is that the EDPB considers a period of one year to be appropriate in the context of behavioral advertising with regard to the period of validity of consent. As the GDPR itself does not set a specific time limit, this could also be used as a general standard for other processing operations based on consent. However, the EDPB explicitly states in this regard that controllers should conduct this assessment on a case-by-case basis.

With regard to withdrawal of consent, the EDPB also expressly points out that the controller does not only have to terminate further processing but also needs to delete the data if there is no other legal basis for further storage. Moreover, the withdrawal does not only concern the processing of the data but also the storage or access to the data in the user's terminal equipment in accordance with the ePrivacy Directive. In particular, this is relevant when the controller uses large advertising networks to target individuals and track them across several websites. In such cases, the controller has to ensure that this processing by third parties does not continue in the event of a revocation.

Dr. Carlo Piltz Partner
[email protected]
Alexander Weiss Associate
[email protected]
Piltz Legal, Berlin