Not necessarily.

It is a common practice for controllers to charge consumers different amounts depending upon whether they consent to certain types of processing.  For example, a controller might offer consumers a 15% discount if they consent to provide their email address for direct marketing, or a controller might impose a fee if a data subject does not consent to allow the electronic processing of certain paperwork (i.e. ,where the  consent to processing would lower the controller’s administrative costs).

Sometimes controllers have expressed confusion about whether the GDPR permits a controller to incentivize consent.  That confusion may be due in part to guidance provided by the Article 29 Working Party – the predecessor to the European Data Protection Board – which, in its discussions of consent, expressed concern that consent might not be freely given if there is an “imbalance of power” between a controller and a data subject.¹  The Working Party indicated that such an imbalance might arise if there were “substantial extra costs” imposed upon a data subject if they did not consent.² 

The reference to “substantial extra costs” must not be taken out of context.  The examples that the Working Party offered of power imbalances included situations such as when a government agency seeks consent from a data subject as a precondition to paving roads, or when an employer seeks consent from an employee as a precondition of continued employment.³  The main focus of the Working Party was to note that consent is ineffective if a data subject faces an imminent and realistic risk of “deception, intimidation, coercion or significant negative effects.”⁴  The prior examples provide an illustration of the magnitude of negative effects that negate free choice – e.g., the loss of basic government services, or the loss of family income.  Given that backdrop, it seems clear that the Working Party’s reference to “substantial extra costs” was not intended to imply that a $10 surcharge, a $1 per day fee, or a promotional discount, would negate the effectiveness of consent.  Such a view would ignore the Working Party’s choice to describe the extra costs that would need to be at issue as “substantial.”

The Working Party reiterated the view that charging a fee does not necessarily negate the effectiveness of consent in a later discussion of situations in which the provision of a service was “conditional” upon obtaining consent.   While the Working Party called the tying of a service to a request for consent as “undesirable,” it stopped short of stating that it was per se unlawful or ineffective.⁵  It then analyzed a hypothetical situation in which a bank asked its customers for consent to allow third parties to use their payment information for direct marketing.  The Working Party took the position that if the bank denied data subjects “banking services” completely, or threatened to close a data subject’s “bank account” if the consent was not provided, the consent would be ineffective as it could not be characterized as “freely given.”⁶  Conversely, if the bank proposed an “increase of the fees” charged to data subjects if they withheld their consent, the Working Party stated that whether the consent was rendered ineffective would be “depend[ent] on the case.”⁷  The equivocation suggests that whether or not the imposition of an increased fee rendered the consent ineffective would depend on other factors such as whether the fee was “substantial” or reasonably related to the loss in value to the controller from not being able to share the data subject’s information.

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. WP 259 Rev.01 at 6.

2. WP 259 Rev. 01 at 7.

3. WP 259 Rev. 01 at 7.

4. WP 259 Rev. 01 at 7.

5. WP 259 Rev. 01 at 8.

6. WP 259 Rev. 01 at 9.

7. WP 259 Rev. 01 at 9.

[View source.]