DPAs seek EDPB position on ‘Consent or Pay’ model

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

New York Senate Passes Broad Health Data Consent Bill

New York Senate Bill S158D, which would require “valid authorization” for the sale or processing of “regulated health information”, passed through the New York State Senate and has been assigned to the Assembly Science and Technology Committee. 

TAKEAWAY

“Regulated Health Information” is defined broadly as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.”

It also expressly includes location or payment information related to an individual’s physical or mental health or any inference drawn or derived about an individual’s physical or mental health, resembling similar concepts in Washington and Nevada laws that will go into effect this year. 

Read more:

Guide to US State Privacy Laws

Comparing U.S. state privacy laws: Sensitive Data

EUROPE

DPAs seek EDPB position on ‘consent or pay’ Model

The Norway, Netherlands and Hamburg data protection authorities have requested that the European Data Protection Board (EDPB) issue a formal statement clarifying under which circumstances a service may legally offer a subscription model that allows users to consent to certain uses of their personal data, such as targeted advertising, as an alternative to paying for a subscription with money.

The EDPB should issue an opinion on the matter within the next 14 weeks. 

TAKEAWAY

A Consent or Pay model (also known as Pay or OK, or simply PUR in Germany) has been utilized by several online publications and services for years as a way to offer users a choice to pay for content subscriptions with data or money.

This practice has been previously addressed in guidance from Germany’s association of DPAs, as well as the French and Danish DPAs, both of which permit the practice as long as certain parameters are met, such as that the monetary subscription is a fair alternative at a reasonable price.

More recently, Meta adopted a “pay or ok” subscription model on Facebook and Instagram, leading to multiple complaints from privacy advocacy group noyb, which claims that the model violates GDPR by not obtaining consent that is “freely given.” It also claims that because withdrawing consent requires signing up for a monetary subscription, it is not as easy to withdraw consent as it is to give it.

It is not clear whether the recent request of the EDPB is rooted in the noyb complaints, but they are now seeking a harmonized approach to GDPR enforcement of this type of model. 

Read more:

How heise medien Delivered Flexible ‘Consent or Pay’

Meta to offer ad-free subscription plans in Europe

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.