
Most of the internet business model can be described as providing data in exchange for seeing adverts. These adverts are worth a lot more if they can be targeted. The GDPR applies to this, such that any processing must have one of 6 lawful bases, in this case usually one of 2: Consent (the user clicks on something to provide consent) or Legitimate interests (the processing is necessary for the web site's legitimate interests).

There are generally 2 ways that this business model is maintained:

  • Tracking is legitimate interest
    • For example, if you visit The Times webpage, reject all leaving only legitimate interest, your browser is directed to load an image from https://pagead2.googlesyndication.com/pagead/gen_204?id=sodar2&v=222&t=2&li=gpt_2021042801&jk=232965657245332&bg=[1136 characters of tracking data]. This is to allow Google to process PII, specifically placement-targeting in the "AdSense" ad auction for adverts on that site. There are also various cookies that look like they are targeting adverts.
  • Do not provide data if consent is not granted
    • If I search for "avocado" on google, the top 2 hits are to different domains on the same web site, and if you select "Disallow All" in Privacy Settings you are refused access to the article, being redirected to the "ad-free, tracking-free version" which has only 10 articles not including the one originally visited.

What information is available to determine the legal limits of this behaviour? I am interested in this both from the point of view of the developer and the user of the web site.

1 Answer

This is not a completely settled matter, but we can discuss some consequences and limitations. I will discuss legitimate interest, consent walls, and the special case of cookies.

When legitimate interest is OK

A legitimate interest is a great and very flexible legal basis. However, not every interest is a legitimate interest. Before this legal basis can be used, a balancing test must be performed. Recital 47 provides factors to assist in this test:

  • Relationship between subject and controller. “Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.”
  • Expectations of the data subject. “At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.”
  • Interests and rights of the data subject. “The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.”
  • Fraud prevention. “The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”
  • Direct Marketing. “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
  • Recital 48 says that transfers within a group of undertakings can be a legitimate interest.
  • Recital 49 says that network and information security can be an overriding legitimate interest.

Furthermore, an Art 35 Data Protection Impact Assessment (DPIA) may be required in some scenarios.

On that basis, we can consider whether online behavioural advertising / targeted ads can be covered by a legitimate interest.

  • Clearly, the website operator has a legitimate interest in monetizing their site. Similarly, direct marketing can constitute a legitimate interest. However, it is not clear that this interest overrides the rights and interests of the data subject.
  • The website operator is not the only data controller involved. Additionally, we have at least the ad network and possibly bidders in a real-time ad placement auction.
  • The data subject only has a direct relationship with the website, not with the ad network.
  • Today's web is largely financed by ads, so that the data subject must reasonably expect some advertisements.
  • The data subject does not necessarily have a right to an ad-free experience, but has a right to control how their data is used. In particular, any use of their personal data must be transparent. This is not necessarily the case when ad networks are involved.
  • When ads are shown, there is a clear legitimate interest in preventing click fraud etc.

In my personal opinion this indicates that some types of targeted advertising can be GDPR-compliant when a legitimate interest is used. However, targeted ads as common in the current world (World Wide Web ca 2018–2021) are unlikely to be compatible with a legitimate interest. The major issue is the lack of relationship between users and data controllers, and the lack of transparency. Effectively, targeted ads result in sharing personal data with an indeterminate number of unrelated data controllers. I think the lack of transparency is fatal to the entire scheme, but that some of these aspects are OK iff the data subject has given their consent.

More compliant advertising schemes would involve targeting only based on non-identifiable information (which can still be personal data under the GDPR definition), or would use contextual instead of user-based targeting. Such schemes are likely OK under a legitimate interest.

Fraud prevention in the context of ads gets pretty tricky though. Here, we don't just have to consider the general requirements of the GDPR, but also the specific requirements of ePrivacy and implementing laws such as the UK PECR. I discuss this below together with cookies.

When consent walls are OK

The GDPR provides detailed conditions for consent in Art 7. A key aspect of consent is that it must have been freely given, and not have been coerced in any way. Art 7(4) discusses the case of making a service conditional on consent. Usually, this is not allowed:

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

The phrase “utmost account” indicates that requiring unrelated consent is not allowed in nearly all situations. However, this is not a total ban on such practices.

Recital 42 also says that consent is invalid “if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

In their guidelines on consent, the EDPB discuss the concept of Detriment and Permissible Incentive in more detail and provide some examples. On incentivized consent, they say:

The GDPR does not preclude all incentives but the onus would be on the controller to demonstrate that consent was still freely given in all the circumstances.

In your presented scenario, the data controller is offering a choice between the standard site and a more bare-bones tracking-free version. In general, such an approach can be perfectly compliant. However, there isn't actually a choice since the tracking-free version has different content from the standard version. The lack of access is likely to be a “detriment” within the meaning of the GDPR. Furthermore, consent to cookies is not necessary for showing the content. This is evidenced (a) by the tracking-free version, and (b) by the cookie consent banner being purely cosmetic, with the content already being shown in the background. While this content can be read e.g. with the browser's Reader Mode or by removing the banner with an ad blocker, such techniques are not apparent to the typical user. Thus, it is very likely that the presented scheme is non-compliant.

However, it is likely that slightly different approaches do offer a genuine choice to the data subject. For example, NPR has a text-only version of the site with full content, but without tracking or embeds. Here, the incentive to consent is a better user experience, which is likely a Permissible Incentive. Another presumably legitimate approach is consent-or-pay walls, where the visitor is given a free choice between paying a reasonable amount or giving their consent to tracking. See this article by Consent Guide for some analysis, including positions by some regulators.

About cookies

Cookies and other information on the end user's device are special. Instead of the general requirements of the GDPR, we must look at more specific laws like ePrivacy or implementing laws such as PECR in the UK. Where they prescribe a particular legal basis such as consent, this overrides the general provisions of the GDPR.

Per ePrivacy, using cookies or similar technologies is only allowed in three scenarios:

  • the user has given their consent, where consent is defined by the GDPR;
  • technical storage is used “for the sole purpose of carrying out the transmission of a communication”, e.g. caching in the browser or maybe session cookies; or
  • the access is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service” (emphasis mine).

It is generally accepted that security practices are strictly necessary, and can therefore involve the setting of cookies without consent. From the GDPR perspective, the legal basis would be a legitimate interest.

However, fraud prevention for ads involves a service that was not “explicitly requested” by the user. The user requested the content, not the ads around it. This likely means that even though a site operator might have a legitimate interest in showing ads, such ads typically involve cookies that still require consent.

Conclusion

When it comes to compliance, the current internet is a bit of a mess. Few sites are fully compliant. While the GDPR has led to an increase in transparency about tracking, sites still rely on shaky legal bases.

However, things are changing. Many browsers such as Firefox, Safari, and Brave are integrating increasingly strong defenses against tracking. By 2022, third party cookies that enable easy cross-site tracking will be effectively gone. The online ad industry is looking for alternative tracking and targeting mechanisms. One of these is Google's FLoC, which allows interest-based advertising without centralized tracking profiles. Due to avoiding identifiable personal data, such a targeting scheme is more likely to be compatible with a legitimate interest. However, the success of this technology is far from clear, also since it raises concerns about anti-competitive behaviour. It also does not solve the problem of finding a suitable legal basis for fraud prevention.
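The answer's "About cookies" section lists the three ePrivacy scenarios in which storage on the user's device is allowed without consent, and its consent-wall section notes that a banner which is purely cosmetic (with tracking already running in the background) does not amount to a real consent gate. The following is an added example, not code from the question, the answer, or any site or vendor mentioned above: a small consent gate plus a response audit, written so a developer can check that only exempt cookies are set before consent and that everything else is blocked. The cookie names, purpose labels, consent categories and Set-Cookie headers are all constructed for the example, and the two "exempt" purposes are my own labels for the transmission and strictly-necessary exemptions quoted in the answer.

```javascript
// Added example (not from the original Q&A). Models the cookie rules described
// in the answer: a cookie may be stored without consent only if it serves the
// transmission of a communication or is strictly necessary for a service the
// user explicitly requested; analytics, ad targeting and ad-fraud cookies are
// gated on the matching consent category. All names/labels are assumptions.

// Purposes treated as exempt from consent (assumed labels for the two
// ePrivacy exemptions the answer quotes).
const EXEMPT_PURPOSES = new Set(["transmission", "strictly-necessary"]);

// Constructed cookie register, as a site might maintain for its cookie policy.
// `category` is the consent category a non-exempt cookie depends on.
const COOKIE_REGISTER = [
  { name: "sessionid",     purpose: "strictly-necessary",  category: null },
  { name: "csrftoken",     purpose: "strictly-necessary",  category: null },
  { name: "cache_hint",    purpose: "transmission",        category: null },
  { name: "site_stats",    purpose: "analytics",           category: "analytics" },
  { name: "ad_target_id",  purpose: "ad-targeting",        category: "advertising" },
  { name: "adfraud_id",    purpose: "ad-fraud-prevention", category: "advertising" },
];

// Decide whether a declared cookie may be stored given the visitor's consent
// state, e.g. { analytics: false, advertising: false } after "Reject all".
function mayStoreCookie(decl, consent) {
  if (EXEMPT_PURPOSES.has(decl.purpose)) return true;
  // A non-exempt purpose with no consent category is a register error:
  // refuse by default rather than silently allowing it.
  if (!decl.category) return false;
  return consent[decl.category] === true;
}

// Names of the cookies the site may set under the given consent state.
function allowedCookies(register, consent) {
  return register.filter(d => mayStoreCookie(d, consent)).map(d => d.name);
}

// Extract the cookie name from a Set-Cookie header value.
function parseSetCookieName(header) {
  const pair = header.split(";")[0];
  const eq = pair.indexOf("=");
  return (eq < 0 ? pair : pair.slice(0, eq)).trim();
}

// Audit the Set-Cookie headers of a response: flag cookies that need consent
// the visitor did not give, and cookies missing from the register entirely.
function auditResponse(setCookieHeaders, register, consent) {
  const byName = new Map(register.map(d => [d.name, d]));
  const violations = [];
  for (const header of setCookieHeaders) {
    const name = parseSetCookieName(header);
    const decl = byName.get(name);
    if (!decl) {
      violations.push({ name, reason: "undeclared cookie" });
    } else if (!mayStoreCookie(decl, consent)) {
      violations.push({ name, reason: `requires '${decl.category}' consent` });
    }
  }
  return violations;
}

// Constructed headers from a page served to a visitor who chose "Reject all".
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "ad_target_id=xyz; Domain=.adnetwork.invalid; Path=/; Secure; SameSite=None",
  "adfraud_id=f00; Path=/; Secure",
  "mystery=1; Path=/",
];
const REJECT_ALL = { analytics: false, advertising: false };

console.log("allowed before consent:", allowedCookies(COOKIE_REGISTER, REJECT_ALL));
console.log("violations:", auditResponse(SAMPLE_HEADERS, COOKIE_REGISTER, REJECT_ALL));
```

Run against the constructed headers, the audit reports the targeting cookie and the ad-fraud cookie (both set without advertising consent) and the undeclared `mystery` cookie, while the session cookie passes as strictly necessary. The ad-fraud cookie is deliberately placed in the consent-gated category, matching the answer's point that fraud prevention for ads is not a service the user "explicitly requested".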
