The Danish Data Protection Authority has made two important decisions regarding cookies and consent. The topic is the consent requirements in Article 4 of the GDPR.
In one case, the Data Protection Authority decided that access to a website can be conditioned by either consenting to cookies for marketing and statistics or by actually paying for the service. The price for access was so low that the Data Protection Authority believed that the data subject had a real choice. At the same time, the Data Protection Authority stated that the use of information for statistics was not a necessary part of the alternative to payment and the company was ordered to either substantiate such necessity or allow for separate consent.
The Data Protection Authority's opinion is that visitors to a website, under certain conditions, can be considered to have a real and voluntary choice when the website offers visitors content against obtaining consent to the processing of personal data, as long as the company also offers an alternative way of accessing the content that does not involve the processing of personal data. However, this requires that the content offered by the company must be largely the same, regardless of whether the visitors give consent or, for example, pay to access the content or service.
This is a bit intricately worded in the decision, but I understand it to mean that they cannot "bundle" statistics production into the consent solution and that a separate consent is required for this, or that they have to demonstrate the "necessity" they have for using the information. It is somewhat unclear whether the requirement of necessity is then linked to consent or to the use of a legitimate interest – presumably it is the latter.
The second case concerned the sharing of articles in a newspaper with friends. The reader could share articles either by consenting to cookies for marketing and statistics or by taking out a subscription. The Data Protection Authority has the following important statements in the decision:
"A consent is not given voluntarily if the data subject does not have a real or free choice and control over information about him-/herself. Any form of inappropriate pressure or influence on the data subject's free will means that the consent is invalid.
A data controller can to a certain extent motivate the data subject to give consent by the fact that there is an advantage associated with consent. Membership in a company's loyalty scheme can, for example, involve discounts that may motivate the customer to consent to receiving advertising material from the company. The discount or the benefits that a consent to a loyalty scheme entails do not exclude that the consent can be considered to be voluntary.
However, it is important to be aware of whether a lack of consent entails negative consequences for the data subject who does not want to give consent, e.g., in the form of additional costs."
Here, the Data Protection Authority found that it was not a genuine consent, as the services were not the same in scope depending on whether one paid or consented. The Data Protection Authority emphasized that by consenting users gained access to share "unlocked" articles, while by paying they gained access to all articles. Because these were not comparable services, they did not consider the consent to be a free choice.
Also in this case, the Data Protection Authority could not see that statistics were a necessary part of the alternative to payment.
Both cases are mentioned on the Danish Data Protection Authority's website here: https://www.datatilsynet.dk/pr....