Concept and Basics of Paying with Data
The term “paying with data” refers to the practice in which users take advantage of digital products or services and, in return, provide personal data instead of (or in addition to) a monetary payment. This model has gained significant importance with the rise of data-driven business models and digital platforms, especially in the context of social networks, search engines, and shopping portals. A central component is the provision of personal or anonymized information, which is used for economic or market research purposes.
Legal Classification of Paying with Data
Aspects of Data Protection Law
Paying with data in the European Union is primarily subject to the provisions of the General Data Protection Regulation (GDPR). It is essential that personal data is processed lawfully, purposefully, and transparently.
Lawfulness of Data Processing
According to Art. 6 GDPR, data processing is only permissible if at least one of the following conditions is met:
- The data subject has consented to the processing (Art. 6 sec. 1 lit. a GDPR).
- The processing is necessary for the performance of a contract or to carry out pre-contractual measures (Art. 6 sec. 1 lit. b GDPR).
- The processing is necessary to fulfill a legal obligation (Art. 6 sec. 1 lit. c GDPR).
- Other statutory foundations.
Because paying with data often involves a contract between the provider and the user, data processing can be necessary to fulfill the contract. However, an explicit consent according to Art. 7 GDPR is often required, especially when non-essential data is involved.
Information Obligations and Transparency
According to Art. 13 and 14 GDPR, providers using data as consideration must inform the data subjects comprehensively about the type, purpose, scope, and duration of data usage. This information obligation is central to the lawfulness of the business model.
Rights of the Data Subjects
When paying with data, the data subject has comprehensive rights (e.g., the right to information under Art. 15 GDPR, the right to erasure under Art. 17 GDPR, and the right to data portability under Art. 20 GDPR). These rights must be guaranteed even when data processing is part of a contractual consideration.
Contractual Law Aspects
Data as Contractual Consideration
With the entry into force of Directive (EU) 2019/770 (“Digital Content Directive”) and its implementation in German law (§§ 327 et seq. BGB new; “contract for digital products”), it is recognized that the provision of personal data as consideration for digital services can be treated by contract.
According to § 327 sec. 3 BGB, contracts in which consumers provide their personal data as consideration are equivalent to contracts involving a monetary payment. Thus, all statutory consumer rights relating to digital products apply to such business models, for example, warranty rights, information obligations, and rules for contract termination.
Distinction: Gratuitousness and Actual Consideration
The regulations do not cover cases where data is processed solely for purposes directly necessary to provide the service or when data is processed solely within the framework of legal obligations. The decisive factor remains whether the provision of data is to be regarded as (part of) the consideration for the contract.
Burden of Proof and Contract Interpretation
In case of a dispute, the provider must demonstrate that sufficient information regarding data processing was provided and that effective consent was obtained. Interpretation difficulties can arise in unclear contractual designs, especially when data processing is declared as a pre-contractual ancillary service.
Competition and Fair Trading Law Aspects
Deception and Transparency Obligations
If the processing of personal data is used as (part of) the consideration, a lack of or insufficient information about this fact can constitute an unfair business practice under §§ 3, 5 UWG. Advertising that conceals or trivializes data processing can be considered misleading.
Market Abuse
Large digital platforms could abuse their market power by collecting data. This falls under antitrust law (§§ 19, 20 GWB) and is monitored by the relevant supervisory authorities (e.g., Federal Cartel Office).
Consumer Protection Provisions
Withdrawal Rights
Contracts for digital services are generally subject to the provisions on the right of withdrawal (§ 355 BGB in conjunction with § 356 BGB). Consumers have the right to withdraw from contracts within 14 days without providing any reason—even if the consideration consists of providing data.
Information Obligations
There are extensive information obligations regarding the subject matter of the contract, the provision of services, and data processing (§ 312d BGB). If these are not fulfilled, penalties and possibly claims for damages or injunctive relief may result.
Tax Law Aspects
Since the provision of personal data as consideration economically represents an exchange of services, the question arises as to its treatment under VAT law. According to § 1 UStG, any supply or other service provided by an entrepreneur for consideration is taxable. Whether the transfer of data for a digital service is considered taxable consideration depends on the specific contractual and economic structure. So far, there are few concrete administrative instructions or supreme court decisions on this.
Conclusion and Outlook
Paying with data is a central element of the digital economy and is subject to a variety of legal regulations designed to ensure the protection of data subjects, transparency in data processing, and fairness of contracts. With the European and national recognition of data as contractual consideration, the model has acquired clear legal definition. Developments in data protection law, contract law, competition law, and consumer protection law will continue to significantly shape the “paying with data” business model and are of high relevance for providers and users alike.
Frequently Asked Questions
What are the legal foundations for paying with data in the European area?
In the European legal area, the General Data Protection Regulation (GDPR) is primarily decisive, especially Article 6, which governs the lawfulness of the processing of personal data. Article 7 GDPR, which sets requirements for consent, is also central. In addition, with the introduction of Directive (EU) 2019/770 (Sale of Goods Directive) and Directive (EU) 2019/771 (Digital Content Directive), contractual obligations have been explicitly extended to situations in which consumersreceive digital content or services by providing personal data—even where no payment flows. The so-called “paying with data” is often legally treated as a contract for value. National implementation, such as in the German Civil Code (BGB) in Germany (§ 327 BGB), concretizes these rules for domestic law.
What information obligations does a provider have when accepting data as payment?
Providers are obliged to clearly and transparently inform data subjects about the type, scope, and purpose of data collection, the legal bases used, possible recipients of the data, and the storage period, see Articles 13 and 14 GDPR. The information obligation also includes references to data subject rights (e.g., access, erasure, objection), the controller, and often also about data transfers to third countries. In digital contracts where data is provided as consideration, providers must explicitly inform about such equivalence to traditional payment and disclose which data are required for the provision of the service and which may be provided optionally.
Must explicit consent be obtained before data can be used as a means of payment?
Yes, as a rule, explicit consent is required according to Article 6 sec. 1 lit. a GDPR, unless another legal basis applies. Consent must be given voluntarily, specifically, in an informed manner, and unambiguously—for example, by taking an active action such as ticking a box. Tacit (“opt-out”) consents are not permissible. Consent may not be made a precondition for entering into a contract unless providing the personal data is actually essential for contract fulfillment (so-called coupling prohibition, Recital 43 GDPR).
What rights do consumers have when they “pay” with their data?
Consumershave all data subject rights under the GDPR, such as the right of access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), and data portability (Art. 20 GDPR). They can also object to further processing of their data (Art. 21 GDPR) and have the right to withdraw consent at any time with effect for the future. If consent is withdrawn, the provider must, if necessary, cease the contractual service and properly delete the data, unless retention is still required by law.
What are the legal consequences if the provider breaches data protection requirements when “paying with data”?
Violations are strictly sanctioned under the GDPR: Supervisory authorities can impose fines of up to 20 million euros or 4% of worldwide annual turnover (whichever is higher). In addition, data subjects can claim damages (Art. 82 GDPR). National civil courts can grant claims for injunctive relief and elimination, and, in competition law, also allow warnings from consumer associations. Furthermore, unlawful processing may render the entire contract void or voidable; the provider thus risks losing all rights arising from the contract if the contract was concluded without effective consent.
Is “paying with data” permissible for minors or particularly sensitive data?
Special protection provisions apply when processing personal data of minors. According to Art. 8 GDPR, in the context of information society services, consent for children under 16 is only valid if given by them or their legal guardians, although individual member states may lower this age limit to 13. For particularly sensitive data (Art. 9 GDPR, e.g., health data, biometric data), enhanced requirements additionally apply, and processing is usually only permitted in exceptional cases with explicit prior consent or on the basis of one of the exceptions listed in Art. 9 sec. 2 GDPR.
How does withdrawal of data consent affect the contract for digital content?
If consent is withdrawn or further use of the data is objected to, this has an immediate effect on the contract: If the provision of the digital content or services depended on the data processing, this may lead to termination of the contract. According to § 327m BGB (German law), the provider is obliged, upon withdrawal or exercise of the right to erasure, to delete the personal data and to end access to the digital product. Consumers may not suffer unreasonable disadvantages as a result of withdrawal. Obligations to reverse the transaction and, where applicable, compensation may arise if performance has already been received.
