The Price of Privacy: How Paywalled Cookie Banners are Redefining Digital Revenue Streams

Since the GDPR came into being, we've all become familiar with cookie banners on our favourite websites. They allow us to customise the amount and type of data we feel comfortable sharing before using a site. Recently a number of major European publishers have rolled out some very interesting changes to better monetise people who don't want to share their data. Now users who don't want to share their data are being asked to pay a subscription instead to get access. This "Pay or OK" model is an attempt to offset the lower revenue publishers get when advertisers can't access user data.

Is this a legal move under the GDPR - blocking access unless data is shared or a subscription bought? Is it a better deal for privacy-conscious users who want to see their favourite ad-supported sites survive? And what price are these publishers putting on the privacy of their users?

Introduction

Consent Management Platforms (CMPs), or "cookie banners", have become a common feature of websites throughout Europe and beyond in recent years. These CMPs allow users to accept all cookies a website wishes to use, reject them all, or fine-tune their consent to allow only some cookies. Cookies are used for things like remembering logins to sites, but can also be used for building a profile, which can be sold to advertisers.

A typical consent management pop-up

For many ad-supported online publications, users refusing to consent to cookies used for personalised advertising can lead to a significant drop in ad revenue. Depending on the site niche and userbase, personalised ads can deliver in the region of 50% more revenue than the non-personalised kind. The legislation which led to the creation of these CMPs state that it's not legal to outright block someone who says "no" to their data being shared, so what can publishers do to try to fill this revenue gap when they see users declining consent? A number of large European publications have begun changing their CMPs in an effort to plug this gap. Rather than the traditional "Accept" and "Reject" buttons, the options on these sites are now closer to "Accept" and "Reject tracking by paying a small fee". The "Reject" option is modified to ask users to make up the difference in lost revenue by paying a small amount to gain access.

Pay to continue without tracking cookies - bild.de example

It's an interesting approach from publishers struggling in a cut-throat market, but is it legal?

Where did the cookie banners come from?

Cookie banners come from two pieces of European legislation:

• ePrivacy Directive: This directive deals specifically with privacy in electronic communications. It introduced specific requirements for obtaining user consent for storing and accessing information on a user's device, including the use of cookies.
• General Data Protection Regulation (GDPR): This is a comprehensive data protection law which significantly strengthened the rules on personal data and privacy in the EU, including stricter requirements for consent. Under GDPR, consent must be clear, informed, freely given, specific, and unambiguous, which further influenced the design and functionality of cookie banners to ensure compliance.

Between them, these pieces of legislation mandate that consent should be both informed and "freely given". Informed consent means that it's clear to a user what they're agreeing to. "Freely given" means that they're not forced into given consent by the threat of losing access to the underlying service. This means that publishers can't block access to the site based solely on the non-acceptance of non-essential cookies - known as a "cookiewall".

Problems for publishers?

The challenge many publishers face is that they are largely ad-supported. Display ads tend to pay much better when they act on more data for targeting ads. Unfortunately this typically involves sharing data with a huge network of potential advertisers, ad networks, and middlemen in the technical stacks involved. Many users would prefer this data not be shared - products from that one accidental click on amazon following you around via ads on other sites can be an unsettling experience!

This leads to a scenario where a number of users will reject consent for cookies. Publishers have a choice between adapting their site code to show less lucrative ads, or in some cases a simpler technical choice of showing no ads at all - neither of which are great for the continued financial well-being of the publisher.

The revenue struggles here have led a number of publishers to attempt to skirt the legislation, by making the "Reject" option hard to find, or confusingly-labelled. The various Data Protection Commissioners (DPCs) around Europe have reiterated that consent should be prominent and as easily given as withheld. These publishers largely make the bet that it's best to stay alive via the increased revenue from personalised ads and deal with a potential DPC investigation if and when that happens.

New Developments: The Paywall Approach

In response, publishers in countries like Spain and Germany have introduced a novel concept, linking a paywall to the "reject" option. On websites such as elpais.es and bild.de users are presented with a stark choice: accept cookies or pay a small fee to access content. This fee works like a paywall, giving access to a version of the site without tracking cookies, or in many cases, any display ads at all. This model, while controversial, has opened up a potentially-valuable new revenue stream for publishers. Alberto Martín, a PM with Axel Springer in Spain, has written a great thread which goes into the choices made in the Spanish market in particular.

El Pais "Pay and Reject Cookies" option

Online news publishers aren't the first to try this move in Europe - it's a similar approach to the model taken by Facebook, who now charge EU users for ad-free access to Instagram and Facebook.

This increased revenue is potentially good news for publishers. But is it strictly legal? Does it count as a restriction in access for users who don't consent?

Legal Perspectives and Varied Responses

This approach seems to tread a fine line legally, particularly concerning the GDPR's principle of 'freely given' consent. In Spain, the AEPD has tentatively approved this model under specific conditions.

There may be certain cases in which the non-acceptance of the use of cookies prevents access to the website or the full or partial use of the service, provided that the user is adequately informed and an alternative, not necessarily free, is offered for accessing the service without accepting the use of cookies.

The Austrian, French and Danish DPAs have already indicated that the paywall system is a valid solution as long as the subscription to the site has a modest and fair cost so that it does not constrain the user’s free choice. The definition of "modest and fair" is not laid out, but is consistent with what the Spanish authorities have said.

This means that publishers are not obliged to support more costly, cookie-free users at no additional charge, but by the same token have to be reasonable in the alternatives they offer. "Reject all cookies for €1m per month" would be a pretty unreasonable alternative to cookie acceptance. Well, maybe not if you're running a lifestyle magazine for billionaires, but for most of us, that level of pricing would certainly not pass the sniff test!

While the authorities listed above have been broadly supportive in theory, by contrast, in Germany there has already been an explicit ruling against this type of implementation:

The LfD found that the consent banner used on heise.de in July 2021, did not provide granular consent options. Instead, users were asked to provide blanket consent by clicking the “Accept” button. In this case, blanket consent refers to a situation where users provide a general consent that encompasses all purposes without being able to make individual choices for each specific purpose.

A key note in this decision is that the publishers presented only "Accept" or "Reject and pay"-type options. The German authorities found fault with the way the options were presented. There was a lack of a middle-ground option, to give fine-grained consent - accepting some cookies and refusing others.

From the excellent write-up at Iubenda.com:

The key takeaway from the DSB’s decision is that if a “pay or okay” system is used, users should have the option to give granular consent instead of just a general one. It’s important to note that the DSB reached this decision specifically because users were only given a choice between paying or allowing all their data to be processed without the option for more granular consent.

A number of other European DPCs have remained silent to date, highlighting the challenge of ensuring consistent compliance across the whole region.

Future Implications

As we can see from the guidance above, publishers need to be careful about how these approaches are worded, presented, and implemented. A variety of opinions from different Data Protection authorities means it's important for publishers to stay on top of the prevailing winds within the legislative ecosystem. This is certainly an area that will be easier for larger publishers to navigate, given the superior resources they'll have to hand.

Integration of a paywall into user consent choices raises critical questions about the future of online advertising and the extent to which user privacy can be traded for content access. Will this lead to a more privacy-conscious internet, or create a divide between those who can pay for privacy and those who cannot? As publishers and users continually adapt to an ever-changing digital landscape, it's important that a balance be struck between respecting the privacy of users, and giving publications a viable path to monetise their content.