The imminent disappearance of third-party cookies and Google's announcement of its new Anti-Tracking Protection feature, which will come into effect from January 2024, have led many developers and websites to look for alternatives to build their own user databases so that they can continue generating income.
Recently, elDiario.es has been involved in a controversy over a banner that offered its users two options: browsing for free without advertising, for which cookies must be accepted; or browsing without advertising in exchange for a paid subscription starting at 1 euro per week.
This situation has caused various reactions from some users on X, who have been confused about whether this practice is legal or not, according to the General Data Protection Regulation (GDPR).
Is this even legal under the GDPR? Paying to not accept cookies? 🤔 Paying for access would be another matter, fine, but accept cookies or pay? pic.twitter.com/j0dsvmc1u1
— José M. Alarcón Aguín 🌐 (@jm_alarcon) December 9, 2023
Legal or illegal?
While it is true that many websites can survive thanks to third-party cookies, which allow them to display advertising and personalized ads to their audiences, the user cannot be denied the right to reject them when entering a site and the button must be visible enough.
However, the new Guide published in July by the Spanish Data Protection Agency (AEPD) specifies that there may be some websites on which non-acceptance of third-party cookies may prevent access to the website or content, but in this case the user must be correctly informed and offered an alternative, which does not necessarily have to be free.
Although from this perspective El Diario’s practice could be legal, the AEPD has begun a more in-depth investigation to clarify the case. To have a more technical view on this matter, we have asked Paula Ferrándiz, eIP&IT Lawyer, at LetsLaw, who has offered us a fairly complete explanation of the situation:
«First of all, we must indicate that the General Data Protection Regulation (GDPR) gives users the right to reject the use of cookies, whether they are technical cookies, necessary for the operation of the website, or third-party cookies, used for marketing or analytics purposes. With the new modification introduced in the Guide for the Use of cookies, the European Data Protection Committee requires that the option to accept and reject cookies be implemented in the same way, preventing the reject button from being hidden. The deadline established to implement these changes ends on January 11, 2024.
Secondly, in accordance with the commotion caused among Internet users by the inclusion of a paid banner to reject cookies, we must point out that the new Guide published by the Spanish Data Protection Agency (AEPD) in July 2023 leaves this possibility open (with nuances): “There may be certain cases in which non-acceptance of the use of cookies prevents access to the website or total or partial use of the service, provided that the user is adequately informed about this and an alternative, not necessarily free, is offered to access the service without having to accept the use of cookies. As established by Guidelines 05/2020 on the consent of the CEPD, the services of both alternatives must be genuinely equivalent, and it will also not be valid for the equivalent service to be offered by an entity other than the publisher.”»
In any case, the case has many nuances. As Paula explains to us, «However, as the Guide indicates, “there may be certain assumptions”, so it is not applicable to every situation, nor in any way. The AEPD has initiated an investigation into this practice, warning that this practice may be illegal and that it may be sanctioned with fines of up to 20 million euros or 4% of the annual global business volume.
From our perspective, a priori, we understand that no basis of legitimation of article 6 GDPR seems to support the legitimacy of the processing of personal data necessary to offer behavioral advertising in these circumstances. Therefore, our precautionary recommendation is to avoid this system and, to the extent that we have more information regarding the position adopted by the competent bodies regarding data protection, we will inform you.