Datatilsynet (Denmark) - 2021-31-4871

From GDPRhub
Revision as of 13:44, 22 February 2023 by 10.90.129.155 (talk)
Datatilsynet - 2021-31-4871
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 6(1)(a) GDPR
Article 58(2)(d) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.02.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 2021-31-4871
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: n/a

The Danish DPA held that GulogGratis, an online marketplace, operating a Pay-or-Okay consent mechanism, asked for consent in a way that complied with the 'freely given' requirement of Article 4(11) GDPR. The controller offered the choice between processing personal data or paying an access fee. This choice was freely given because the offered content was essentially equivalent in both cases. Also, the pricing of the access fee was not so disproportionally high that the data subject did not have a real a practical choice. However, the DPA reprimanded the controller for failing to demonstrate that it needed to obtain consent for certain statistical purposes.

English Summary

Facts

The controller is this decision was GulogGratis, an online marketplace. The data subject was a visitor of the controller's website (guloggratis.dk) and was presented with a cookie wall. There were two ways in which he could access the contents of the website.

First, he could consent to the use of cookies, which were used to collect his personal data (IP, ID and browser information) for statistical and marketing purposes.

Second, the data subject could buy access to the marketplace for DKK 29.00 (€3,89) a month.

On 5 April 2021, the data subject filed a complaint at the Danish DPA, because he could only access the website by giving consent to the processing of his personal data or, alternatively, by paying an access fee to. According to the data subject, the choice was to either sell his personal data, or to buy access. Therefore, the consent to processing of personal data could not be considered voluntary.

The controller also clarified its position. It stated that a user could consent to the use of cookies, which were used to collect the following personal data, IP address, ID and browser information. The controller collected this data for statistical and marketing purposes. It also clarified that its legal basis for this processing was Article 6(1)(a) GDPR.

The controller also considered that the main issue of this situation was whether the consent had been freely given, pursuant to Article 4(11) GDPR, which meant that the data subject should have a real choice. According to the controller, this could be the case when the data subject had another way of getting access to the same content, in comparison with the situation where the data subject would have consented to the processing of his personal data. The controller referred to the EDPB Guidelines on consent (05/2022) for this argument.

The controller also explained its reasoning why it was of the opinion that the consent was voluntary in this case. It considered that the procedure clearly informed data subjects about both options to get access. Furthermore, it also mentioned, among other things, that no cookies were set until consent was given, that the payment for getting access to the marketplace was not disproportionality expensive and that there was no harm or inconvenience in refusing or withdrawing the consent.

In its last argument, the controller stated that it understood that the lack of consent should not lead to harm or disadvantage on the part of the data subject. However, the controller could also not deliver its service ('a high quality online marketplace') free of charge. The controller was dependent on revenue, part of which was advertising revenue. If the data subject did not want to consent to the processing for advertising purposes, the data subject had the option to subscribe for DKK 29.00 (€3,89) a month, which the controller found a 'modest and proportionate payment' for access to the marketplace for one month.

Holding

First, the DPA determined that the controller offered two ways to get access to its marketplace, either by consenting to processing of personal data or by paying an access fee. The DPA also confirmed that the services offered in both of these scenarios were 'largely equivalent'. The pricing of the access fee was also not unreasonably high, in the sense that the pricing was not so high that the data subject did not have a real and practical choice between paying an access fee or giving consent for processing of personal data. Therefore, there were no negative consequences for not providing consent. The method used by the controller to obtain consent fulfilled the 'freely given' requirement of Article 4(11) GDPR.

Second, the DPA determined that the controller did not demonstrate that the processing of personal data for statistical purposes was a necessary part of the processing. The DPA reiterated that the controller had stated that it collected data for advertising purposes because this was a part of the controller's revenue. The DPA stated that the controller had not justified to what extent the processing of personal data for statistical purposes was also necessary for this advertising purpose.

Third, the DPA concluded that the controller had not assessed and demonstrated to what extent it was necessary to obtain consent for processing personal data for statistical purposes. This meant that the controller did not demonstrate that there was a freely given consent. Therefore, the controller failed to show that its processing had been lawful pursuant to Articles 6(1)(a) GDPR and 4(11) GDPR. Therefore, the controller violated Articles 5(2) and 5(1)(a) GDPR.

The DPA ordered the controller, pursuant to Article 58(2)(d) GDPR, to ensure that it collected consent in a way that was compliant with Article 4(11) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Gul and Gratis' use of cookie walls

Date: 08-02-2023

Decision Private companies Order No criticism Complaint Handled by the Data Council Basis of processing Cookies / processing of personal data about website visitors

The Danish Data Protection Authority has made two principled decisions regarding the use of so-called cookie walls. One concerns the use of cookie walls on Gul og Gratis' website.

Journal number: 2021-31-4871

Summary

Since the Norwegian Data Protection Authority focused on the processing of personal data about website visitors in early 2020, the Norwegian Data Protection Authority has received a number of inquiries about the use of so-called cookie walls.

On the basis of two concrete complaints, the Danish Data Protection Authority has decided to what extent Gul og Gratis' and Jysk Fynske Medier's use of so-called cookie walls was within the framework of the data protection rules.

The cases have been dealt with in the Data Council.

The Danish Data Protection Authority generally found that a method whereby the website visitor can access the content of a website or service in exchange for either giving consent to the processing of his personal data or for payment, meets the requirements of the data protection rules for a valid consent.

Gul og Gratis' use of cookie walls

With regard to Yellow and Free, the Danish Data Protection Authority specifically found that

The company offers an alternative to giving consent in the form of access for payment Payment gives access to a service that is largely equivalent to the service that can be accessed through consent The pricing of the payment alternative is not unreasonably high, i.e. that the pricing is not so high that the data subject does not really and in practice have a choice between the payment alternative and giving his consent

However, the Danish Data Protection Authority found that Gul and Gratis had not demonstrated that the processing of personal data for statistical purposes was also a necessary part of the alternative to payment.

The company was therefore notified of an order to either be able to demonstrate that this purpose is a necessary part of the alternative to payment, or to adapt the consent solution so that the visitors could give separate consent for this purpose.

Find the decision regarding Jysk Fynske Medier's use of cookie walls here.

Decision

The Danish Data Protection Authority hereby returns to the case where [X] (hereafter complainant) on 5 April 2021 complained to the Danish Authority about GULOGGRATIS.DK A/S' (hereafter GulogGratis) processing of personal data on the website guloggratis.dk, as only he can access the website's content by giving consent to the processing of his personal data or for payment.

The Danish Data Protection Authority initially notes that it is not clear from the case whether GulogGratis has processed the complainant's personal data in connection with the person's visit to guloggratis.dk, and if so, when.

With this decision, the Danish Data Protection Authority therefore takes a position on whether GulogGratis' current processing of personal data about visitors to guloggratis.dk takes place within the framework of the data protection regulation[1].

In this connection, the Danish Data Protection Authority exclusively takes a position on the question of whether GulogGratis' procedure for obtaining consent for the processing of information about website visitors on guloggratis.dk meets the data protection regulation's requirement that consent be voluntary, cf. the regulation's article 4, no. 11.

The matter has been dealt with in the Data Council.

1. Decision

After a review of the case, the Danish Data Protection Authority finds that GulogGratis has not demonstrated that the company's processing of personal data is in accordance with Article 6, paragraph 1 of the Data Protection Regulation. 1, letter a, and article 4, no. 11, cf. the regulation's article 5, subsection 2, cf. Article 5, subsection 1, letter a.

The Danish Data Protection Authority therefore finds grounds to notify GulogGratis of being able to demonstrate that the consent obtained from the visitors to guloggratis.dk meets the data protection regulation's requirement of voluntariness, cf. the data protection regulation's article 4, no. 11.

GulogGratis must be able to demonstrate that the processing of personal data for statistical purposes is a necessary part of the alternative to access for payment. Alternatively, GulogGratis must adapt its solution for obtaining consent, so that it is possible for the website visitors to give separate consent to the processing of personal data for statistical purposes.

The deadline for compliance with the order is 8 March 2023. The Danish Data Protection Authority must request to receive confirmation that the order has been complied with by the same date.

The order is announced in accordance with the data protection regulation, article 58, subsection 2, letter d.

According to the Data Protection Act § 41, subsection 2, no. 4, anyone who fails to comply with an order issued by the Data Protection Authority pursuant to Article 58 of the Data Protection Regulation shall be punished with a fine or imprisonment for up to 6 months. 2, letter d.

Finally, in view of the fundamental questions in the case, which the Data Protection Authority has not previously had the opportunity to take a position on, the Danish Data Protection Authority finds that there is no basis for expressing criticism of GulogGratis in connection with the above.

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

2. Case presentation

It appears from the case that, when the complainant visited the website guloggratis.dk, consent to the processing of personal data was requested via a solution with the following wording:

"Privacy and cookie policy

GulogGratis uses cookies and collects personal data about IP, ID and your browser for statistics and marketing purposes. Information is disclosed to business partners who store and/or access information on your device for the purposes of displaying customized ads and ad measurement, customized content, content measurement, audience insights, and product development. See further info under settings and personal data policy.

You can always change your settings below or withdraw your consent by clicking on the link to "Cookie settings" at the bottom of the page.

We point out that opting out of cookies or personalizing cookie settings is reserved for paying users. By clicking "OK", all cookies are accepted and free access to the website is granted. By clicking "Reject all" the login is allowed to run."

Complainants were presented below with the options "OK", "Reject all" and "Settings".

When choosing "Reject all", complaints were forwarded to a text box with the heading "GulogGratis wants to provide you with good quality content", which was accompanied by the following wording:

"Unfortunately, we cannot run a high-quality marketplace for free. We are therefore dependent on advertising revenue based on data. If you do not want us to collect your data, you can instead pay for access.”

Complainants had the options "Cookie Settings" or "Buy access".

By selecting "Buy access", the complainant was offered access to the content on guloggratis.dk for payment of DKK 29/month. and could at the same time refrain from giving consent to all cookies.

By selecting "Cookie settings", the complainant was directed to a page where the complainant could change his original choice and accept all cookies by selecting "Allow all cookies". On the page, complainants could also choose different purposes (marketing, statistics, functional and special purposes) and choose "Confirm my choices".

When selecting "Confirm my selections", without otherwise choosing all purposes, complaints were directed back to the page where complaints were presented with the option to purchase access to the content on guloggratis.dk.

2.1. GulogGratis' comments

GulogGratis has stated that if a user consents to the use of cookies on guloggratis.dk, personal data about IP address, ID and technical information about the browser used is collected for statistical and marketing purposes.

When a visitor accesses GulogGratis' website, they are greeted by a pop-up where they can choose to consent to the collection of personal data through the use of cookies. If the visitor does not wish to consent to this, he or she can use GulogGratis' online marketplace for a fee.

Use of consent as a basis for processing, cf. the data protection regulation, article 6, subsection 1, letter a, presupposes that it is a voluntary, specific, informed and unambiguous expression of will. In relation to GulogGratis' approach, it is the company's view that the doubt primarily concerns whether the condition of voluntariness has been met.

GulogGratis has stated that the condition of voluntariness must be seen in light of the fact that the visitor must have a choice and control over information about himself. Consent cannot therefore be considered voluntary if the visitor does not have a real or free choice.

The use of a consent solution, where access to the content is conditional on the visitor giving consent to personal data processing that is not strictly necessary for the provider to provide the service in question to the visitor, according to the European Data Protection Board, does not meet the data protection regulation's requirement for a valid consent. The situation is different if the website visitor is offered a real choice and can, for example, access the same content without having to give consent to the processing of personal data. In this connection, GulogGratis has referred to an example from the European Data Protection Board's guidelines on consent[2].

It is GulogGratis' assessment that the method for processing information about website visitors that GulogGratis has implemented meets the requirement of voluntariness. In this connection, GulogGratis has emphasized the following:

The procedure clearly informs about the two options No cookies are placed before the visitor has consented to this The payment required for access is not disproportionately expensive (DKK 29/month) This is similar content with and without consent There is the possibility for visitors to choose between several purposes. There is no harm or disadvantage in rejecting or withdrawing consent

GulogGratis has stated below that the company's assessment is also supported by a decision from the Austrian data supervisory authority regarding the news media "Der Standard". As the data protection regulation applies throughout the EU and uniform practice throughout the EU is intended, the rules should be applied consistently and uniformly throughout the Union as described in preamble recital no. 10 of the regulation.

The ruling by the Austrian Data Protection Authority concerned a news outlet that did not offer free access to content without consent to the collection of personal data for marketing purposes, but instead gave visitors a choice between giving consent or paying for access without the use of cookies. The Austrian data supervisory authority found that the news media Der Standard's consent solution met the requirement of voluntariness and emphasized in the decision:

that the two options were clearly stated that no cookies were placed before the user had agreed to cookies that the payment was proportionate and not disproportionately high that it was a question of equivalent services with and without consent that the paid access did not involve targeted advertising.

Finally, GulogGratis has stated that a lack of consent must not cause damage or inconvenience, for example in the form of negative consequences for a registered person who does not want to give consent. If the price for the paid access is disproportionately high, this could be an obstacle to the consent being considered valid. GulogGratis also does not have the ability to operate a high-quality online marketplace for free. GulogGratis is therefore dependent on income. Part of this revenue comes from advertising revenue. If a user wants access to GulogGratis' service without giving consent, payment for access without the collection of personal data through the use of cookies is set at DKK 29/month, which the company considers a modest and proportional payment for one month's access to everything content on the website.

2.2. Complainant's comments

The complainant has generally stated that he believes that the method that GulogGratis uses on guloggratis.dk is not legal, as the company, in the complainant's view, forces visitors to accept all of the website's cookies if the visitors want to use the website without payment.

It is the complainant's opinion that GulogGratis forces website visitors to either "sell" their private information or to pay with money, and that the consent cannot therefore be considered voluntary.

3. Reason for the Data Protection Authority's decision

3.1. Relevant legal regulations

This appears from the data protection regulation's article 6, subsection 1, letter a, that the processing of personal data is lawful if the data subject has given consent to the processing of information about the person concerned for one or more specific purposes.

A consent is defined in Article 4, No. 11 of the Data Protection Regulation as any voluntary, specific, informed and unequivocal expression of intent whereby the data subject, by declaration or clear confirmation, consents to the processing of personal data concerning the person concerned.

Consent will not be given voluntarily if the data subject does not have a real or free choice and control over information about himself. Any form of inappropriate pressure on or influence on the data subject's free will means that the consent is invalid.

A data controller can to a certain extent motivate the registered to give consent by the fact that there is an advantage associated with consent. Enrollment in a business benefit program may, for example, involve discounts, which motivate the customer to give consent to receive advertising material from the business. The discount or the benefits that a consent to a benefit program entails do not exclude that the consent can be considered to be voluntary.

However, it is important to be aware of whether a lack of consent entails negative consequences for the registered person who does not want to give consent, e.g. in the form of additional costs.[3]

From the European Data Protection Board's guidelines 5/2020[4] it appears, among other things, the following about the condition of voluntariness:

"37. The data controller can claim that his or her organization gives the data subjects a real choice if they can choose between a service that implies consent to the use of personal data for additional purposes and a similar service offered by the same data controller, which does not imply consent to the processing of personal information for additional purposes. As long as there is an opportunity to have the contract fulfilled or the service covered by a contract delivered by the data controller without giving consent to the second or further use of the personal information, this is not a conditional service. However, the two services must be identical.

38. The Data Protection Board does not believe that consent can be considered to have been given voluntarily if a data controller claims that a choice can be made between the data controller's service, which includes consent to the use of personal data for additional purposes, and a similar service offered by a other data controller. In this case, the freedom of choice would depend on what other market players do and whether the data subject finds the other data controller's services completely identical. It would also oblige data controllers to monitor market developments to ensure that consent to their data processing activities remains valid, as competitors may subsequently change their services. Based on this argument, consent based on an alternative provided by a third party is not in line with the GDPR, meaning that a service provider cannot prevent data subjects from accessing a service on the grounds that they do not have given consent.

39. In order for consent to be considered to be given voluntarily, access to services and functions must not be conditional on a user's consent to information being stored or access to information already stored in a user's terminal equipment being obtained (so-called cookie walls).

40. Example 6a: A website provider creates a script that prevents content from being visible, with the exception of a request to accept cookies and information about which cookies are inserted and for which purposes the data will be processed -easy. It is not possible to access the content unless you click on the "Accept cookies" button. Since the data subject has no real choice, his or her consent is not given voluntarily.

41. This is not a valid consent, as the provision of the service depends on whether the registered person clicks on the "Accept cookies" button. The data subject does not have a real choice.”

3.2. Is valid consent obtained?

It is the Danish Data Protection Authority's overall assessment that GulogGratis' approach, whereby the website visitor - either by giving consent to the processing of personal data or for payment - can access the content on guloggratis.dk, meets the data protection regulation's requirement for voluntary consent, cf. the regulation's article 6, PCS. 1, letter a, cf. article 4, no. 11.

The Danish Data Protection Authority has in particular emphasized that GulogGratis, with the procedure in question, offers an alternative to consent to the processing of personal data in the form of access in exchange for payment of DKK 29/month, that payment gives access to a service that is largely equivalent to the service that the visitors can access against consent, and that the pricing of the payment alternative is not unreasonably high, i.e. that the pricing is not so high that the registered person does not really and in practice have a choice between the payment alternative and giving his consent.

Failure to give consent therefore, in the Data Protection Authority's view, does not entail negative consequences for the visitors, and the method that GulogGratis uses to obtain the visitors' consent must therefore be considered to fulfill the requirement of voluntariness.

However, the Danish Data Protection Authority finds that GulogGratis has not demonstrated that the website visitors' consent to the processing of personal data, also for statistical purposes, is a necessary part of the alternative to paid access.

The Danish Data Protection Authority has emphasized that GulogGratis has only stated that GulogGratis is dependent on income in order to run a high-quality online marketplace, and that part of this income comes from advertising income, and that GulogGratis has not given reasons in which to the extent that processing of personal data for statistical purposes is also necessary for this.

Considering that GulogGratis has not assessed and demonstrated the extent to which it is necessary – as an alternative to access against payment – to obtain consent for the processing of personal data for statistical purposes, the Danish Data Protection Authority finds that GulogGratis has not demonstrated that the data protection regulation's requirement of consent voluntariness is fulfilled and thus that the processing is legal, cf. the regulation's article 6, subsection 1, letter a, and article 4, no. 11, cf. the regulation's article 5, subsection 2, cf. Article 5, subsection 1, letter a.

On this basis, the Danish Data Protection Authority finds grounds to issue GulogGratis with an order to be able to demonstrate that the consent obtained from the visitors to guloggratis.dk meets the data protection regulation's requirement that consent be voluntary, cf. the data protection regulation's article 4, no. 11.

GulogGratis must be able to demonstrate that the processing of personal data for statistical purposes is a necessary part of the alternative to access for payment. Alternatively, GulogGratis must adapt its solution for obtaining consent, so that it is possible for the website visitors to give separate consent to the processing of personal data for statistical purposes.

The deadline for compliance with the order is 8 March 2023. The Danish Data Protection Authority must request to receive confirmation that the order has been complied with by the same date.

The order is announced in accordance with the data protection regulation, article 58, subsection 2, letter d.

According to the Data Protection Act § 41, subsection 2, no. 4, anyone who fails to comply with an order issued by the Data Protection Authority pursuant to Article 58 of the Data Protection Regulation shall be punished with a fine or imprisonment for up to 6 months. 2, letter d.

Finally, in view of the fundamental questions in the case, which the Data Protection Authority has not previously had the opportunity to take a position on, the Danish Data Protection Authority finds that there is no basis for expressing criticism of GulogGratis in connection with the above.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).

[2] European Data Protection Board, Guidelines 5/2020 on consent under Regulation 2016/679, v. 1.1

[3] The Danish Data Protection Authority's guidance on consent, section 2.3.

[4] Guidelines 05/2020 regarding consent according to regulation 2016/679, v. 1.1., page 12.