Subscription Management Platforms under the GDPR

Abstract

In recent times there has been an increase in cookie tracking, where users’ data are collected through web cookies. Due to privacy concerns, many regulations have been developed — such as the General Data Protection Regulation (GDPR) —, to regulate information gathering. To ensure compliance with the GDPR, cookies tend to be managed through cookie banners, where users can 1) accept all, 2) reject all, or 3) customize their choice regarding which data can be collected. Recently, there has developed a new cookie paywall, where instead the choices are to either 1) accept all tracking or 2) subscribe to a service to avoid tracking and advertisements. The services providing these cookie paywalls have been named Subscription Management Platforms (SMPs), and the goal of this thesis is to discover what SMPs are technically and legally under the GDPR, and how they relate to standard cookie banners. The results show that SMPs can work as a wrapper to existing cookie banners, where all subscribed users automatically reject all cookies but the non-subscribed must accept all cookies. In this case, the legal responsibility falls to the cookie banner, as the SMP does not handle the consent signal. Additionally, we found that SMPs can collect at least as much information and personal data as regular cookie banners. We also raise several questions about the nature and ethics of SMPs. As SMPs force users who do not pay to accept all tracking, they essentially make privacy a luxury and may increase cookie tracking.