The first option, redirect, is not GDPR-compliant, because then the "consent" cannot be considered freely given, and thus is not valid.
The second option is really borderline, and could work out for a US-only news website, for example (arguing it doesn't cater to European residents), but would be non-compliant for a business which knowingly serves European residents.
> The first option, redirect, is not GDPR-compliant, because then the "consent" cannot be considered freely given, and thus is not valid.
I don't quite understand the reasoning on that one. In Europe, and pretty much everywhere else, there are a bazillion interactions every day in the form of one party offering to provide some good or service only if the other party agrees to something.
For example, the grocery store will only give me food if I agree to let them charge my credit card.
Why is consent considered freely given when I give someone money for a good or service because if I do not do so they will not provide the good or service, but not freely given when I click "agree" on a privacy policy disclosure because if I do not do so they will not provide the good or service?
Basically, GDPR forbids bartering of PII/tracking information with goods and services.
Why? Presumably because most users don't see the real cost of giving away their personal data (either they never recognize the cost, or see it too late).
To make sure this is held up, the GDPR uses some tools; one is that consent must be freely given, the other is a ban on tie-in sales: you cannot demand PII from users that isn't necessary for the service you provide.
If you provide news or stories as a service, you cannot demand location data from your users, because you can provide the service without that.
So, obviously, I Am Not a Lawyer, but this seems easy to explain: when you go to the grocery store and buy something, you tacitly enter into a contract (which is exchanging money for food), where both parties agree.
For someone to use your personal information, they need to have one of the 6 legal bases to do so under the GDPR. One of those legal bases is to have a contract with you (in which case, the contract will define what's allowed and what's not). Another of those legal bases is "consent", which is the one most discussed, as it is generally the only one ads can hope to use, so let's ignore the 4 others (legitimate interest, public interest, vital interest, legal requirement; you can easily see why trackers for ad targeting don't fit any of those).
It is generally admitted (or at least I think it is, feel free to dig around for a better source for or against that assertion) that visiting a site is not entering into a contract (probably because a contract has to be fair, and giving up personal information without your knowledge just by visiting a site isn't actually fair? I don't know that, IANAL).
That means the only legal basis ads companies (or the sites that host them) have to use your personal data is to have your consent, which is strictly defined in the GDPR (and other posters have discussed how this definition is mostly ignored).
Under GDPR consent can’t be “freely given” when it’s bundled as a condition of service unless the consent they’re asking for is necessary in order to perform the service. To use your example:
The grocery store doesn’t need to ask if you consent to paying for an apple because if you didn’t consent there wouldn’t be any transaction to perform.
Now, if you paid for your apple and the cashier said, "okay, hand over your phone so I can poke around a bit," because there's some fine print that says by nature of walking through the front doors you agree to allow the store to look through your phone. Did you consent to that? Of course not.
Consent wasn’t “freely given” because the store is requiring you disclose information (the contents of your phone) as a condition of service (you can’t even walk through the door without “consenting” let alone make a purchase) and that information isn’t necessary in order for the store to complete the transaction.
GDPR says they have to ask you first (usually in the form of a giant irritating banner as soon as you walk in the door) and that if you say no they have to let you buy your apple anyway.
> GDPR says they have to ask you first (usually in the form of a giant irritating banner as soon as you walk in the door) and that if you say no they have to let you buy your apple anyway.
Can you link to a source for this (the part that says you can't deny access)?
Perhaps I’ve oversimplified a bit. GDPR has a paragraph that’s often called the “coupling prohibition” - Article 7(4):
> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
It somehow says a whole lot and not much at the same time. Since every member state and everyone who has to comply needs to interpret what GDPR means there are various “recitals” that offer official guidance. One of those is Recital 42 - Burden of Proof and Requirements for Consent[1] which says:
> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
So a person must be able to refuse consent "without detriment" and the company is meant to provide an equivalent, but not necessarily identical, service to those who do not consent.
What that means exactly is, of course, the subject of much litigation. For example, is it a "detriment" to require a subscription fee of those who do not consent to information sharing? So far one ruling (Austria) has said no, provided the fee is reasonable, while another (UK) has said yes, the equivalent service must also be free.
As far as how the coupling prohibition should or will apply to a company like Facebook, where harvesting user data is the entire business model, I think that is yet to be clearly determined. As are most of the nuances and technicalities in GDPR.
Edit: I should also note that consent is just one avenue to legally allow a company to process user data under GDPR. It’s not the only avenue.
This really shouldn't be left to interpretation; both Article 7(4) and Recital 42 define what "freely given consent" is and in no way limit the actions I can take as a site owner. It is clear that a "cookie wall" isn't considered "freely given consent", so you can't process personal data based on that.
Correct you can’t process personal data based on it. And the underlying implication is that none of the consent you’ve obtained via a cookie wall is valid because you haven’t given any users the opportunity to “refuse without detriment” (because their options are to consent or see nothing). So the information you’re processing on behalf of users who clicked “I agree” - even the users who do in fact knowingly and willingly agree to the information processing - might be lacking a legal basis.
> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Preventing you from seeing the page you request if you do not consent seems a lot like the provision of a service conditional on consent. Obviously, that's for a judge to decide, but the law seems very clear from my perspective (IANAL, that's not legal advice).
> Preventing you from seeing the page you request if you do not consent seems a lot like the provision of a service conditional on consent.
You are correct. However, the prohibition against "a service conditional on consent" can be overcome (inter alia means "among other things") and one of the ways it can be overcome is if the user is given a choice to instead select "a consent-free equivalent service for a reasonable remuneration."[1]
This is the result of a ruling by the Austrian Data Protection Authority (DPA) evaluating a case in which users could access an Austrian newspaper by either (a) consenting to personalized advertising or (b) paying a subscription fee of 6 Euro / month.
The DPA found that these options were not a "significant detriment" to users (i.e. the arrangement was not considered coercive) and were therefore valid.
It's worth noting that the UK found otherwise, saying that "for the user to have a genuine choice, a consent-free alternative would have to be offered free of charge."[2]
-----
[1] Austrian Data Protection Authority (case no. DSB-D122.931/0003-DSB/2018)
I have read this and (IANAL) view this as a definition of what "freely given consent" is. If you force users to give consent in order to use the service, it isn't freely given consent. It doesn't say that you must provide the service.
I think the heart of the matter is "not necessary for the performance of that contract".
Privacy advocates argue that it's not necessary to track people to perform the purpose of a site (like, displaying news items).
Publishers argue that it's necessary to track and display ads in order for the business to be sustainable, without which they cannot continue serving news (+ ads).
I guess we'll have to wait and see what the courts have to say about this.
Maybe publishers will have to show how much their revenue suffers if they stop tracking.
Another consideration is the demand for "privacy by design and default" (https://gdpr-info.eu/art-25-gdpr/). It might be hard to argue that business built on tracking users fulfills the criteria for that.
- consent requires, among other things, that permission be given freely;[1]
- so, if coercion is involved then consent does not exist;[2]
- and, preventing user access to content unless that user agrees to be tracked is likely considered to be coercive.
Therefore if a user grants permission to be tracked only in order to gain access to that site's content, that granted permission would not be considered consensual because that permission was not given freely.
(The above is not legal advice, but I do have a law degree; I also work for an NGO that produces apps that teach people about consent.)
(I thought I could still edit the above response but it looks like time has expired)
I wanted to add that the freely given requirement can be very granular / fact intensive. This later comment shows one way (remuneration) the above can be accomplished without coercion: https://news.ycombinator.com/item?id=23762945