
Legitimate Interest is the New Consent -- Large-Scale Measurement and Legal Compliance of IAB Europe TCF Paywalls (2309.11625v3)

Published 20 Sep 2023 in cs.CY

Abstract: Cookie paywalls allow visitors of a website to access its content only after they make a choice between paying a fee or accepting tracking. European Data Protection Authorities (DPAs) recently issued guidelines and decisions on paywalls' lawfulness, but it is as yet unknown whether websites comply with them. We study in this paper the prevalence of cookie paywalls on the top one million websites using an automatic crawler. We identify 431 cookie paywalls, all using the Transparency and Consent Framework (TCF). We then analyse the data these paywalls communicate through the TCF, and in particular, the legal grounds and the purposes used to collect personal data. We observe that cookie paywalls extensively rely on the legitimate interest legal basis, systematically conflated with consent. We also observe a lack of correlation between the presence of paywalls and legal decisions or guidelines by DPAs.

Authors (4)
  1. Victor Morel (11 papers)
  2. Cristiana Santos (17 papers)
  3. Viktor Fredholm (1 paper)
  4. Adam Thunberg (1 paper)
Citations (1)

Summary

Analysis of Legitimate Interest and Consent Commingling in IAB Europe TCF Paywalls

The paper "Legitimate Interest is the New Consent -- Large-Scale Measurement and Legal Compliance of IAB Europe TCF Paywalls" presents a comprehensive analysis of the implementation of cookie paywalls across the top one million websites, with specific attention to legal compliance concerns. It focuses in particular on the paywalls' reliance on the Interactive Advertising Bureau Europe Transparency and Consent Framework (TCF), examining how consent is conflated with legitimate interest as a legal ground for data collection.

Core Findings

The researchers developed an automated crawler to identify cookie paywalls, uncovering 431 paywalls in total, all using the TCF. A striking detail is the geographical concentration of these paywalls in Germany, a country explicitly critical of them on legal grounds. This distribution is particularly interesting given the nuanced positioning of Data Protection Authorities (DPAs) in countries such as Germany, France, and Austria, reflecting broader ambiguities in regulatory stances across Europe.

A focal point of the paper is the analysis of how these paywalls use the TCF, specifically which legal basis they declare for data tracking and processing. The paper notes a prevalent reliance on legitimate interest alongside consent. This raises significant legal and ethical questions, since under the General Data Protection Regulation (GDPR) the legal basis for processing data for personalized advertising is consent.

The financial model of cookie paywalls is another area of investigation. The paper finds that while paywalls typically cost between €2 and €4 per month, the vast majority of users (99.9%) opt to give consent and thus be tracked, rather than pay the fee, highlighting potential issues of user coercion.

Technical and Legal Implications

The paper highlights significant inadequacies in the TCF system's ability to ensure compliance with GDPR requirements, particularly regarding the conflation of consent and legitimate interest. This finding suggests that further technical improvements and regulatory clarifications are required. Moreover, the paper reports that even paid users can still be tracked under the guise of legitimate interest, sometimes under vague and inappropriate purposes such as "Develop and improve products."
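How the two legal bases show up in the data a TCF paywall communicates, as an added example (not code from the paper or from IAB Europe): it reads the PurposesConsent and PurposesLITransparency bitfields of a TCF v2 core string and reports purposes asserted under legitimate interest. The field offsets follow the public TCF v2 string layout; the sample string, the helper names and the choice of purposes 3 and 4 (the personalised-ads purposes in TCF v2.0) as "consent only" are assumptions of this example.

```python
import base64

# Bits before PurposesConsent in a TCF v2 core segment: Version(6), Created(36),
# LastUpdated(36), CmpId(12), CmpVersion(12), ConsentScreen(6), ConsentLanguage(12),
# VendorListVersion(12), TcfPolicyVersion(6), IsServiceSpecific(1),
# UseNonStandardStacks(1), SpecialFeatureOptIns(12).
CONSENT_OFFSET = 152
LI_OFFSET = CONSENT_OFFSET + 24  # PurposesLITransparency follows PurposesConsent
# Assumption of this example: purposes 3 and 4 (personalised ads profile and
# selection in TCF v2.0) are treated as requiring consent.
CONSENT_ONLY = {3, 4}


def core_bits(tc_string):
    """Return the core segment (before the first '.') as a string of '0'/'1'."""
    core = tc_string.split(".")[0]
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    return "".join(f"{byte:08b}" for byte in raw)


def purpose_set(bits, offset):
    """Purpose ids (1-24) whose bit is set in the 24-bit field at offset."""
    field = bits[offset:offset + 24]
    if len(field) < 24:
        raise ValueError("TC string too short for the purpose bitfields")
    return {i + 1 for i, bit in enumerate(field) if bit == "1"}


def legal_bases(tc_string):
    """Split the purposes of a TC string by declared legal basis."""
    bits = core_bits(tc_string)
    if int(bits[:6], 2) != 2:
        raise ValueError("not a TCF v2 string")
    consent = purpose_set(bits, CONSENT_OFFSET)
    li = purpose_set(bits, LI_OFFSET)
    return {"consent": consent, "legitimate_interest": li,
            "both": consent & li, "li_on_consent_only": li & CONSENT_ONLY}


def build_sample(consent, li):
    """Constructed core segment, truncated after the purpose fields; version 2,
    every other header field zeroed."""
    field = lambda ids: "".join("1" if i in ids else "0" for i in range(1, 25))
    bits = f"{2:06b}".ljust(CONSENT_OFFSET, "0") + field(consent) + field(li)
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: no purpose consented (as for a paying visitor), yet
# legitimate interest asserted for purposes 2, 3, 7 and 10.
SAMPLE_PAID = build_sample(consent=set(), li={2, 3, 7, 10})
```

Purpose 10 in the sample is "Develop and improve products" in TCF v2.0, the purpose the summary singles out.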

Future Implications and Developments

Considerations for future research and policy are extensive. From a technical standpoint, there is a need to develop mechanisms to accurately distinguish between different legal bases used within the TCF. Legal frameworks might benefit from more harmonized DPA positions or guidance from the European Data Protection Board (EDPB) regarding the lawfulness and pricing strategies of cookie paywalls.

The paper’s results bolster a call for improved oversight mechanisms and clear differentiation between consent and legitimate interest to protect user privacy effectively. The looming update of the TCF to version 2.2, which aims to address some of these compliance issues, will be a development worth scrutinizing.

Conclusion

This paper provides a critical examination of the nuanced practices surrounding cookie paywalls and highlights substantial areas where legal compliance could be improved. The findings underscore the importance of ongoing research into more granular technical and legal solutions to align online tracking frameworks with European privacy laws more closely. As the regulatory environment evolves, these insights will be instrumental in defining new boundaries in digital privacy rights and technological implementation.
