[alkonaut]

The service cannot be dependent on the acceptance of third party cookies, no. That is, the service provided to those that reject third party cookies cannot be worse (slower or incomplete, for example) compared to the visitors who accept cookies.

So you can supply an ad supported version and a paid version without ads, but you cannot require that those that choose the ad supported version must accept tracking ads.

[dogma1138]

I have gotten confirmation from several DPAs that state a very different interpretation.

You can’t segregate the same service, two distinct services one that is provided with ads that include 3rd party cookies and a separate paid service that does not is perfectly fine.

What you cannot do is to create multiple tiers in a free service based on different levels of tracking.

[alkonaut]

That sounds like an extremely business friendly interpretation of the regulation. Creating a separate service (the paid one) shouldn’t in any way change the circumstances for the first service (the one with ads).

What you are describing sounds like a business can simply declare “well untargeted ads doesn’t pay enough so the options are tracking ads or paid subscriptions”. The regulation shouldn’t and doesn’t let a site make that decision. It would make it completely useless!

[dogma1138]

DPAs including the German on are quite “business” friendly unless it will be challenged in court.

You can’t force someone to provide their business at a loss.

As long as you don’t penalize or segregate users based on their decision alone it does not run afoul of GDPR, neither does blocking someone completely you just need to have a valid business reason for doing that and it has to be tied to the nature of the service including how it’s funded.

[alkonaut]

> You can’t force someone to provide their business at a loss.

Of course not. But no one is forced to provide the ad funded service at all.

[dogma1138]

No but it’s a valid business model.

It’s not upto the DPAs to regulate things at this level just like you could run an astrology service and collect PII to give people readings, astrology is horseshit but you won’t run into issues with GDPR if you request users to give you their birthday and email to get spammed with BS on a daily basis.

[alkonaut]

> you could run an astrology service and collect PII to give people readings

Processing or possibly even keeping a birthdate for an astrology newsletter is clearly a legitiamate interest for the subscriber of that newsletter.

> but it’s a valid business model.

What is? Showing ads to provide a service is a valid business model yes. Showing tracking ads or blocking those who don't accept the ads - no.

But "I need to show the ads to keep the lights on" is NOT a legitimate interest to the visitor. The reason for handling the personal infrmation needs to be a hard requirement to provide service itself. Not merely part of the "business model". You cannot set up a separate service (paid subscription) and argue that because that other service exists, your ad-funded service deserves special exceptions from the GDPR e.g. that it can show ads which are tracked or else users are blocked. It's pretty clear in the regulation that "cookie walls" aren't allowed, just like pre-checked/assumed consent isn't.

[notimetorelax]

I was careful in my post to write tracked vs untracked. Sure they can show the ads, just don’t track me unless I consent.