On your first visit to the website for Der Spiegel, Germany’s leading online news source, you’re faced with a choice: buy a €4.99 monthly subscription or give up your data.
T-Online, Bild, Die Welt, and a variety of other news sites offer the same choice. Want private browsing? Cough up or kick rocks. The new privacy headache cropping up in some central European countries has been dubbed a “cookie paywall,” and it could make surfing the web very expensive.
You’ve probably seen websites that make you accept or reject cookies before you view any content. A cookie paywall throws up a more significant roadblock, forcing you to pay to avoid tracking. The feature is one way online businesses are trying to navigate European privacy rules and remain profitable. Incognito Mode can’t get you out of this one. With a U.S. federal privacy law on the horizon, onerous cookie paywalls could be a vision of the future for the American internet, too, if regulators aren’t careful.
“It’s a win-win for the websites. They get paid with data or they get paid with money,” said Cristiana Santos, an assistant professor of privacy and data protection law at Utrecht University, and co-author of an upcoming research paper (PDF) examining cookie paywalls: “Your Consent Is Worth 75 Euros A Year – Measurement and Lawfulness of Cookie Paywalls.” The paper will be presented at the 2022 Workshop on Privacy in the Electronic Society in November.
Santos and her co-authors analyzed websites across Central Europe. While they remain uncommon, the researchers recorded a number of them among the 13 of the most popular news sites in Austria and Germany.
Santos and company also found that privacy is pricey. The paper documents how it would cost a whopping €728 a year (about $706) to avoid tracking on just those 13 websites. When the researchers checked Der Standard, an Austrian newspaper, it cost €75 a year to avoid tracking on that website alone. Would you pay for your privacy on a site-by-site basis? How much would you fork over?
The cookie popups that have started to plague web browsing in both Europe and the US are already full of dark patterns, design tricks that nudge or confuse you into making a decision that you might not choose otherwise. In fact, even when you do manage to make an effort to protect your privacy, you might not be successful. When you say no to cookies, a lot of websites track you anyway. The cookie paywall takes this to its logical extreme: forget about design tricks, they’re forcing the issue by getting your wallet involved.
People value their privacy, and some people do shell out for tools like virtual private networks (VPNs) to protect it. But to the typical consumer, personal data hasn’t historically been worth much. A 2020 study from the Technology Policy Institute found most people would trade almost any aspect of their online privacy for less than $10. If it’s a choice between data and a subscription fee, most people will probably choose to save the cash.
“As only a tiny minority would pay this fee across a large number of digital services, data exploitation would become the default for most Europeans,” said Wolfie Christl, a researcher who investigates the data industry. “I hope that regulators, courts and policymakers recognize this threat and put a stop on it.”
The General Data Protection Regulation (GDPR), Europe’s sweeping privacy law, requires companies obtain your consent before they collect and process your data. The law says that consent is supposed to be “freely given,” but there’s enough room for interpretation that regulators in Austria and France have ruled that the cookie paywall model isn’t blatantly illegal. So far, the European Data Protection Board, which oversees how GDPR is applied across the EU, hasn’t weighed in.
Right now, cookie paywalls aren’t common in the United States. There are no overarching privacy laws at the federal level, and even the strictest state privacy laws don’t force companies to get permission before they track you. They’re only obligated to give you a way to opt-out. Most consumers don’t bother, so it’s still easy for companies to monetize your data—but that could change.
“These US opt-out requirements don’t create as much pressure or incentive for companies to move to a ‘consent or pay’ model,” said Christine Lyon, global co-head of data privacy and security at the law firm Freshfields. If more stringent federal privacy laws pass, though, cookie paywalls could come to America, Lyon said.
When privacy comes with a price tag, the brief history of the web indicates that most people won’t break out their credit cards to protect their data. That lax approach could undermine the entire purpose of laws like the GDPR.
Coercing people into giving up their privacy with a financial penalty doesn’t make for meaningful, freely given consent, said Santos, the co-author of the research. “We could see this practice being spread around and legitimized. The business model here can surely be replicated.”