The European Data Protection Board (EDPB) has released new guidance that significantly impacts advertising technology companies like Meta, suggesting a shift in how consent mechanisms are handled within the EU.
This guidance critiques the “consent or pay” models used by platforms like Facebook and Instagram, where users are either forced to consent to data tracking for advertising or pay for an ad-free experience.
The EDPB, comprising data protection authorities from across the EU, asserts that such practices might not comply with the General Data Protection Regulation (GDPR), advocating for real choice in privacy options for users.
How Do ‘Consent or Pay’ Models Affect Users?
Since November 2023, Meta has been implementing this model across the European Union, presenting users with a stark choice: agree to be tracked and profiled for advertising purposes or opt for a paid, ad-free version of their platforms.
This approach, according to the EDPB, risks an imbalance of power between the user and the data controller and likely fails to meet the GDPR’s standards for valid consent. The detailed opinion, spanning 42 pages, was confirmed on a recent Wednesday, aiming to guide EU privacy regulators on interpreting these consent practices under the GDPR.
Advocating for Genuine User Choice
Anu Talu, chair of the EDPB, emphasized in a press release the necessity for online platforms to offer users genuine options regarding their privacy. Current models, which force users to either surrender their data or incur a cost, do not adequately inform users of the implications of these choices, according to Talu. She advocates for a model where the fundamental right to data protection is not contingent upon payment.
The guidance from the EDPB notes that it would generally not be feasible for large platforms that use consent or pay models to meet the GDPR’s requirements for valid consent. This is especially pertinent if the only options available to users are:
- Consenting to personal data processing for behavioral advertising, or
- Paying a fee.
It defines large platforms as entities identified as very large online platforms under the EU’s Digital Services Act or gatekeepers under the Digital Markets Act — as is the case with Meta.
The opinion suggests that large platforms should explore alternatives that do not involve payment for non-tracking based services. Offering a free version of the service that either uses less personal data or relies on non-behavioral advertising methods, such as contextual advertising, is advised. This approach would better align with GDPR’s valid consent standards by demonstrating that consent is genuinely freely given.
Moreover, the EDPB stresses that GDPR principles like purpose limitation, data minimization, and fairness continue to apply to all consent mechanisms. Platforms are also encouraged to adhere to the principles of necessity and proportionality and to prove that their data processing practices are generally compliant with the GDPR.
Meta’s Response to Regulatory Pressure
Meta, responding to the EDPB’s guidance through spokesman Matthew Pollard, downplayed the impact of the new guidelines, citing a 2023 ruling by the Court of Justice of the European Union (CJEU) that upheld the legality of their subscription model for personalized advertising.
However, the EDPB’s document subtly counters Meta’s interpretation of the CJEU’s decision, noting that the court’s ruling did not definitively endorse the model but rather stipulated that any such fee must be “necessary” and “appropriate.”
Meanwhile, Ireland’s Data Protection Commission, which monitors Meta’s GDPR compliance, has not commented on any specific actions it might take following the new EDPB guidance, though it noted that its review of Meta’s consent model is ongoing.
The EDPB’s guidance could reshape how consent is sought and given across the tech industry, especially among giants like Meta, who have relied heavily on user data to drive their advertising revenues. This might prompt a broader reevaluation of consent practices across the sector, particularly as the EDPB plans to develop more comprehensive guidelines on consent-or-pay models and engage with stakeholders in the future.
Privacy rights groups, such as noyb led by Max Schrems, have criticized the EDPB’s statements for not decisively declaring the “consent or pay” model illegal, suggesting that the guidance, while comprehensive, leaves room for ongoing legal ambiguity and debate.
Related News:
Featured Image courtesy of DADO RUVIC/REUTERS