Nearly two dozen civil society groups and nonprofits have written an open letter to the European Data Protection Board (EDPB), urging it not to endorse a strategy used by Meta that they say is intended to bypass the EU’s privacy protections for commercial gain.
The letter comes ahead of a meeting of the EDPB this week that is expected to produce guidance on a controversial tactic used by Meta that forces Facebook and Instagram users to consent to its tracking.
Many of the signatories, which include the likes of EDRi, Access Now, noyb and Wikimedia Europe, signed a similar open letter to the EDPB in February. But the Board is expected to adopt an opinion on “consent or pay” (i.e., “pay or okay”) as soon as this Wednesday, so this is likely the last chance for rights groups to sway hearts and minds on an issue they warn is “pivotal” for the future of data protection and privacy in Europe.
“As you prepare to shape guidelines on the ‘Consent or Pay’ model, we urge you to refrain from endorsing a strategy that is merely an effort to bypass the EU’s data protection regulations for the sake of commercial advantage, and advocate for robust protections that prioritize data subjects’ agency and control over their information,” the open letter reads. “Emphasising the need for genuine choice and meaningful consent aligns with the foundational principles of data protection legislation, the larger context of all relevant CJEU rulings and serves to uphold the fundamental rights of individuals across the EEA [European Economic Area],” it continued.
Meta spokesman Matthew Pollard said in an emailed statement that the company’s offer, which it calls “Subscription for no ads,” is compliant with EU laws: “‘Subscription for no ads’ addresses the latest regulatory developments, guidance and judgments shared by leading European regulators and the courts over recent years. Specifically, it conforms to direction given by the highest court in Europe: in July, the Court of Justice of the European Union (CJEU) endorsed the subscriptions model as a way for people to consent to data processing for personalised advertising.”
A raft of complaints have been filed against Meta’s implementation of the pay-or-consent tactic since it launched the “no ads” subscription offer last fall. Additionally, in a notable step last month, the European Union opened a formal investigation into Meta’s tactic, seeking to find whether it breaches obligations that apply to Facebook and Instagram under the competition-focused Digital Markets Act (DMA). That probe remains ongoing.
The EU also recently questioned Meta about “consent or pay” using its oversight powers that let it monitor larger platforms’ compliance with the Digital Services Act (DSA), a sister regulation to the DMA, which also applies to Meta’s social networks, Facebook and Instagram.
The Board’s opinion on “consent or pay” is expected to provide guidance on how the EU’s General Data Protection Regulation (GDPR) should be applied in this area. However, it looks relevant to the DMA, too, as the newer market contestability law builds on the bloc’s data protection framework — referring to concepts set out in the GDPR, such as consent.
This means guidance from the EDPB, a GDPR-focused steering body, on how — or, indeed, whether — “consent or pay” models can comply with EU data protection rules is likely to have wider significance for whether the mechanism is ultimately deemed compliant by the Commission in its assessment of Meta’s approach to the DMA.
It’s worth noting the Board’s opinion will look at “consent or pay” generally, rather than specifically investigating Meta’s deployment. Nor is Meta the only service provider pushing “consent or pay” on users. The tactic was actually pioneered by a handful of European news publishers.
Nonetheless, it is likely to have major implications for the social networking giant. It could either make it harder for Meta to claim its subscription tactic is compliant with the GDPR, or, if the EDPB ends up endorsing a controversial model where users have to pay to obtain their rights, champagne corks will surely be popping at 1 Hacker Way as Meta prevails over Europeans’ privacy.
The rights groups behind the open letter say penning two letters on this topic a few weeks apart reflects “widespread apprehension about the consequences” of “consent or pay” being rubberstamped by privacy regulators.
Privacy rights group, noyb, and others have warned that a green light for the tactic will open the floodgates to apps of every stripe to leverage economic coercion to force users to be tracked — gutting key planks of the EU’s flagship data protection regime.
The letter points to concerns expressed by the Commission following its opening of a DMA investigation into Meta’s deployment of “consent or pay,” in which the EU cited misgivings that “the binary choice imposed by Meta’s ‘pay or consent’ model may not provide a real alternative in case users do not consent,” and could, therefore, lead to a continuing accumulation of personal data and loss of privacy for users.
The letter argues that the payment relied upon in the “consent or pay” model “could be deemed a degradation of service conditions,” which it suggests breaches Article 13(6) of the DMA. That section “corresponds to the fairness principle under Article 5(1)(a) GDPR.”
“Given that both acts refer to Article 4(11) GDPR, this underscores pressing need to protect freely given consent consistently in the context of the DMA as well as under the GDPR,” the letter reads.
The letter further notes the Commission has previously expressed doubts that consent or pay is “a credible alternative to tracking,” in relation to efforts to encourage businesses to simplify cookie consent flows (aka the “Cookie Pledge”) because of the “extremely limited” number of consumers who agree to pay in light of how many different apps and websites they may use each day.
It also points out the EDPB’s response to the Commission’s Cookie Pledge proposal contained what they couch as a clarification “that this ‘less intrusive’ option should be offered free of charge.”
“This insistence on genuine user choice underscores the fundamental principle that consent must be freely given,” it goes on. “However, the current ‘Consent or Pay’ model sets in stone a coercive dynamic, leaving users without an actual choice. The continued acceptance of this model undermines the fundamental principles of consent and perpetuates a system that prioritises commercial interests over individual rights.”
A spokeswoman for the Board confirmed it had received “several letters” from civil society organizations on this topic. She also told us the opinion on “consent or pay” “concerns a matter of general application, and does not look into specific companies,” further emphasizing: “The EDPB will only look into this matter from a data protection perspective.”
“The opinion will address the use of consent or pay models by large online platforms for purposes of behavioural advertising. More general guidance on consent or pay models will be adopted at a later stage,” she added, saying if an opinion is adopted Wednesday, there would still be some administrative work to do before it could be made public — declining to confirm a publication date ahead of time.
This report was updated after the EDPB responded to our request for comment and clarifications.
European digital rights groups say the future of online privacy is on a knife edge
Comment