One of the largest German-language tech news sites, heise.de, made users choose between paying for a monthly subscription or having their personal data processed for advertising and many other purposes. The Data Protection Authority of Lower Saxony (LfD) decided that their “Pay or Okay” approach from 2021 was unlawful. This is yet another blow to news outlets that use such a model on their websites, after the Austrian Data Protection Authority (DSB) declared the implementation on an Austrian news page unlawful earlier this year.
In line with the Austrian DSB, the LfD declared the “Pay or Okay” solution used on heise.de in 2021 illegal and issued a reprimand. Although it took the view that “Pay or Okay” could be permissible in principle, it found that the approach taken by the news outlet didn’t comply with the law because it didn’t provide the option to specifically consent to certain purposes – a decision that’s in line with the guidelines of the Conference of German Data Protection Authorities (DSK). In March 2023, the DSK explicitly expressed its concern about the lack of specific and transparent consent on websites using “Pay or Okay” models, while not questioning the broader issue of users having to pay exorbitant prices to keep their personal data private.
Felix Mikolasch, Data Protection Lawyer at noyb: “Common ‘Pay or Okay’ solutions are a ‘take it or leave it’ system, where you have to consent to everything or pay. The GDPR requires ‘specific’ consent to each type of processing. We welcome the decision, but after years of violating the law, a reprimand is not an adequate solution for obscure ‘Pay or Okay’ systems. A mere reprimand is not going to deter others from choosing this approach.”
According to additional research by the LfD, heise.de processed the user’s personal data as soon as the website was opened. No action was required for the website to do so, meaning heise.de set tracking cookies before a user could even give their consent.
In addition to the issues around “Pay or Okay”, the LfD pointed out that heise.de used unlawful and methodical nudging to influence users for its own benefit. The LfD also found that the user’s consent was not informed, specific or freely given. Furthermore, it wasn’t easy enough to revoke previously given consent at a later point in time – leading the LfD to conclude that there was no legal basis for processing the user’s data.
In its complaint to the LfD, noyb also raised the concern that the costs for the “Pay or Okay” solution on heise.de are extremely disproportionate. According to noyb’s internal estimates, it is 428 times more expensive for users to protect their privacy than what the company earns by processing their data. In addition, noyb raised the concern that signing up for the paid subscription is substantially more complicated than simply “consenting” to being tracked. All of these issues were ignored in the LfD’s decision.
Felix Mikolasch, Data Protection Lawyer at noyb: “We think there are more reasons why a ‘Pay or Okay’ solution conflicts with the GDPR, but the DPA already found the system from 2021 to be unlawful on other grounds.”
In the meantime, heise.de has reacted to the LfD's decision and moved to an even more complicated banner: On the first layer, users have the option of either paying € 4.95/month or consent to. Only on the second layer can they choose to reject all purposes except advertising. The problem: According to studies, only about 2 percent of website users go to the second layer of a cookie banner – meaning that almost no one will see the option to reject any other purpose.
Felix Mikolasch, Data Protection Lawyer at noyb: “It seems that the LfD's decision has already been overtaken by the latest version of the ‘Pay or Okay’ banner. We will of course go back to the LfD and continue to fight this practice.”