Adtech giants like Meta must give EU users real privacy choice, says EDPB
The European Data Protection Board (EDPB) has published new guidance which has major implications for adtech giants like Meta and other large platforms.
The guidance, which was confirmed incoming Wednesday as we reported earlier, will steer how privacy regulators interpret the bloc’s General Data Protection Regulation (GDPR) in a critical area. The full opinion of the EDPB on so-called “consent or pay” runs to 42-pages.
Other large ad-funded platforms should also take note of the granular guidance. But Meta looks first in line to feel any resultant regulatory chill falling on its surveillance-based business model.
This is because — since November 2023 — the owner of Facebook and Instagram has forced users in the European Union to agree to being tracked and profiled for its ad targeting business or else they must pay it a monthly subscription to access ad-free versions of the services. However a market leader imposing that kind of binary choice looks unviable, per the EDPB, an expert body made up of representatives of data protection authorities from around the EU.
“The EDPB notes that negative consequences are likely to occur when large online platforms use a ‘consent or pay’ model to obtain consent for the processing,” the Board opines, underscoring the risk of “an imbalance of power” between the individual and the data controller, such as in cases where “an individual relies on the service and the main audience of the service”.
In a press release accompanying publication of the opinion, the Board’s chair, Anu Talu, also emphasized the need for platforms to provide users with a “real choice” over their privacy.
“Online platforms should give users a real choice when employing ‘consent or pay’ models,” Talu wrote. “The models we have today usually require individuals to either give away all their data or to pay. As a result most users consent to the processing in order to use a service, and they do not understand the full implications of their choices.”
“Controllers should take care at all times to avoid transforming the fundamental right to data protection into a feature that individuals have to pay to enjoy. Individuals should be made fully aware of the value and the consequences of their choices,” she added.
In a summary of its opinion, the EDPB writes in the press release that “in most cases” it will “not be possible” for “large online platforms” that implement consent or pay models to comply with the GDPR’s requirement for “valid consent” — if they “confront users only with a choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee” (i.e. as Meta currently is).
The opinion defines large platforms, non-exhaustively, as entities designated as very large online platforms under the EU’s Digital Services Act or gatekeepers under the Digital Markets Act (DMA) — again, as Meta is (Facebook and Instagram are regulated under both laws).
“The EDPB considers that offering only a paid alternative to services which involve the processing of personal data for behavioural advertising purposes should not be the default way forward for controllers,” the Board goes on. “When developing alternatives, large online platforms should consider providing individuals with an ‘equivalent alternative’ that does not entail the payment of a fee.
“If controllers do opt to charge a fee for access to the ‘equivalent alternative’, they should give significant consideration to offering an additional alternative. This free alternative should be without behavioural advertising, e.g. with a form of advertising involving the processing of less or no personal data. This is a particularly important factor in the assessment of valid consent under the GDPR.”
The EDPB takes care to stress that other core principles of the GDPR — such as purpose limitation, data minimisation and fairness — continue to apply around consent mechanisms, adding: “In addition, large online platforms should also consider compliance with the principles of necessity and proportionality, and they are responsible for demonstrating that their processing is generally in line with the GDPR.”
Given the detail of the EDPB’s opinion on this contentious and knotty topic — and the suggestion that lots of case-by-case analysis will be needed to make compliance assessments — Meta may feel confident nothing will change in the short term. Clearly it will take time for EU regulators to analyze, ingest and act on the Board’s advice.
Contacted for comment, Meta spokesman Matthew Pollard emailed a brief statement playing down the guidance: “Last year, the Court of Justice of the European Union [CJEU] ruled that the subscriptions model is a legally valid way for companies to seek people’s consent for personalised advertising. Today’s EDPB Opinion does not alter that judgment and Subscription for no ads complies with EU laws.”
Ireland’s Data Protection Commission, which oversees Meta’s GDPR compliance and has been reviewing its consent model since last year, declined to comment on whether it will be taking any action in light of the EDPB guidance as it said the case is ongoing.
Ever since Meta launched the “subscription for no-ads” offer last year it has continued to claim it complies with all relevant EU regulations — seizing on a line in the July 2023 ruling by the EU’s top court in which judges did not explicitly rule out the possibility of charging for a non-tracking alternative but instead stipulated that any such payment must be “necessary” and “appropriate”.
Commenting on this aspect of the CJEU’s decision in its opinion, the Board notes — in stark contrast to Meta’s repeat assertions the CJEU essentially sanctioned its subscription model in advance — that this was “not central to the Court’s determination”.
“The EDPB considers that certain circumstances should be present for a fee to be imposed, taking into account both possible alternatives to behavioural advertising that entail the processing of less personal data and the data subjects’ position,” it goes on with emphasis. “This is suggested by the words ‘necessary’ and ‘appropriate’, which should, however, not be read as requiring the imposition of a fee to be ‘necessary’ in the meaning of Article 52(1) of the Charter and EU data protection law.”
At the same time, the Board’s opinion does not entirely deny large platforms the possibility of charging for a non-tracking alternative — so Meta and its tracking-ad-funded ilk may feel confident they’ll be able to find some succour in 42-pages of granular discussion of the intersecting demands of data protection law. (Or, at least, that this intervention will keep regulators busy trying to wrap their heads about case-by-case complexities.)
However the guidance does — notably — encourage platforms towards offering free alternatives to tracking ads, including privacy-safe(r) ad-supported offerings.
The EDPB gives examples of contextual, “general advertising” or “advertising based on topics the data subject selected from a list of topics of interests”. (And it’s also worth noting the European Commission has also suggested Meta could be using contextual ads instead of forcing users to consent to to tracking ads as part of its oversight of the tech giant’s compliance with the DMA.)
“While there is no obligation for large online platforms to always offer services free of charge, making this further alternative available to the data subjects enhances their freedom of choice,” the Board goes on, adding: “This makes it easier for controllers to demonstrate that consent is freely given.”
While there’s rather more discursive nuance to what the Board has published today than instant clarity served up on a pivotal topic, the intervention is important and does look set to make it harder for mainstream adtech giants like Meta to frame and operate under false binary privacy-hostile choices over the long run.
Armed with this guidance, EU data protection regulators should be asking why such platforms aren’t offering far less privacy-hostile alternatives — and asking that question, if not literally today, then very, very soon.
For a tech giant as dominant and well resourced as Meta it’s hard to see how it can dodge answering that ask for long. Although it will surely stick to its usual GDPR playbook of spinning things out for as long as it possibly can and appealing every final decision it can.
Privacy rights nonprofit noyb, which has been at the forefront of fighting the creep of consent or pay tactics in the region in recent years, argues the EDPB opinion makes it clear Meta cannot rely on the “pay or okay” trick any more. However its founder and chairman Max Schrems told TechCrunch he’s concerned the Board hasn’t gone far enough in skewering this divisive forced consent mechanism.
“The EDPB recalls all the relevant elements, but does not unequivocally state the obvious consequence, which is that ‘pay or okay’ is not legal,” he told us. “It names all the elements why it’s illegal for Meta, but there is thousands of other pages where there is no answer yet.”
As if 42-pages of guidance on this knotty topic wasn’t enough already, the Board has more in the works, too: Talus says it intends to develop guidelines on consent or pay models “with a broader scope”, adding that it will “engage with stakeholders on these upcoming guidelines”.
European news publishers were the earliest adopters of the controversial consent tactic so the forthcoming “broader” EDPB opinion is likely to be keenly watched by players in the media industry.