The European Data Protection Board (EDPB) has published new guidance which has major implications for adtech giants like Meta and other large platforms.
The guidance, which was confirmed incoming Wednesday as we reported earlier, will steer how privacy regulators interpret the bloc’s General Data Protection Regulation (GDPR) in a critical area.
The full opinion of the EDPB on so-called “consent or pay” runs to 42-pages.
However a market leader imposing that kind of binary choice looks unviable, per the EDPB, an expert body made up of representatives of data protection authorities from around the EU.
“Online platforms should give users a real choice when employing ‘consent or pay’ models,” Talu wrote.
Yet a binary choice (aka “consent or pay”) is exactly what Meta is currently forcing on users in the region.
The European Data Protection Board (EDPB) has been meeting this week to discuss adopting an opinion on so-called “consent or pay”, following a request made back in February by a trio of concerned data protection authorities.
A spokeswoman for the EDPB confirmed to TechCrunch that it adopted an opinion on “consent or pay” on Wednesday morning, saying it will be published later today.
However the choice Meta gives EU users is a binary one: Either consent to its use of personal data for targeted advertisng or pay a monthly fee to access ad-free versions of its social networks.
But on the core issue of whether Meta’s mechanism complies with the EU’s long-standing data protection framework the Board’s opinion is key.
Additionally, in a notable step last month, the European Union opened a formal investigation into whether Meta’s tactic breaches obligations that apply to Facebook and Instagram under the competition-focused Digital Markets Act (DMA).
The Board’s opinion on “consent or pay” is expected to provide guidance on how the EU’s General Data Protection Regulation (GDPR) should be applied in this area.
It’s worth noting the Board’s opinion will look at “consent or pay” generally, rather than specifically investigating Meta’s deployment.
Nor is Meta the only service provider pushing “consent or pay” on users.
“However, the current ‘Consent or Pay’ model sets in stone a coercive dynamic, leaving users without an actual choice.
Users of the popular site Glassdoor, which lets anyone anonymously sign up to review companies they have worked for, say Glassdoor collected and added their names to their user profiles without their consent.
It also means this information can be obtained by legal process, such as a lawsuit or police demanding access to Glassdoor user data.
As Monica explained, Glassdoor will add a user’s real name (and potentially other information) to the user’s account without their permission if Glassdoor learns it.
As part of the acquisition deal, Glassdoor signed every user up for a Fishbowl account, meaning Glassdoor would have to change its terms of service so that every Glassdoor user could also be verified.
Mackey previously defended an anonymous Glassdoor user in court whose employer tried to unmask and identify their identity.
On Tuesday, digital EVP and competition chief Margrethe Vestager cast doubt on Meta’s privacy fee, telling Reuters: “I think there are many different ways to monetize the services that you provide.
“Consumers should be given time to reflect before making that decision, and not being put under pressure to accept it quickly.”As noted above, consumer protection groups have filed a number of complaints about Meta’s privacy fee — arguing Meta is breaching EU consumer protection and privacy rules.
There’s currently no way for users in the EU to use Facebook or Instagram and not be tracked.
They suggest Meta’s strategy is a blatant attempt to circumvent EU laws by making privacy an unaffordable luxury.
Vestager’s remarks also suggest the Commission already takes the view that Meta’s privacy fee is non-compliant with the DMA.
“[W]e await feedback from the Irish Data Protection Commission [DPC], our lead data protection regulator in the EU,” he added.
While Meta’s compliance with the GDPR is led by the Irish DPC, under the regulation’s one-stop-shop.
This structure does not mean the Irish authority gets final say on Meta’s compliance with EU privacy rules, though.
In the case of Meta, this has frequently led to objections from other data protection authorities which have landed stiffer enforcements than the DPC originally proposed.
So who gets the final say on the GDPR compliance of Meta’s consent mechanism is complex too.
“The trajectory of privacy and data protection is at a critical juncture, and it is imperative that all stakeholders, including tech giants like yours, uphold their responsibilities to safeguard these rights.
One of the signatories, Pirate Party MEP Patrick Breyer, summarizes Meta’s demand for a “privacy fee” as “economic coercion”.
noyb has subsequently filed another GDPR complaint against Meta’s model, focused on how easy/not is it for people to withdraw consent.
There are also a series of consumer protection complaints in the mix — which argue Meta’s approach breaches EU consumer protection rules.
Completing the circle, consumer right groups have filed as series of GDPR complaints against Meta’s ‘pay or okay’ model, too.
It’s been over two years since a key piece of the tracking-ads’ industry’s consent collection apparatus was found to breach European Union’s data protection laws.
A simple ‘yes or no’ to ad tracking is as much friction web users should get.
Critics dub the whole cynical approach compliance theatre: An attempt by the ad industry to evade data protection law and keep tracking and profiling web users en masse by packaging systematic non-compliance inside an industry standard framework.
However action requiring reform of the framework was suspended pending a final court ruling on the IAB’s appeal.
Plus the European Data Protection Board is due to weigh in with guidance soon.
Roku users around the country turned on their TVs this week to find an unpleasant surprise: the company required them to consent to an arbitration agreement in order to access their device.
Users (at least, this user) received an email the day before saying that “we have made changes to our Dispute Resolution Terms, which describe how you can resolve disputes with Roku.
We encourage you to read the updated Dispute Resolution Terms.
But there really is something rather despicable about totally disabling a user’s device until they agree, and having basically anything the user does count as agreement.
Don’t delay or, when people sue them over how they held devices hostage in order to coerce them into consumer-hostile dispute resolution terms, you won’t be able to join in on the fun.
Google has trailed another bundle of product tweaks ahead of Thursday’s deadline for compliance with the European Union’s Digital Markets Act (DMA).
Google’s blog post further notes that users “may” see “new consent banners asking them whether they would like to link their Google services“.
The adtech giant is the DMA gatekeeper with by far the largest number of regulated platforms — eight in total; namely: Google Maps, Google Play, Google Shopping, Google Ads, Chrome, Android, Google Search and YouTube.
Elsewhere on data for ads, Google appear to be relying on its advertisers to keep a pipeline of targetable user data flowing through its ad engines.
Some of what Google is trailing in today’s blog post also appears to be re-announcing changes previously announced and/or launched in recent weeks.
