Before the internet, traditional advertising allowed us to ‘pay’ for some or all of the cost of the media we consumed using our attention. Now we ‘pay’ for many otherwise free products - and contribute to the cost of others - with a combination of our attention and our data. Online media, search and social apps are obvious examples. But this basic business model extends to sectors and industries as varied as games, ecommerce, and podcasting. Importantly, this model may also help power tomorrow’s new and innovative consumer offerings.
The shift from attention to attention and data raises a range of weighty policy issues, including as regards the applicable privacy rules. Australia is considering these as part of a broad-ranging review of its privacy law. The Government’s recent Discussion Paper (which follows its October 2020 Issues Paper) offers a range of options on this topic for further consultation. Given the complexity of the issues this cautious approach is sensible.
But there are also signs that in regulating the data part of ‘payment’ by attention and data Australia may choose to follow aspects of Europe’s privacy laws: the GDPR and related ePrivacy Directive. In fact, Europe offers a cautionary tale in this context. It seems that Europe gave insufficient thought in advance to how the GDPR would impact paying with data, and since coming into force the relevant provisions have proved to be an enduring source of complexity and uncertainty for firms and regulators alike. The better approach may be for Australia to think upfront and in detail about what it wants and then carefully encode its views in the updated privacy law. This will give clarity from the outset for all firms that want to use a pay with data model, and make it easier for regulators to take action against those that ignore the rules - confident that such action aligns with broader policy goals.
What are the policy choices?
The need to be transparent with consumers about any pay with data model should not be controversial. But other issues are less straightforward. Two are particularly complex and important:
- Can the offer of a product or service be conditional on the consumer agreeing to a pay with data model?[1] This is the so-called ‘take-it-or-leave-it’ approach.
- If the consumer has a choice over whether to pay with data, when (if ever) can a firm use a pay with data model on an opt-out - rather than opt-in - basis? The distinction matters given that consumers often do not vary default settings. On the other hand, requiring opt-in consent too frequently may degrade the consumer experience.
On these issues, the Discussion Paper contains ideas that echo aspects of the European regime:
- The Discussion Paper raises the possibility that the take-it-or-leave-it approach could only be used if paying with data were ‘necessary’ to provide the product or service.[2] A similar necessity test circumscribes the types of data processing that can be justified under the GDPR’s contractual ground, and also features in the GDPR’s approach to ‘free’ consent.
- The Discussion Paper raises the possibility that consumers should be given an opt-in choice in relation to any data processing that ‘is not strictly necessary for the service’ in question.[3] The Paper also asks whether opt-in consent should be required for ‘direct marketing’, a term which it seems would cover most if not all pay with data models.[4] GDPR consent (which is similarly opt-in) plays a significant role in the European regime.
How has Europe fared?
In the three and a half years since the GDPR came into force, Europe has struggled to reach a consensus on how the GDPR’s ‘necessity’ test applies to pay with data models.
- The Irish Data Protection Commission recently ruled in a groundbreaking draft decision that personalised advertising is ‘necessary’ for Facebook’s service (for the purposes of the GDPR’s contractual justification). But many - including the non-profit NOYB that brought the case - view this as heretical, and earlier European regulatory guidance largely points the other way.
- It is perhaps inevitable that Europe’s ‘necessity’ test would create controversy. It is not clear whether the test refers to economic necessity (i.e., the data is needed for the firm to be financially viable) or technical necessity (i.e., without the data the firm cannot provide the product or service - even at a loss), or some mixture of the two. Either way, further complexities arise. If the test is economic, can the firm seek to earn a modest profit, or is it only ‘necessary’ to process data to the point where the firm breaks even? If the test is technical, how are the core ‘necessary’ elements of the product or service to be distinguished from optional extras? All these difficult yet important questions were seemingly left to regulators and the courts to decide once the GDPR came into force.
The European picture is similarly complicated as regards GDPR consent and online advertising.
- The Discussion Paper cites an ‘Update Report’ by the UK’s privacy regulator, the ICO, on real-time bidding (part of the infrastructure of online targeted advertising). This June 2019 Report listed systematic instances of apparent non-compliance with the GDPR, including in relation to consumer consents. A recent Opinion makes clear that - more than two years later - the ICO still has concerns. But no firm has been fined or given an enforcement notice: the ICO’s Opinion merely sets out its expectations for future advertising technologies. This suggests that the reality of imposing the GDPR on the ad tech industry has proved to be, in practice, complicated.[5] Indeed, the UK is now exploring using its new post-Brexit freedom to depart from the GDPR.
- More generally, Europe is still largely populated with sites that specifically make it easier for consumers to agree to tracking cookies (as used in online advertising) than to disagree, contrary to the GDPR’s apparent requirements. Although there are signs that some privacy regulators may finally be taking action here, this long-standing and pervasive gap between the apparent rules and firm compliance prompts the question whether those rules were appropriate in the first place.
Finally, there has been a growing awareness in Europe that the GDPR has led to a more complex overlap between privacy and competition policy - with the risk of tensions that might undermine one or more of the underlying policy aims.
A way forward
In charting a way forward on regulating pay with data models, there are at least three high-level questions for Australia to consider:
- What mechanisms should be used to limit the potential for excessive or exploitative approaches? European privacy regulation is in a sense a form of blanket price control insofar as it is generally thought to prohibit firms from requiring consumers to ‘pay’ with data (consumers are supposed to have a free choice). Is it conceptually clearer to use competition policy to police exploitative data ‘pricing’? Should ‘pricing’ generally be left to the market but with some basic guardrails, i.e., some pay with data models that are deemed so manifestly excessive that no consumer should be free to consent to them?
- How are the aims of competition policy and privacy regulation best reconciled in this context? For instance, should Australia avoid imposing requirements relating to pay with data models that large incumbents may find easier to satisfy than rivals (including rivals that are ecosystems of smaller firms that in aggregate provide a similar offering - as can happen in ad tech)? Does Australia want to promote competition between firms on the basis of privacy?
- Are there any existing or emerging industries that Australia is content to see undergo radical change? It is arguable that the GDPR necessitates radical change in the European ad tech industry, although it is less clear that this was what Europe specifically wanted. Would Australia be content with this outcome? Are there other industries that might be substantially affected by any proposals - and is this desired?
These questions are difficult. But it may be best for Australia to tackle them now, before new laws are created. The alternative risks the European experience: a new regime that creates years of uncertainty about the rules that apply to a central business model in the modern consumer economy.
[1] A related question is whether the consumer’s agreement to a pay with data model can be ‘bundled’ with other terms. For instance, can the offer of an extra product feature be conditional on the consumer agreeing to a pay with data model? Here Australia is considering
[2] This appears to be the implication of the discussion in Chapters 14 and 16 of when the exercise of a right to object might legitimately lead to the product or service being withdrawn.
[3] See Proposal 12.1.
[4] See Chapter 16.
[5] In a separate development, the Belgian privacy regulator has recently found a key ad tech compliance tool to be in breach of the GDPR.