In Part I, we discussed the European Commission’s (“Commission”) disapproval of Meta’s “pay or consent” subscription model. In Part II, we delve into the European Commission’s findings, prior findings by the European Data Protection Board (EDPB), and how those findings may affect future models where privacy is considered “for sale.”
The European Commission’s Findings Against Meta
The Commission’s preliminary view is that Meta’s model does not comply with Article 5(2) of the Digital Markets Act (DMA), which requires that users who do not consent to data combination must still have access to an equivalent service that uses less of their personal data. The investigation, which began in March 2024, highlighted that Meta’s model does not provide an equivalent service that uses less personal data for users who refuse consent. In other words, the model coerces users into consenting to personalized ads to avoid paying a fee, undermining their rights to freely consent to the use and processing of their personal data.
The Commission emphasized that compliance with the DMA means offering users an equivalent alternative that respects their data privacy choices without forcing them into consent through financial penalties.
Non-compliance with the DMA can lead to fines of up to 10% of a gatekeeper’s total worldwide turnover, increasing to 20% for repeated infringements. Additionally, the Commission can impose operational remedies, such as compelling Meta to divest parts of its business or restricting future acquisitions. Meta now has the opportunity to respond to these preliminary findings by examining the investigation documents and submitting a written defense. The investigation will conclude within 12 months from the opening of proceedings on March 25, 2024.
The EDPB’s Opinion on “Consent or Pay” Models
Earlier this year, the EDPB adopted Opinion 08/2024 in response to a request from the Dutch, Norwegian, and Hamburg data protection authorities. The opinion addresses the validity of consent to process personal data for behavioral advertising in “consent or pay” models implemented by large online platforms.
The EDPB defines “consent or pay” models as scenarios where users must either consent to the processing of their personal data (typically for behavioral advertising) or pay a fee to access the service without such data processing. The EDPB’s opinion specifically targets large online platforms, which, due to their significant user base and influence, require a consistent regulatory approach across the European Economic Area (EEA). This uniformity is crucial given the widespread impact on data subjects.
EDPB Chair Anu Talus highlighted the need for online platforms to provide users with a real choice, noting that current models often force users to either give away all their data or pay a fee. The EDPB considers that in most cases, such models do not comply with the GDPR’s requirements for valid consent, which must be freely given, informed, specific, and unambiguous.
The EDPB’s opinion stressed that consent must be given without any form of coercion or significant negative consequences for the user. A “pay or consent” model can only satisfy this requirement if the fee is not prohibitively high, ensuring that users have a genuine choice. The fee should not exclude users from essential services, especially those crucial for social or professional engagement. Users must fully understand what they are consenting to, including clear information on the nature and purpose of data processing and the consequences of giving or withholding consent. The EDPB stresses the importance of transparency and cautions against complex or deceptive designs that could mislead users, similar to the prohibition on “dark patterns” under U.S. state privacy laws.
Consent must be specific to distinct processing activities. Users should have the option to consent to various data processing purposes separately. The practice of bundling multiple purposes into a single consent request undermines the specificity required by the GDPR. The process for obtaining consent must be straightforward and clearly indicate the user’s intentions without any ambiguity. Users should be able to give their consent through clear, affirmative actions.
The Commission’s preliminary findings against Meta align closely with the EDPB’s Opinion 08/2024. Both regulatory bodies emphasize that Meta’s “pay or consent” model fails to provide users with a genuinely equivalent alternative to consent for data processing. The EDPB’s opinion highlights that such models often do not meet GDPR standards for valid consent, while the Commission’s findings indicate that Meta’s model violates the DMA by coercing users into consenting to certain data processing.
The EDPB recommends that platforms should provide an equivalent alternative that does not involve behavioral advertising and does not require a fee. This alternative should ensure that all users can access the service without being forced into a binary choice. If behavioral advertising is necessary, platforms should consider using less intrusive forms of advertising that do not rely on extensive data processing. This approach aligns with the GDPR’s data minimization principle, which mandates that only data necessary for the intended purpose should be processed. This is also in alignment with U.S. state privacy law requirements to only process “relevant and reasonably necessary” data.
Platforms must provide clear and comprehensive information about data processing activities, including detailed explanations of what data will be collected, how it will be used, and the potential impacts on users’ privacy. Transparency is crucial to ensure that users can make informed decisions.
The EDPB highlights challenges in balancing business models that rely heavily on advertising revenue with compliance requirements. Platforms must implement mechanisms that genuinely offer users a choice without coercion or undue influence. This includes setting appropriate fee levels and providing clear, understandable information about data processing practices. Platforms must continuously adapt their practices to meet evolving regulatory expectations, ensuring that user rights are consistently upheld.
Conclusion
The EDPB’s opinion underscores the importance of adhering to fundamental GDPR principles in the context of “consent or pay” models. It calls for large online platforms to ensure that their consent mechanisms are designed to offer real, uncoerced choices to users, maintaining the integrity of data protection rights. Compliance with these guidelines is crucial not only for legal adherence but also for fostering trust and transparency with users. Further, these concepts are present under U.S. law, and there is growing cooperation between U.S. privacy regulators and EU data protection authorities to address issues such as consent, targeted advertising, data minimization, and transparency.
The outcome of this investigation will have far-reaching implications for many businesses, setting a precedent for the enforcement of gatekeeper practices and the promotion of a fair and competitive digital market. This case exemplifies the EU’s commitment to regulating the power of large digital companies and fostering an open digital landscape. This case also provides insight into U.S. regulatory priorities and previews how privacy issues could be addressed under U.S. state privacy laws. Our team at Bradley will continue to monitor these developments.