Adtech giant Meta’s bid to keep tracking and profiling users of Facebook and Instagram in Europe in spite of the bloc’s comprehensive data protection laws is facing a second challenge from privacy rights advocacy group noyb. It’s supporting a new complaint, which is being filed with the Austrian data protection authority, that alleges the company is breaching EU law by framing a choice that makes it far harder for users to withdraw consent to its tracking ads than to agree.
Wind your mind back to last year and you’ll recall a couple of major privacy decisions against Meta (in January; and July) invalidated the legal bases it had previously claimed for processing Europeans’ data for ad targeting — after literally years of privacy campaigner complaints.
What then followed, last fall, was a claim from Meta that it would be switching to a consent basis for tracking. However the choice it framed requires users who don’t want to be tracked and profiled to pay it for monthly subscriptions to access ad-free versions of its products. Facebook and Instagram users who wish to continue to get free access to the services have to “consent” to its tracking — which Meta claims is valid consent under the bloc’s General Data Protection Regulation (GDPR). But of course noyb, and the complainants its supporting, disagrees.
Where noyb’s earlier complaint against Meta’s version of consent, filed with the Austrian DPA last November, focused on how much Meta is charging users not to be tracked — an initial cost of €9.99/month on web or €12.99/month on mobile per linked account — which it argues is “way out of proportion” to how much value the company derives per user, this second complaint addresses how easy (or rather not easy) Meta makes it is for users to withdraw their consent to tracking under the arrangement.
Withdrawing consent in the scenario Meta has devised requires users to sign up for a monthly subscription. Whereas agreeing to its tracking is a breeze: Users just need click ‘okay’. The legal issue here is that the GDPR requires consent to be as easy to withdraw as it is to grant. So noyb’s follow-up complaint targets the inherent friction in Meta charging users money to protect their privacy.
“Once users have consented to being tracked, there’s no easy way to withdraw it at a later date,” it writes in a press release. “This is illegal. Despite Article 7 of the GDPR clearly stating that ‘it shall be as easy to withdraw as to give consent’, the only option to ‘withdraw’ the (one-click) consent, is to buy a €251.88 subscription. In addition, the complainant had to navigate through several windows and banners to find the page where he could actually revoke consent.”
Commenting in a statement, Massimiliano Gelmi, a data protection lawyer at noyb, added: “The law is clear, withdrawing consent must be as easy as giving it in the first place. It is painfully obvious that paying €251,88 per year to withdraw consent is not as easy as clicking an ‘Okay’ button to accept the tracking.”
Penalties for confirmed breaches of the GDPR can scale up to 4% of global annual turnover — but Meta, which raked in $116.61 billion in 2022 by tracking and profiling its billions of users to sell targeted ads, is more likely to be concerned EU regulators could end up forcing it to actually offer users a genuinely free choice to deny its tracking, which could kneecap its regional tracking-ads business. Last year the company suggested around 10% of its global ad revenue comes from users in the EU.
An FAQ published last month by the Austrian DPA, on the topic of cookies and data protection, discusses the contentious issue of “pay or okay”, as charging for consent is sometimes called. In it the DPA writes [in German; English translations here are generated with AI] that paying for access to a website “can represent an alternative to consent” — emphasis its — however it says this is provided the GDPR is fully complied with, including consent being specific (i.e. non-bundled); that the company does not have a monopoly or “quasi-monopoly” position on the market; and the price for the payment alternative is “appropriate and fair” and not offered “pro forma at a completely unrealistically high price“, as it puts it.
However the DPA also notes there is no case law from the European Union’s top court on “pay or okay” yet — hence it caveats the FAQ as representing its “current view”. And many privacy experts expect that the issue will, finally, have to be settled via a referral to the CJEU.
In the meanwhile, GDPR complaints filed against Meta with EU DPAs are typically referred back to the Irish Data Protection Commission (DPC), which is the company’s lead data supervisor under the regulation’s one-stop-shop (OSS) mechanism. That means noyb’s complaints against Meta’s ‘pay or okay’ tactic will probably end up on a desk in Dublin sooner or later. Indeed, the Irish regulator has claimed to be reviewing Meta’s approach since the company floated the idea last summer.
If the DPC shifts its review of Meta’s approach to consent onto a formal inquiry footing it could still take years, plural, of investigation before a final regulatory decision on the tactic — as was the case with another noyb complaint against Meta’s legal basis for ads; filed all the way back in May 2018 but not decided until January 2023 (a decision that’s now under legal appeal by Meta in Ireland).
In that case, the decision which finally emerged out of Ireland was actually the DPC acting on instruction from the European Data Protection Board (EDPB), which had to step in to settle disagreements between EU regulators. So a speedy privacy clamp down on Meta’s gaming of consent seems unlikely — unless other DPAs decide to take matters into their own hands.
On paper, they can do this. Despite the existence in the GDPR of the OSS mechanism, which can lead to a lead authority being appointed to deal with complaints involving cross-border processing, the regulation includes emergency powers that allow other DPAs to take action to mitigate data risks in their own markets to protect local users. They can also follow up any interim measures they impose locally by asking the EDPB to make their temporary action permanent and EU-wide — as happened last year when Norway’s DPA petitioned the EDPB over Meta’s legal basis for ads. However, by then, Meta had already shifted its claimed basis to consent, meaning it could just sidestep the regulatory intervention. (Which just goes to show that enforcement delayed is enforcement denied.)
“The [Austrian] authority should order Meta to bring its processing operations in compliance with European data protection law and to provide users with an easy way to withdraw their consent — without having to pay a fee,” writes noyb, urging the imposition of a fine “to prevent further violations of the GDPR”.
noyb is also petitioning the Austrian DPA to instigate an urgency procedure — citing recent CJEU case law which it argues indicates that the discretion of DPAs to decide whether or not to instigate an urgency procedure is limited by “their duty to provide effective protection of data protection rights”. “Thus, in specific situations (like ours) the data subject has a right to an urgency procedure,” a noyb spokesperson suggested.
However, so far, they said the Austrian authority has resisted the call to take emergency measures. “The Austrian DPA has just told us that they received the complaint, that there is no right to an urgency procedure and that another DPA might be the leading supervisory authority. But the complaint wasn’t yet officially referred to the DPC as far as I know,” noyb’s spokesperson added.
While all these tortuous regulatory twists and turns have played out, the upshot for Facebook and Instagram users in Europe is that their privacy remains at Mark Zuckerberg’s mercy — unless or until they abandon using his dominant social networks entirely — since, in parallel with all these years of privacy scrutiny and sanction, the adtech giant has been able to keep cashing in on Europeans’ personal data the whole time; processing it for ad targeting despite its legal bases being under challenge or even, for several months-long stretches, invalidated (as happened in the months between its claim of (first) contractual necessity (and then legitimate interests) being ruled out and Meta switching to alternatives (earlier last year legitimate interests; now consent)).
That said, we are seeing more moves to litigate against Meta on privacy — such as the $600 million competition damages claim being brought by publishers in Spain last year who argue its lack of legal basis for microtargeting users sums to unfair competition they should be compensated for — so the adtech giant could face a reckoning in the form of rising costs coming down the pipe over legacy data protection violations, as well as the prospect of future sanctions flowing from fresh privacy complaints if they lead to breach findings.
It’s worth noting the GDPR only has a limited number of legal bases (six) for processing personal data. Several are simply irrelevant for an adtech giant like Meta, while others have been ruled out by regulators and the CJEU. So its options for tracking and profiling users for ads have narrowed — to a single possibility: Consent. How Meta frames this choice is where the privacy action is now.
Meta spokesman, Matthew Pollard, declined to send a statement in response to noyb’s latest complaint — but he pointed back to a blog post the tech giant initially published in October, when it announced what it described as the “subscription for no ads” for Facebook and Instagram users in Europe, flagging an earlier claim in the post that Meta’s offer “addresses the latest regulatory developments, guidance and judgments shared by leading European regulators and the courts over recent years”.
Pollard was also keen to flag a section of the earlier blog post where it claims the choice it’s concocted for users, i.e. continued free access while being tracked or paying Meta for ad-free access, “conforms to direction given by the highest court in Europe”, as it puts it.
The highlighted section goes on: “[I]n July, the Court of Justice of the European Union (CJEU) endorsed the subscriptions model as a way for people to consent to data processing for personalised advertising. And even before that decision, the validity of a subscription service as part of a model to obtain valid consent had been acknowledged by numerous European data protection authorities, including in France, Denmark and Germany
However the guidance from France’s CNIL, which Meta’s blog post directly references, emphasizes the need for “case-by-case” analysis of so-called “cookie paywalls”, with the data protection regulator warning that “the making the provision of a service or access to a website conditional on acceptance of the deposit of certain trackers is likely to harm, in certain cases, to freedom of consent” [the CNIL’s text is in French; here we’ve translated it into English using AI].
The French regulator also recommends that if users wish to refuse all tracking, publishers should offer what it calls “a real and fair alternative allowing access to the site and which does not does not imply having to consent to the use of their data” [emphasis its].
In the case of an exclusive service — such as “dominant or essential service providers” — the CNIL’s guidance goes on to suggest “the Internet user’s choice in such a case would, by definition, be constrained since the service in question is only available on the site provided”.
“In [this] case, the publisher of the site requiring consent to trackers to access it must be particularly vigilant to the existence of a possible imbalance between him and the Internet user, which would be likely to deprive the latter of a real choice,” it continues. “He must therefore ensure ease of access for the user to this alternative.”
Facebook and Instagram would obviously both qualify as dominant service providers (arguably even essential services, given the hold they continue to exert on the social networking space thanks to network effects). So the CNIL’s approach to paywalls would, presumably, require Meta to prove it’s ensuring ease of access to the non-tracking version of its product.
But, as noyb’s complaint contends, requiring users to fork out a credit card and pay an ongoing fee is hard to frame as “ease of access”. (Plus, as already noted above, the Austrian DPA’s guidance suggests paywalls are not appropriate in scenarios where a company has “a monopoly or quasi-monopoly position on the market” as Meta’s social networks do.)
The CNIL’s blog post also discusses the need for any charge levied by publishers for access to their content to be “reasonable” — and encourages them to publish an analysis of their justification for the fee charged to ensure “greater transparency” for Internet users. We’ve asked Meta to send us its breakdown of how it arrived at the fees it’s charging users to avoid its tracking ads. (Update: “Our pricing is firmly in line with similar subscriptions offering by other technology companies — e.g. YouTube Premium. It’s also important to note that our pricing includes the fees that Apple and Google charge through respective purchasing policies,” Pollard responded on this.)
Meta has previously sought to justify the pricing for its “no ads” sub by suggesting it’s charging a similar monthly fee to streaming services such as Netflix, Spotify and YouTube. But, as we’ve pointed out before, the comparison is a very poor one, given Meta obtains the user generated content that populates its services for free, whereas streaming services pay large amounts of money to license professionally produced music, TV series, films etc.
Another prior claim by Meta, suggesting its subscription is similarly priced to Reddit’s ad-free premium offer, looked dubious too as the latter appears to cost considerably less than the Facebook and Instagram subscriptions. Meta is also double dipping as it requires users to have subscriptions for each account they have on its services, so users with more than one account on its social networks will see the fees stack up further.
Returning to the CNIL’s guidance, it additionally warns publishers against seeking to unfairly bundle consent — with its advice stipulating “targeted advertising and personalization of editorial content are two different purposes that must be distinguished when determining the purposes governing access to the service”.
In Meta’s case users are only being offered a choice between agreeing to its tracking or paying to get “ad free” access to content. For users who do pay to avoid the tracking ads it’s not clear they will avoid their personal data being processed to drive other types of content personalization on Facebook and Instagram, which also engages in tracking of users to determine how to arrange content feeds. So the CNIL might well find other faults here, were it the regulator in charge of investigating this complaint.
Turning to the Danish guidance that’s also cited in Meta’s blog post, the regulator also emphasizes that in a cookie paywall scenario “consent must be voluntary”, writing [in Danish; this is a machine translation]: “The question is therefore whether an approach where visitors — as an alternative to consent — can, for example, pay for access to content or a service, meets this voluntary requirement, and which requirements this approach must meet in that case.”
It goes on to state that there is a “general lack of clarity” over the legality of ‘pay or okay’. But cites four criteria it says it will use for assessing the issue — which includes the setting of a “reasonable price” for the payment alternative, with the regulator warning that “the pricing of this alternative must not be so high that the visitors’ freedom of choice is rendered illusory in practice”.
The German advice Meta’s blog post additionally points to, which is a reference to a decision by the Conference of Independent Data Protection Supervisory Authorities of the Federal and State Governments from March last year, also emphasizes the need for consent to meet all GDPR requirements, including being “freely given”. Although the regulators also write that ‘pay or okay’ is possible — “in principle”.
But their decision also warns against a blanket ‘accept all’ consent for different processing purposes.
“If there are several processing purposes that differ significantly from one another the requirements for voluntariness must be met in such a way that consent can be granted on a granular basis,” the German authorities write [in German; this is a macine translation]. “Among other things, this means that users must have the option of selecting the individual purposes for which consent is to be obtained; [these] can be actively selected by users themselves (opt-in). Only if purposes are very closely related can a bundling of purposes can be considered. A blanket overall consent for different purposes in this respect cannot be effectively granted.”
This report was updated with Meta’s response and our additional analysis of it