Top EU Privacy Body Says “Consent or Pay” Approaches Must Offer a Real Choice

August 2023 saw one of the most significant developments in the world of online privacy. Meta announced that it would seek consent from users for behavioral ads in Europe. As we reported in December, Meta actually meant that anyone who wanted to protect their privacy from adtech would need to pay a subscription fee – €120 (about $130) per year on the web, or €156 (about $170) per year on iOS and Android – to remove ads.  

This represented a radical shift both in how social media is funded and how surveillance-based advertising is operated. In January 2024, the data protection authorities of Norway, the Netherlands, and Germany asked the EU’s top privacy body, the European Data Protection Board (EDPB), to issue an opinion on whether the so-called “consent or pay” system adopted by Meta was permitted under the EU’s GDPR privacy law.  

The EDPB has now published its views on the approach. It does not believe that “consent or pay” models can comply with the GDPR’s requirement for user consent. According to the EDPB, if users only have a choice between paying a fee or consenting to give up their privacy, they might “feel compelled to consent” to save money and retain access to important social networks.  The EDPB says:

When developing alternatives, large online platforms should consider providing individuals with an ‘equivalent alternative’ that does not entail the payment of a fee. If controllers do opt to charge a fee for access to the ‘equivalent alternative’, they should give significant consideration to offering an additional alternative. This free alternative should be without behavioral advertising, e.g. with a form of advertising involving the processing of less or no personal data. 

That last point is important, as the privacy organization noyb points out in its commentary on the EDPB opinion:

The EDPB also mentioned the possibility of introducing a third option beyond “Pay or Okay”, which has so far been largely ignored by the industry. In fact, there are many ways to monetise a website, such as contextual advertising, product placement, paid content or freemium models where certain content is only available for a fee. While the industry tries to limit the discussion to two options (“pay” or “okay”), the EDPB has emphasised that the GDPR does not limit other ways of funding products – even if they may be less profitable.

The EDPB opinion is not the end of the story.  As Max Schrems, chairman of noyb, writes: 

We are concerned that today’s first opinion is rather cautious and was based on limited facts. Once all the facts are on the table, we are confident that ‘Pay or Okay’ will be declared unlawful across the board. We know that ‘Pay or Okay’ shifts consent rates from about 3% to more than 99% – so it is as far from ‘freely given’ consent as North Korea is from a democracy. It is crucial to get all the relevant numbers for further decisions beyond Meta and larger platforms.

Will “Consent or Pay” Approaches Be Allowed?

The battle over whether paying for privacy will be permitted in the EU is not over. The last few months have seen plenty of activity from groups defending privacy, the adtech industry, and government bodies. For example, in February, eight groups from the BEUC network of EU consumer protection bodies filed complaints with their national data protection authorities against what Ursula Pachl, BEUC’s Deputy Director General, called Meta’s “unfair ‘pay-or-consent’ choice.”

At the beginning of March, the European Commission sent a formal request to Meta to provide more information about its “subscription for no ads” options on Facebook and Instagram. A few days later, 13 digital rights organizations sent an open letter to the EDPB urging it to “take a decisive stance against the controversial ‘Pay or Consent’ models”.

 In the UK, the Information Commissioner’s Office launched a “call for views” on the “consent or pay” approach. The same month, 39 members of the European Parliament sent an open letter to Sir Nick Clegg, Meta’s president of global affairs, to express their “deep concerns regarding [his] company’s ‘pay or okay’ approach.” EU antitrust chief Margrethe Vestager added her own warning to Meta about its new business model, reminding the company that there are many ways to pay for social media services, including making advertising contextual.  

Following this mounting criticism from EU officials, Meta offered to cut the monthly subscription fee for Facebook and Instagram by almost half. On the same day, several adtech industry organizations came out in support of the “consent of pay model” in an open letter to the EDPB. They claimed the allegation that the “consent or pay” model amounts to users having to pay to protect their personal data was “misleading.”

Most of the criticism against Meta’s “consent or pay” model has focused on its incompatibility with GDPR. At the end of March, the European Commission broadened the discussion by opening a non-compliance investigation against Meta under the new EU Digital Markets Act.  The European Commission said that it was “concerned that the binary choice imposed by Meta’s ‘pay or consent’ model may not provide a real alternative if users do not consent, thereby not achieving the objective of preventing the accumulation of personal data by gatekeepers.”

This is an important battle that’s actively engaging some of the most important players in the world of online privacy. The outcome matters because what happens in the EU tends to spread to the rest of the world. This could occur through laws in other countries being written based on the EU’s rulings, or through major online companies deciding to make EU compliance the global standard for their services.