EU Privacy Protection: Groups Urge Meta to Abandon ‘Consent or Payment’ Strategy

Additionally, in a notable step last month, the European Union opened a formal investigation into whether Meta’s tactic breaches obligations that apply to Facebook and Instagram under the competition-focused Digital Markets Act (DMA). The Board’s opinion on “consent or pay” is expected to provide guidance on how the EU’s General Data Protection Regulation (GDPR) should be applied in this area. It’s worth noting the Board’s opinion will look at “consent or pay” generally, rather than specifically investigating Meta’s deployment. Nor is Meta the only service provider pushing “consent or pay” on users. “However, the current ‘Consent or Pay’ model sets in stone a coercive dynamic, leaving users without an actual choice.

Ahead of a full meeting of the European Data Protection Board (EDPB) this week (April 16 and 17), which is expected to produce guidance on a controversial tactic used by Meta to force Facebook and Instagram users to consent to its tracking, almost two dozen civil society groups and nonprofits have penned an open letter urging the bloc’s data protection bodies not to endorse a strategy they say is intended to bypass the EU’s privacy protections for commercial gain.

Many of the signatories, which include the likes of EDRi, Access Now, noyb and Wikimedia Europe, signed a similar open letter to the EDPB in February. But with the Board expected to adopt an opinion on so-called “consent or pay” (aka “pay or okay”) as soon as Wednesday this is likely to be the last chance for the rights groups to sway hearts and minds on an issue they warn is “pivotal” and has “profound significance” for the future of data protection and privacy in Europe.

“As you prepare to shape guidelines on the ‘Consent or Pay’ model, we urge you to refrain from endorsing a strategy that is merely an effort to bypass the EU’s data protection regulations for the sake of commercial advantage and advocate for robust protections that prioritise data subjects’ agency and control over their information,” they write, adding: “Emphasising the need for genuine choice and meaningful consent aligns with the foundational principles of data protection legislation, the larger context of all relevant CJEU rulings and serves to uphold the fundamental rights of individuals across the EEA [European Economic Area].”

Meta, which refers to its implementation of the consent or be tracked tactic as “Subscription for no ads”, was contacted for a response to the group’s concerns. Company spokesman, Matthew Pollard, emailed us a statement (below) — in which it claims the offer is compliant with EU laws:

‘Subscription for no ads’ addresses the latest regulatory developments, guidance and judgments shared by leading European regulators and the courts over recent years. Specifically, it conforms to direction given by the highest court in Europe: in July, the Court of Justice of the European Union (CJEU) endorsed the subscriptions model as a way for people to consent to data processing for personalised advertising.’

A raft of complaints have been filed against Meta’s implementation of pay or consent since it launched the “no ads” subscription offer last fall, under EU privacy and consumer protection laws. Additionally, in a notable step last month, the European Union opened a formal investigation into whether Meta’s tactic breaches obligations that apply to Facebook and Instagram under the competition-focused Digital Markets Act (DMA). That probe remains ongoing.

The EU also recently questioned Meta about “consent or pay” using oversight powers it has to monitor larger platforms’ compliance with the Digital Services Act (DSA), a sister regulation to the DMA — which also applies to Meta’s social networks, Facebook and Instagram.

The Board’s opinion on “consent or pay” is expected to provide guidance on how the EU’s General Data Protection Regulation (GDPR) should be applied in this area. However it looks relevant to the DMA too, as the newer market contestibility law builds on the bloc’s data protection framework — referring to concepts set out in the GDPR, such as consent.

This means guidance from the EDPB, a GDPR-focused steering body, on how — or, indeed, whether — “consent or pay” models can comply with EU data protection rules is likely to have wider significance for whether the mechanism is ultimately deemed compliant by the Commission in its assessment of Meta’s approach to the DMA.

It’s worth noting the Board’s opinion will look at “consent or pay” generally, rather than specifically investigating Meta’s deployment. Nor is Meta the only service provider pushing “consent or pay” on users. (The tactic was actually pioneered by a handful of European news publishers.)

Nonetheless, it is likely to have major implications for the social networking giant — either making it harder for Meta to claim its subscription tactic is GDPR compliant; or, if the EDPB ends up endorsing a controversial model where users have to pay to obtain their rights, champagne corks will surely be popping at 1 Hacker Way as Meta prevails over Europeans’ privacy.

The rights groups behind the open letter say the fact of penning two letters on this topic a few weeks apart reflects “widespread apprehension about the consequences” of “consent or pay” being rubberstamped by privacy regulators.

Privacy rights group noyb and others have warned that a green light for the tactic won’t only reward Meta either: They suggest it’ll open the flood gates to apps of every stripe and type to leverage economic coercion to force users to be tracked — gutting key planks of the EU’s flagship data protection regime.

The letter points to concerns expressed by the Commission following its opening of a DMA investigation into Meta’s deployment of “Consent or Pay” as a regulated gatekeeper — in which the EU cited misgivings that “the binary choice imposed by Meta’s ‘pay or consent’ model may not provide a real alternative in case users do not consent”; and could, therefore, lead to a continuing accumulation of personal data and loss of privacy for users.

They also argue that the payment relied upon in the “consent or pay” model “could be deemed a degradation of service conditions”, which they suggest breaches Article 13(6) DMA — “which corresponds to the fairness principle under Article 5(1)(a) GDPR”. “Given that both acts refer to Article 4(11) GDPR, this underscores pressing need to protect freely given consent consistently in the context of the DMA as well as under the GDPR,” they add.

The letter further notes the Commission has previously expressed doubts that consent or pay is “a credible alternative to tracking” — in relation to efforts to encourage businesses to simplify cookie consent flows (aka the “Cookie Pledge”) — because of the “extremely limited” number of consumers who agree to pay in lights of how many different apps and websites they may use each day.

It also points out the EDPB’s response to the Commission’s Cookie Pledge proposal contained what they couch as a clarification “that this ‘less intrusive’ option should be offered free of charge”.

“This insistence on genuine user choice underscores the fundamental principle that consent must be freely given,” it goes on. “However, the current ‘Consent or Pay’ model sets in stone a coercive dynamic, leaving users without an actual choice. The continued acceptance of this model undermines the fundamental principles of consent and perpetuates a system that prioritises commercial interests over individual rights.”

We reached out to the EDPB for a response to the letter, and with questions about the upcoming opinion on “consent or pay”, but it had not responded at press time.

Avatar photo
Kira Kim

Kira Kim is a science journalist with a background in biology and a passion for environmental issues. She is known for her clear and concise writing, as well as her ability to bring complex scientific concepts to life for a general audience.

Articles: 836

Leave a Reply

Your email address will not be published. Required fields are marked *