“Pay or consent” mechanisms, also known as ad-free subscription models, have recently gained great traction and simultaneously came under scrutiny by regulators. In these business models, data subjects are given a choice between giving their consent for data processing for purposes beyond what is necessary for the execution of the contract nor an admissible legitimate interest (such as personalized advertising) or paying a monthly subscription, to gain access to a digital service and its content.
These models raise several questions regarding the nature of data protection as a fundamental right, personal data as counter-performance, which have already been previously discussed in the EU during the legislative procedure and approval of two consumer law directives, Directive 2019/770 on the supply of digital content and services, and Directive 2019/2161, on the modernization of consumer law (Directive Omnibus). However, these new practices have led to greaterscrutiny on the admissibility of consent as a valid legal basis for processing in the context of social media and personalized advertising.
Succinctly, the General Data Protection Regulation (GDPR) stipulates that consent for data processing must meet certain criteria, including being freely given, specific, informed, and unambiguous. Controllers must pay close attention to ensure that consent is given voluntarily, particularly in cases where providing a service or fulfilling a contract relies on consent for data processing that is not strictly necessary for the contractual obligations.
Meta’s new policy and its origins
This greater focus came about due to Meta’s announcement of the adoption of this model for their social media platforms in October, for the EU, EEA and Switzerland. Users in these jurisdictions are required to either consent to data processing and have adds on their Facebook and Instagram feeds or pay a monthly subscription (12.99€ for a service, plus 8€ for both).
Meta had previously attempted to rely on other legal basis for processing. When the GDPR came into force in 2018, it changed its terms and conditions to make the processing of data for behavioral 2 advertising necessary for the execution of the contract. After several years of ligation, and a decision of EDPB, the Irish Data Protection Commission deemed this practice to be non-compliant with the GDPR in January 2023. Meta still attempted to switch the legal basis for legitimate interest, but it was deemed insufficient. Meta was banned by the Norwegian Data Protection Authority from processing personal data for behavioral advertising on the basis on execution of the contract and legitimate interests. This initial temporary ban in Norway was afterwards made permanent and extended to the whole EEA and confirmed by the European Union Court of Justice (CJEU)’s decision on C-252/21 Meta Platforms.
Complaints to Data Protection Authorities and request to EDPB
After Meta’s announcement, several stakeholders began procedures to challenge the admissibility of this model:
• NOYB, the data protection NGO which has challenged Meta’s practices in the past, filed a complaint with Austrian DPA, arguing that this mechanism placed a 251€ yearly price on data subjects’ fundamental right.
• BEUC, similarly placed complaints with consumer protection authorities, arguing from a consumer law approach. Finally, the Norwegian Data Protection Authority, with the support of the data protection authorities of the Netherlands and Hamburg asked the EDPB to issue an opinion on this matter.
Prior decisions regarding the admissibility of “pay or consent”
“Pay or consent” mechanisms have been adopted by services providers in the past (most commonly by news websites and newspapers) so these mechanisms have already been analyzed by some data protection authorities in the past:
• The Austrian DPA found that derStandard, an Austrian newspaper, had implemented a pay or consent model through a cookie banner which infringed the GDPR.
• The Lower Saxony DPA concluded that the heise.de, an influential german tech-focused newspaper, had improperly implemented a pay or consent model.
• The Danish Data Protection Authority decided that GulogGratis, an online marketplace, had set up a pay or consent model that was partially invalid. It processed data on the basis of 3 consent for both behavioral advertising and statistical purposes. For the DPA, the consent was valid in regard to former but improper for the latter, as it wasn’t properly justified nor could data subjects’ consent to it separately.
• The Conference of Independent Data Protection Supervisory Authorities of the Federal Government and the Länder published a decision detailing that in theory, pay or consent models could be valid under certain conditions.
While not a DPA; the European Union Court of Justice (CJEU)’s decision on C-252/21 alluded to the validity of consent for behavioral advertising given to access a social network such as Facebook if there is an equivalent adequately priced paid option without these data processing activities.
EDPB much awaited position
The EDPB deliberated on this matter during its plenary session on February 13th, but has yet to publish a decision regarding the request made by the Norwegian, Dutch, and Hamburg Data Protection Authorities. In addition to devising an opinion addressing these practices in the context of large online platforms, the EDPB acknowledged the need for broader guidelines to be applicable across a wide range of services and economic activities. However, the adoption of these guidelines has been postponed until after the decision has been published.