Bundling Consent and GDPR - The UK's ICO position

Simon Roth
Simon Roth

We have recently reported the problems that may arise when you bundle consent under GDPR, i.e. make your willingness to provide a service contingent upon the user's consent to the processing of personal data (in the form of, say, cookies). The Information Commissioner Office (ICO), the UK's privacy watchdog, has now taken a strict approach to this issue in a warning given to the Washington Post.

Bundling consent under GDPR is a problem because of art. 7(4) GDPR. This subsection requires the data protection authority to take «utmost account […] of whether […] the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.», when it assesses whether the data subject's consent was freely given (and thus whether the consent is valid).

Recently, the Supreme Courts of Austria and Italy have expressed different views on whether this wording implies an absolute prohibition to bundle consent (Austria's position) or rather a presumption that can be rebutted by showing for example that the user would have been free to obtain the services elsewhere (Italy's position). We have reported these cases here.

The answer to whether you can bundle consent or not is particularly pressing in the field of journalism. Different news outlets have taken a "consent-or-pay" approach when it comes to asking their users to consent to tracking measures. This model requires the users to pay a subscription fee if they want to access the online articles without tracking cookies being stored and processed on their computer.

Such an approach has been implemented by the Washington Post but also by European newspapers, like the Austrian newspaper Standard (www.derstandard.at).

As reported by The Register, in a warning recently issued to the Washington Post, the ICO has now followed the strict Austrian case law on the bundling issue. It held that the "consent-or-pay" mechanism, which Washington Post implements and which you can see above, did not comply with the GDPR because it did not provide for a «free alternative to accepting cookies».

Sooner or later, the interpretation of art. 7(4) GDPR is hopefully going to be the subject of a judgment by the Court of Justice of the European Union. Until then, nobody really knows the precise nature of this provision although there are good arguments to corroborate the view that it provides only for a rebuttable presumption.

Meanwhile, all data controllers should confirm if consent is the appropriate basis for a particular processing operation. As this case and other cases show, the data protection authorities are applying a high threshold to ascertain if consent has been given validly or not.

More Blog posts

Team Up
You have a project, case, legal issue or anything else you want to ask us? We are passionate to find out how we can team up with you to get it done.
Let's get in touch