EDPB Issues Guidance to Data Protection Regulators on Meta’s ‘Consent or Pay’ Model: “Real Choice” Must Be Offered

Long-awaited guidance on Meta’s ‘consent or pay’ model has been issued to data protection regulators by the EU’s Data Protection Board, and the determination is that large platforms will likely be required to offer some sort of third option that allows users to opt out of targeted advertising profiling without having to pay a subscription.

The issue is essentially a last stand for Meta in its bid to avoid complying with General Data Protection Regulation (GDPR) requirements regarding consent for targeted advertising, having exhausted all of its other potential exemption options. While the guidance makes it clear that Meta’s ‘consent or pay’ model will continue to be legally perilous, it also does not provide an entirely clear picture of what that third “real choice” option must look like.

Long-awaited guidance from data protection regulators seen as a blow to “pay or ok” models

The European Data Protection Board (EDPB) has issued non-binding guidance that finds Meta’s ‘consent or pay’ model is unlikely to be found valid if the only choice for consumers is to either give up all of their personal data, or pay a subscription fee for privacy.

The guidance to the data protection regulators calls for an “equivalent alternative” to the paid option that does not have a fee attached to it; otherwise, at least for operations that meet the “large platform” definition, they are very likely to be found in violation of the GDPR.

The board names some specific factors that data protection regulators must consider when developing this “third option,” and when opting to allow users to pay for privacy. Platforms must consider whether there is “an imbalance of power between the individual and the controller,” or if the individual would have a reasonable need (e.g. LinkedIn for business connections and job hunting) to use the service that might compel them to pay a fee they might otherwise find unacceptable, and would lack similar options of comparable size and reach.

Platforms also must consider the appropriateness of any fee they might charge. Meta’s ‘consent or pay’ model has run into issues with this already, with privacy crusader Max Schrems noting in a GDPR complaint that the company charges more than it would reasonably expect to make from ad revenue from the average user.

Meta’s ‘consent or pay’ likely headed back to the drawing board

The guidance ultimately determines that models like Meta’s ‘consent or pay’ are not going to pass muster in terms of GDPR review, but it will take action by regional regulators to initiate any kind of enforcement action. In Meta’s case that would be a decision for Ireland’s Data Protection Commission, which directly governs it in the EU, but three other data protection regulators also have investigations into the model open: those of Hamburg, Norway and the Netherlands.

As it stands, the guidance would also only apply to platforms designated as “Very Large Online Platforms” (VLOP) under the Digital Services Act. However, the ruling might also apply to platforms designated as gatekeepers under the Digital Markets Act.

While all of this seems to shoot down Meta’s ‘consent or pay’ model, it does not offer complete clarity for the future of privacy-preserving subscription schemes. The guidance appears to greenlight them so long as the fee is “appropriate” and they are paired with some sort of free privacy-protecting alternative. However, exactly what that alternative must look like remains unclear.

As the company worked its way through possible GDPR exceptions to gathering user consent, Meta’s ‘consent or pay’ structure was likely saved for last as it was almost certain to run into GDPR difficulties once pressed by data protection regulators. But the guidance does clarify one important aspect of the process: large platforms are being asked to collect explicit user consent to do targeted ad profiling, and this standard may well be applied to smaller platforms upon further review by regulators.

Meta’s ‘consent or pay’ has been in place since November, charging about €10 monthly for ad-free access to Facebook and Instagram. The company pledged to cut that to €6 in March after complaints about the pricing as compared to its usual ad revenue per user. The scheme rolled out just before a ban on its behavioral processing practices that was initiated by Norway’s data protection regulators went into effect, essentially ending Meta’s last attempt at a GDPR exemption from user consent. Consumer advocacy groups in the EU have been almost universal in condemnation of the model, arguing that it will be adopted by just about every other large platform if it is upheld legally and that in turn will cause the internet to segment into paywalled services that will be too costly to maintain access to.