The discovery of a new guidance published by the European Data Protection Board (EDPB) has shaken up the adtech industry. This revelation has major implications for big platforms like Meta, who have built their business on targeted advertising.
The EDPB’s confirmation, released on a Wednesday, will have a significant impact on how privacy regulators interpret the General Data Protection Regulation (GDPR). The EDPB’s full opinion on the controversial “consent or pay” approach spans an extensive 42 pages.
Other large platforms that rely on ad-funded models should also take note of the detailed guidance provided by the EDPB. However, it seems that Meta may be standing in the crosshairs, as their business model heavily relies on surveillance and tracking.
The reason for this is due to Meta’s implementation of a “consent or pay” model for European users since November 2023. This gives users a choice between agreeing to be tracked and profiled for ad targeting or paying a monthly subscription for an ad-free version of the platform. However, the Board has deemed this binary choice to be unsustainable, particularly when there is an imbalance of power between individuals and data controllers, especially for those who rely heavily on the platform.
According to Anu Talu, the chair of the EDPB, platforms must provide users with a real choice for their privacy. She stated, “Online platforms should give users a real choice when employing ‘consent or pay’ models. The current models often force individuals to either give up all of their data or pay a fee, which leads to most users simply agreeing to the data processing without fully understanding the implications of their decision.”
The EDPB notes that negative consequences are likely to occur when large online platforms use a ‘consent or pay’ model to obtain consent for the processing.
The EDPB also states that in most cases, it will not be possible for large online platforms to comply with the GDPR’s requirement for valid consent if they only offer users a choice between consenting to targeted advertising or paying a fee, as Meta currently does.
The Board defines large platforms as entities designated as very large online platforms under the EU’s Digital Services Act or gatekeepers under the Digital Markets Act – a category that Meta falls under as they operate both Facebook and Instagram.
The Board goes on to state that if controllers do choose to charge a fee for access to an alternative that does not include targeted advertising, they must also offer a free alternative without behavioural advertising and with minimal personal data processing.
The EDPB also reminds platforms that other core principles of the GDPR, such as purpose limitation, data minimisation, and fairness, still apply to consent mechanisms. They are also responsible for ensuring that their processing is in line with the GDPR.
Meta’s Response
In response to the EDPB’s opinion, Meta’s spokesman Matthew Pollard claimed that their “subscription for no-ads” model complies with EU laws. However, the Ireland’s Data Protection Commission, who oversees Meta’s GDPR compliance, declined to comment as the case is currently ongoing.
Since the launch of their subscription model last year, Meta has consistently argued that it complies with relevant EU regulations. However, they have seized upon a single line from the July 2023 ruling by the EU’s top court, where the judges did not explicitly rule out the possibility of charging for a non-tracking alternative as long as it was “necessary” and “appropriate.”
In contrast, the EDPB’s opinion clarifies that this line was not the central element in the CJEU’s decision and argues that the charging of a fee should only be considered if it enhances the freedom of choice for users.
However, the EDPB’s opinion does not preclude the possibility of charging for a non-tracking alternative entirely. Nonetheless, it strongly encourages platforms to provide non-intrusive alternatives to advertising, such as contextual or topic-based advertising, as a way to ensure that consent is freely given.
In addition, the EDPB plans to release broader guidelines on consent or pay models and engage with stakeholders to develop these guidelines further. This will have significant implications for European news publishers, who have been early adopters of the consent or pay approach.
For a tech giant as dominant and well-resourced as Meta, it’s hard to see how it can dodge asking why they aren’t offering less privacy-intrusive alternatives – and if not, asking regulators to do something about it.
However, this new opinion by the EDPB will make it harder for adtech giants like Meta to continue to exploit forced consent tactics. Founder and Chairman of privacy rights nonprofit noyb, Max Schrems, believes that while the opinion makes it clear that Meta cannot rely on the “pay or okay” approach, the Board has not gone far enough.
Schrems argues that the EDPB should have taken a clearer stance on the illegality of this model, as there are still thousands of pages where this issue hasn’t been addressed. But with the EDPB’s latest intervention, it seems that Meta may need to start considering more privacy-friendly alternatives, or they will face further scrutiny from EU regulators.