Adtech giant Meta’s bid to continue tracking and profiling users of Facebook and Instagram in Europe, despite the strict data protection laws in the bloc, is facing a second challenge from privacy rights advocacy group noyb.
The group supports a new complaint against the company, being filed with the Austrian data protection authority. This complaint alleges that Meta is breaching EU law by giving users a difficult choice to withdraw their consent for tracking ads, while making it easier for users to agree to tracking.
Let’s rewind to last year, when Meta faced two major privacy decisions that invalidated its previously claimed legal bases for processing Europeans’ data for ad targeting. These decisions came after years of complaints from privacy campaigners.
HTML
- A claim from Meta followed, stating that it would switch to obtaining consent for tracking. However, the choice presented to users who do not want to be tracked and profiled is to pay for monthly subscriptions for ad-free versions of its products.
- Those who wish to continue using the services for free must agree to tracking.
- Meta claims this is valid consent under the General Data Protection Regulation (GDPR).
- However, noyb and supporting complainants disagree.
noyb’s previous complaint against Meta, filed with the Austrian DPA in November 2021, focused on the steep cost that users must pay to opt out of tracking (a monthly fee of €9.99 on web or €12.99 on mobile per linked account). noyb argues that this cost is disproportionate to the value the company derives from each user.
This second complaint addresses the difficulty that Meta makes it for users to withdraw their consent to tracking under this arrangement. Withdrawing consent requires users to sign up for a monthly subscription, while agreeing to tracking is as simple as clicking ‘okay’.
The issue at hand is that the GDPR states consent must be as easy to withdraw as it is to give. noyb’s follow-up complaint targets the friction inherent in Meta charging users for privacy protection.
In a press release, noyb states, “Once users have consented to being tracked, there’s no easy way to withdraw it at a later date. This is illegal. Despite Article 7 of the GDPR clearly stating that ‘it shall be as easy to withdraw as to give consent’, the only option to ‘withdraw’ the (one-click) consent is to buy a €251.88 subscription. In addition, the complainant had to navigate through several windows and banners to find the page where he could actually revoke consent.”
Massimiliano Gelmi, a data protection lawyer at noyb, commented, “The law is clear: withdrawing consent must be as easy as giving it in the first place. It is painfully obvious that paying €251.88 per year to withdraw consent is not as easy as clicking an ‘Okay’ button to accept tracking.”
Penalties for confirmed GDPR breaches can reach up to 4% of global annual turnover. However, Meta, which made $116.61BN in 2022 through tracking and profiling its billions of users for targeted ads, is more concerned about potential regulatory action that could force it to offer users a truly free choice to deny tracking. This could significantly impact its regional tracking-ads business, as around 10% of its global ad revenue comes from EU users.
The Austrian DPA published an FAQ last month on the topic of cookies and data protection. It discusses the controversial practice of “pay or okay”, in which companies charge for consent. The DPA states that this can be considered an alternative to consent but is only valid if the GDPR is fully respected. This includes consent being specific (not bundled), the company not having a monopoly or quasi-monopoly on the market, and the price for the payment alternative being appropriate and fair (not presented as a sky-high fee).
However, the DPA also notes that there is no existing case law from the European Court of Justice on “pay or okay”. Therefore, the FAQ represents its current view and many privacy experts expect that the issue will need to be settled through a referral to the CJEU.
In the meantime, complaints filed against Meta with EU DPAs are typically referred back to the Irish Data Protection Commission (DPC), the company’s lead data supervisor under the one-stop-shop (OSS) mechanism of the GDPR. This means that noyb’s complaints against Meta’s “pay or okay” tactic will likely end up on the desk of the DPC in Dublin. The Irish regulator has claimed to be reviewing Meta’s approach since the company announced the idea in summer 2021.
If the DPC decides to launch a formal inquiry into Meta’s approach, it could take years before a final decision is reached. In fact, another noyb complaint against the company’s legal basis for ads, filed in May 2018, was not decided until January 2023. This decision is now under legal appeal by Meta in Ireland.
In that case, the DPC acted on instruction from the European Data Protection Board (EDPB), which had to intervene and settle disputes between EU regulators. Therefore, a prompt crackdown on Meta’s manipulation of consent appears unlikely. However, other DPAs have the power to take action to mitigate data risks in their own markets and protect local users. They can also ask the EDPB to make their interim measures permanent and EU-wide. This happened last year when Norway’s DPA petitioned the EDPB over Meta’s legal basis for ads. By then, the company had already switched to claiming consent, avoiding regulatory intervention.
noyb is calling on the Austrian DPA to order Meta to comply with European data protection law and provide an easy way for users to withdraw their consent without paying a fee. They are also urging the imposition of a fine “to prevent further violations of the GDPR”. The group is also asking the Austrian DPA to initiate an urgency procedure, citing recent CJEU case law which suggests that DPAs have a duty to provide effective protection of data protection rights and that data subjects have the right to an urgency procedure in specific situations. However, the Austrian authority has so far resisted taking emergency measures.
So, while these regulatory complexities continue, the bottom line for Facebook and Instagram users in Europe is that their privacy remains in the hands of Mark Zuckerberg. They can only escape tracking and profiling by completely abandoning the dominant social networks, as Meta has been able to continue harvesting and using their personal data for targeted ads despite the years of scrutiny and sanctions against the company. As legal bases for processing personal data become more limited for the adtech giant, the way it presents the choice for consent is now the focus of privacy action.
