According to a recent decision by the Lower Saxony Data Protection Authority (LfD), the popular German-language tech news site heise.de has been found to be operating illegally with its “Pay or Accept” approach. This ruling has significant implications for other German news pages that employ similar models on their websites.
The “Pay or Accept” model used by heise.de required users to choose between paying a monthly subscription fee or allowing their personal data to be processed for advertising and various other purposes. However, the LfD deemed this approach illegal under the law. This follows a similar decision made earlier this year by the Austrian Data Protection Authority (DSB) regarding an Austrian news page.
The LfD’s ruling was based on the fact that heise.de did not provide users with the option to give specific consent for certain purposes, as required by guidelines set forth by the Conference of German Data Protection Authorities (DSK). The lack of transparent and specific consent raised concerns among data protection experts, who argue that users should have the ability to control how their personal data is used.
Felix Mikolasch, a data protection lawyer at noyb, stated that common “Pay or Accept” solutions are essentially a “take it or leave it” system, where users must either agree to everything or pay. He emphasized that the General Data Protection Regulation (GDPR) requires specific consent for each type of processing. While Mikolasch welcomed the LfD’s decision, he also expressed concern about whether a mere reprimand would deter others from using such approaches in violation of GDPR requirements.
Further investigation conducted by the LfD revealed additional issues with heise.de’s practices. The website was found to process user data as soon as it was opened without requiring any action from the user. Additionally, it was determined that consent given by users was not sufficiently informed, specific, or freely given. The LfD also noted that revoking consent was not made easy, which further undermined the legality of data processing activities.
In addition to these issues, concerns were raised about the disproportionate costs associated with heise.de’s “Pay or Accept” solution. According to estimates by noyb, it is significantly more expensive for users to protect their privacy than it is for the company to process their data. Furthermore, signing up for the paid subscription was found to be much more complex compared to simply consenting to being tracked.
Despite the LfD’s decision, heise.de has implemented an even more complicated banner on its website. Users are now presented with two layers of options: in the first layer, they can either pay a monthly fee or give their consent; and in the second layer, they can opt out of all purposes except advertising. However, studies have shown that only around 2 percent of users proceed to the second layer of a cookie banner, effectively limiting their ability to decline other purposes.
Felix Mikolasch from noyb criticized this new approach and suggested that it undermines the LfD’s decision. He vowed to continue fighting against such practices and called for stronger measures against “Pay or Accept” models that conflict with GDPR requirements.
The implications of this ruling extend beyond heise.de and serve as a warning for other German news pages using similar approaches. It highlights the importance of obtaining specific and transparent consent from users while also considering their right to protect their personal data without facing exorbitant costs.