The Conference of Independent Federal and State Data Protection Authorities (DSK) recently issued a decision regarding so-called pure subscription models on websites. These models concern the tracking of user behavior. The DSK has now decided that the tracking of user behavior can in principle be based on consent if a tracking-free model is offered as an alternative, even if this alternative is subject to payment.
However, the service that users receive under a paid model must be an equivalent alternative to the service obtained through consent. The consent must also meet all the effectiveness requirements laid down in the General Data Protection Regulation (GDPR), in particular the requirements listed in Art. 4 No. 11 and Art. 7 GDPR.
Whether the payment option is to be regarded as an equivalent alternative to consent to tracking depends in particular on whether the user is given equivalent access to the same service for a fee customary in the market. Equivalent access generally exists if the offers cover the same service, at least in principle.
If users take advantage of the offer within the scope of a “tracking-free” subscription and do not give any additional consent, then, in accordance with Section 25 (2) 1 of the Telecommunications and Data Protection Act (TTDSG), only those storage and readout processes may be carried out that are absolutely necessary for the telemedia service they have expressly requested. Subsequent processing of personal data is only permitted if the requirements of the GDPR, in particular the legal permissions pursuant to Art. 6 Para. 1 GDPR and, depending on the individual case, Art. 9 GDPR, are fulfilled.
The effectiveness of consent from non-subscribers must be ensured in the case of so-called pure subscription models. Where there are multiple processing purposes that differ substantially, the requirements for voluntariness must be met by allowing consent to be granted on a granular basis. Among other things, this means that users must be able to actively select the individual purposes for which consent is to be obtained (opt-in). Bundling of purposes can be considered only if the purposes are very closely related. Blanket overall consent covering such different purposes cannot be effectively granted.
In addition, the consents must meet the other requirements of the GDPR, in particular those relating to transparency, comprehensibility and information for the data subjects from Art. 4 No. 11 and Art. 7 Para. 2 GDPR.
As a lawyer, I can assist in drafting or reviewing T&Cs and privacy statements to ensure that they comply with the requirements of the GDPR. Particularly when obtaining consent, it is important to observe the requirements of the DPA and the GDPR in order to avoid legal conflicts and fines.
In summary, the DSK’s decision regarding pure subscription models on websites is an important clarification regarding obtaining consent. Companies should comply with it in order to avoid legal conflicts and to strengthen the trust of their users with regard to the protection of their personal data.