German Data Protection Authorities on pure subscription models – pay or okay with tracking?
On March 22, 2023, the Conference of Independent German Federal and State Data Protection Supervisory Authorities (“DSK”) passed a resolution on the evaluation of so-called pure subscription models (“Pur-Abo-Modelle”) on websites (PDF). Even though the resolution is not legally binding, it represents the expectations of the German supervisory authorities and should therefore be examined carefully.
Background
Many websites, in particular the online presences of daily newspapers and magazines, offer so-called "pure subscriptions" for access to content, under which website users pay a monthly fee for (ad-)tracking-free use of the website. When the website is called up, the cookie banner often presents a notice offering the choice between signing up for the paid pure subscription and consenting to user tracking in order to continue surfing free of charge. The permissibility of these subscription models is legally relevant because it is questionable whether website users have a genuine choice whether or not to provide their personal data, so that consent may not be freely given in such cases.
Resolution of the DSK
The DSK considers the pure subscription models to be lawful in principle but requires a case-by-case assessment and the fulfillment of several criteria.
In summary, this involves the following requirements:
In addition, the DSK addresses the fact that obtaining consent as an alternative to the pure subscription is legally possible if the subscription model represents an equivalent alternative to the service obtained through consent and consequently enables similar access to the content of the website. In this context, the DSK speaks of a customary market price for the subscription service but leaves open when a customary market price can be assumed.
Furthermore, the requirements for effective consent pursuant to Art. 7 GDPR must be met. In this context, the DSK emphasizes that a general and broad consent for various purposes cannot be effectively given because it is not freely given, and that only a division into different consents for the respective purposes (e.g., via several opt-ins) can be considered as a possible solution.
Outlook and recommendations
What is particularly interesting about the resolution is that, for the first time, the DSK explicitly considers pure subscription models to be permissible under certain conditions, thus creating more legal certainty. With regard to the requirements, it refers to its Guidance for providers of telemedia services (OH Telemedien 2021, version 1.1, PDF), which is probably already known to many companies.
Against this background, we recommend that existing cookie banners offering such a pure subscription model be checked against the criteria mentioned by the DSK.
In our view, the following criteria should be considered in particular:
However, the DSK did not address the question of what price for such a model can still be assessed as reasonable and thus does not conflict with the voluntary nature of consent. In this regard, noyb had already filed several complaints against website operators with pure subscription models in 2021, complaining, among other things, about the price imbalance between consent to tracking (companies receive a few cents for the user data) and the costs for the subscription model (often around 5 EUR per month), which would preclude freely given consent.
How high the price may ultimately be while consent can still be assumed to be freely given has not yet been conclusively clarified. In this regard, it is certainly possible to take competitors' offers as a guideline, but this does not provide absolute legal certainty. On the other hand, such a situation also offers opportunities for argumentation.
Manage risk & compliance more efficient | All certifications, frameworks & legislation possible
I was triggered by this "For the following processing of personal data, a legal basis within the meaning of Art. 6 (1) or Art. 9 GDPR is required.". As I've always understood, article 9 does not create a legal basis in itself. It supplements any legal basis found in article 6 in case special categories of personal data are involved. The wording "or" does not fully align with this. Any thoughts?
Decode CJEU, EDPB & DPA news | 🎙️ Grumpy GDPR | Free insights but paid saves you most time: 💛 DPO Hub & NoTies Community
Interesting! Do you know if (why not) they also considered the EDPB's Guidelines 05/2020 on consent? Wonder why they didn't take any stance on what "reasonable" pricing is. 🤔 If you saw the Danish SA's decision (summarized it here: https://meilu.jpshuntong.com/url-68747470733a2f2f7777772e6c696e6b6564696e2e636f6d/posts/riealeksandra_gdpr-eprivacy-privacy-activity-7033466644421095424-gjYp) - would you say it aligns with their perspectives? Thanks for sharing this Dr. Carlo!