Legitimate Interest is the New Consent -- Large-Scale Measurement and Legal Compliance of IAB Europe TCF Paywalls

TL;DR

This study investigates the prevalence and legal compliance of cookie paywalls on top websites, revealing widespread reliance on legitimate interest and a lack of adherence to DPA guidelines.

Contribution

It provides the first large-scale measurement of cookie paywalls' use of the TCF and analyzes their legal basis, highlighting widespread non-compliance with regulations.

Findings

431 cookie paywalls identified, all using TCF

Paywalls rely heavily on legitimate interest, often conflated with consent

No clear correlation between paywall presence and legal guidelines

Abstract

Cookie paywalls allow visitors of a website to access its content only after they make a choice between paying a fee or accept tracking. European Data Protection Authorities (DPAs) recently issued guidelines and decisions on paywalls lawfulness, but it is yet unknown whether websites comply with them. We study in this paper the prevalence of cookie paywalls on the top one million websites using an automatic crawler. We identify 431 cookie paywalls, all using the Transparency and Consent Framework (TCF). We then analyse the data these paywalls communicate through the TCF, and in particular, the legal grounds and the purposes used to collect personal data. We observe that cookie paywalls extensively rely on legitimate interest legal basis systematically conflated with consent. We also observe a lack of correlation between the presence of paywalls and legal decisions or guidelines by DPAs.