Paid access is okay, so is showing advertising, and even requiring that you pay to access a service (they don’t have to give it away for free). What isn’t okay is requiring either paying or selling your data (selling away privacy) for advertising.
So yes businesses are doing something okay by offering a paid version, but it doesn’t matter if they’re saying “pay or let us sell your data” as the latter is illegal.
There’s an obvious workaround - require the payment for everyone, and on the side offer to pay the customer $x (which coincidentally is the same as the payment needed) for personal information.
I don't think this trick would do anything - you're still conditioning a contract on consent (and it's no more necessary than before), so still don't have "freely given consent" if you wanted to rely on that basis for data processing.
> > Consent is presumed not to be freely given [...] if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
"The latter is illegal" has been a point of debate since the GDPR was inacted because it is certainly not obvious in the GDPR.
IMHO, decisions that have upheld that it is indeed illegal have tended to be "militant" and ignored that users had a genuine choice, and in fact 3 options: Accept cookies, etc or pay or leave. In practice we see that 99% of users choose to accept cookies/tracking, but this is not because the choice isn't genuine, it is because they don't care about cookies/tracking as long it means free access and that pisses off some people.
You cannot say that users as a whole accept cookies/tracking as it’s heavily region dependent. At a previous job we implemented a cookie consent banner and tracked statistics of accept/reject, and while some regions were very high (95+%), Germany was particularly low (70%), so it’s hard to paint a picture in a general way.
Regardless, I’m not sure if you’re right that it’s contentious about what is allowed with respect to GDPR here. My understanding is that it is illegal to do what’s here (not just in Austria but in the GDPR directly), and the companies that do this are doing it in bad faith (and/or following in the footsteps of Meta), and in reality what they’re doing is banking on the fact that going through the courts takes a long time. We wouldn’t even be having this discussion if these companies just put ads without tracking/selling user data, which, as mentioned, is fine.
I was taking data from the OP's quote: "However, "pay or okay" gets 99.9% of users to agree to online tracking.". Anyway that's nitpicking as whatever the exact number it is the vast majority.
> My understanding is that it is illegal to do what’s here (not just in Austria but in the GDPR directly),
That's exactly my point. The GDPR does not say that it is illegal. It says that people must have a genuine choice, "genuine" meaning free of coercion. Now, "accept or be fired", "accept or you can't have surgery" are obviously not genuine choices. But arguing that "accept or you need to pay to access this news website" is the same and not a genuine choice is almost pushing the interpretation ad absurdum (what are genuine choices, then?), hence my previous comment.
> We wouldn’t even be having this discussion if these companies just put ads without tracking/selling user data, which, as mentioned, is fine.
The real world never so simple. In the real world if they don't "just" do that it is probably because it isn't working commercially.
> That's exactly my point. The GDPR does not say that it is illegal. It says that people must have a genuine choice [...] arguing that "accept or you need to pay to access this news website" is the same and not a genuine choice is almost pushing the interpretation ad absurdum
"Genuine choice" alone isn't sufficient - from the GDPR:
> > Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
It seems difficult to argue that DerStandard's "pay or okay" approach satisfies this - and indeed the court found it did not.
My impression as a non-lawyer is that the "freely given consent" basis is intended to cover where users opt to give data truly of their own violition, but is instead being used as the "continue on selling data as we were" basis (funnel users into clicking a button, then use that as a carte blanche for effectively any processing).
> The real world never so simple. In the real world if they don't "just" do that it is probably because it isn't working commercially.
I feel the problem is that as soon as one party starts using invasive ads, other parties are at a relative disadvantage and will be paid less than before if they don't follow suit. Seems like the kind of game theory problem that the market is bad at, but regulation can resolve favorably.
Why should selling your personal data be illegal?