Bundling consent under GDPR is a problem because of art. 7(4) GDPR. This subsection requires the data protection authority to take «utmost account […] of whether […] the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.», when it assesses whether the data subject's consent was freely given (and thus whether the consent is valid).
Recently, the Supreme Courts of Austria and Italy have expressed different views on whether this wording implies an absolute prohibition to bundle consent (Austria's position) or rather a presumption that can be rebutted by showing for example that the user would have been free to obtain the services elsewhere (Italy's position). We have reported these cases here.
The answer to whether you can bundle consent or not is particularly pressing in the field of journalism. Different news outlets have taken a "consent-or-pay" approach when it comes to asking their users to consent to tracking measures. This model requires the users to pay a subscription fee if they want to access the online articles without tracking cookies being stored and processed on their computer.
Such an approach has been implemented by the Washington Post but also by European newspapers, like the Austrian newspaper Standard (www.derstandard.at).
As reported by The Register, in a warning recently issued to the Washington Post, the ICO has now followed the strict Austrian case law on the bundling issue. It held that the "consent-or-pay" mechanism, which Washington Post implements and which you can see above, did not comply with the GDPR because it did not provide for a «free alternative to accepting cookies».
Sooner or later, the interpretation of art. 7(4) GDPR is hopefully going to be the subject of a judgment by the Court of Justice of the European Union. Until then, nobody really knows the precise nature of this provision although there are good arguments to corroborate the view that it provides only for a rebuttable presumption.
Meanwhile, all data controllers should confirm if consent is the appropriate basis for a particular processing operation. As this case and other cases show, the data protection authorities are applying a high threshold to ascertain if consent has been given validly or not.