A recent UK decision on online ad-tracking consent attracts my attention as it targets a novel attempt by the Washington Post towards GDPR compliance, which seemingly puts a price tag on privacy rights for users to avoid online tracking when enjoying the service. I find this decision is not convincing and could cause a tough dilemma for business compliance.
According to The Register, the Information Commissioner’s Office (ICO) – the UK’s GDPR enforcement agency – issued a violation warning against the Washington Post (“the Post”) for not offering GDPR-compliant subscription options. The Post provided three levels of packages to users in the EU – a free one with limited access, then $6 and $9 ones both with four-week unlimited access. When placing an order, subscribers are required to “consent to the use of cookies and tracking” to receive personalized ads, except those who choose the premium $9 package which will be ad-free and tracking-free (see the picture below). The ICO found the consent obtained in this manner not freely-given as users did not have free alternatives to consenting to be tracked, and accordingly, asked the Post to provide ad tracking-free options in all the offered packages.
While a wide discussion around this case is focused on the issue of extraterritorial enforcement of the GDPR (the Post is a US-based entity), I find the ICO’s reasoning on the substantive issue and its implications interesting as well, and I would like to dig in to them below.
This is a case about conditionality – whether the Post can tie the provision of services to a request for users’ consent to cookie tracking, while charging an extra $3 for a tracking-free option. The most relevant law is GDPR Article7(4): “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” This law basically means, if a service provider asks users to consent to data processing (“otherwise we will not provide the service to you”), and the provision of that service itself does not need that data, then the consent might not be freely given, thus violating the GDPR. For example, the Post can ask a subscriber to provide home address for newspaper delivery, but may not ask for other information like the user’s hobby because it’s not necessary for the Post to deliver the paper. However, this is not absolute under the law. The phrase “inter alia” (among other things) indicates that whether the performance of a contract needs the data is just one factor –among others – to consider in deciding whether a consent is freely-given. As the WP29 Guidelines, the authoritative GDPR interpretation, suggests, if the data collection is not what the service itself needs, the consent may still be deemed freely-given where a genuinely equivalent choice is offered to users to choose freely between being tracked or not.
Under the strict interpretation suggested by the WP29 Guidelines, I find it difficult to argue that the collection of personal data for targeted ads purposes is necessary for the Post to fulfill its contract performance – to deliver articles to users either in physical or digital forms. Therefore, the key question turns to whether for users, the $9 ad tracking-free package is a genuinely equivalent option to the $6 one mandating ad tracking consent. The ICO said no, because an option charging an extra $3 is not a free alternative. If the ICO’s interpretation prevails, this will cast a shadow over the targeted advertising business and hurt other businesses relying on targeted advertising, like many internet companies.
The current model of online content business heavily relies on targeted advertising. While it has been widely criticized for privacy concerns, whether an internet ecosystem with less targeted ads will holistically be better for users is complicated and unclear. For the Post, it hires thousands of journalists and staff to investigate and write quality articles which should sell at a price, and its “lost” revenue on the free and $6 packages are compensated by targeted ads. Actually, the users subscribing to these two packages do not really get a free or discounted service. Rather, they pay with their information. I tried to imagine what the Post might do if it finally needs to comply with the ICO decision. It may cancel the two cheaper options, only keeping the $9 one, or start to deliver non-targeted ads instead in the cheaper options, which don’t need tracking consent any more but may make users see more ads in order to maintain the revenue (targeted ads usually sell at a much higher price). Neither way looks good for the Post: the first one will lose users, and the second one will hurt user experience which, again, leads to losing users.
For online content business in general, the popular business model provides free content to users and earns revenue from targeted ads. With diminished targeted ads, they need to find other ways to offset the lost revenue. From where? Can the business just stop providing free content and charge for access? Research shows that many people would not pay for all online content. The ICO’s rigid interpretation, requiring free alternative, is based on a misconception that the user’s information is not part of the price in the free or discounted deal in exchange for content that is not supposed to be free. This creates a tough dilemma for business.
Nor am I convinced by the rationale that people would not feel free to consent when facing the temptation to save $3 on a newspaper subscription. And this effectively denies people the freedom to trade their information for the benefits they desire. On the other hand, I am wondering whether the ICO fixated on the wrong point. A critical question is that whether people can really make well-informed consent to give away their information. Professor Daniel Solove doubted this in his 2013 Harvard Law Review paper Introduction:Privacy Self-Management and the Consent Dilemma, explaining that people generally are not able to give meaningful consent and understand the full implications of giving away their data because of certain problems (cognitive and structural) which are often nearly impossible to overcome. When consent is not meaningful, is it still meaningful to fixate on the nuance of how the consent is given as in the Post case?
Because of these thorny issues, I think rather than grappling with the freely-given consent issue, a better focus for the ICO is to investigate whether the Post responsibly uses and protects the collected data, and gives users meaningful control over their data. Furthermore, there is a more haunting question which we should keep exploring – how the law should be made and enforced to ensure effective protections for privacy rights while also offering realistic solutions for business to adopt and prosper.
*Thanks to Professor Daniel Solove for the valuable comments and insights on my draft.