“Pay or Okay” is a consent model that acts as a legal basis for data collection. Users choose between a paid option that keeps their data private and a free option that allows Meta to collect extensive data. Following Meta’s decision to switch to this model in November 2023, several European data protection authorities asked the European Data Protection Board (EDPB) about the legality of the model, and a concrete response was highly anticipated. The EDPB published its anticipated opinion on April 17, 2024.
It is important to highlight the damage the “Pay or Okay” model has caused to the privacy rights of Meta users over the past six months.
What happened?
In July 2023, the Court of Justice of the European Union (CJEU) decided on a case that brought Meta against the German data protection authority (BfDI). The data protection authority had published a decision that primarily dealt with the legality of Meta’s use of personal data in the EU between 2018 and 2023 and found it illegal.
Since 2018, and before the decision of the German data protection authority, Meta has been trying to bypass user consent as a legal basis for its data collection. Consent is among the six legal bases in the GDPR that a company can use to collect data. Meta tried to bypass the consent requirement for tracking and online advertisement by arguing that ads are a part of the “service” and, as such, used the legal basis of “contractual necessity.” This means that Meta’s data processing is necessary for the performance of a contract, namely the contract between Meta and its users.
However, Meta held on to a small obiter dictum, a typically non-binding additional consideration in the judgment, to switch to a new legal basis and continue its data collection activities. The Court of Justice, in its judgment, stated that Meta should introduce an alternative to ads “if necessary, for an appropriate fee.” This six-word phrase opened the door for Meta to launch its new paid version.
A heavy cost for privacy
The initial cost of this new approach was 9.99 euros per month, per Facebook or Instagram account. Later, Meta decided to lower this cost to 5.99 euros with a slightly reduced fee per additional account. The data protection and privacy rights non-profit Noyb has calculated the average cost of protection if most online platforms start charging their users for privacy.
Noyb states that “30% of the top 100 websites in Germany already use ‘Pay or Okay’ to drive up consent rates. Using these websites without tracking for personalized ads would already cost more than 1,500 euros per year. In Spain, users would face costs of about 1,460 euros, while in France, the price for privacy already exceeds 1,100 euros.”
It is a heavy price for privacy, one that most users cannot afford. They are forced to give up their privacy to most of the platforms they use.
Pay to delete personal data?
In light of Meta’s significant market dominance and its prominent role as a social media giant, abrupt policy changes that force users to choose between paying and allowing their data to be used for behavioral ads directly contradict the spirit of the GDPR.
However, Meta went beyond this initial violation and forced users to switch to paid subscriptions if they wanted to exercise one of their fundamental rights under the GDPR: the right to the erasure of data by the withdrawal of consent.
The GDPR clearly states that consent can be “withdrawn as easily as it is given” by users. That is not the case with the consent given to Meta. According to the digital rights organization Noyb, the only option to “withdraw” consent is to buy a paid subscription from the company. This is a clear violation of the GDPR.
“Consent or Pay” is illegal
In a statement published on April 17, the European Data Protection Board (EDPB) declared the “consent or pay” approach to be illegal. The EDPB limited its opinion to large online platforms, and by doing so, it sent a clear message that its statement is in fact a response to Meta, while other platforms, such as online media outlets, are seemingly not affected.
“The offering of (only) a paid alternative to the service which includes processing for behavioral advertising purposes should not be the default way forward for controllers. When developing the alternative to the version of the service with behavioral advertising, large online platforms should consider providing data subjects with an ‘equivalent alternative’ that does not entail the payment of a fee,” the EDPB said in the statement.
The Board also recalled that, even when consent is obtained, the collected data should still be processed according to the GDPR principles, especially those under Article 5, i.e., data should be processed in line with the principles of necessity and proportionality, purpose limitation, data minimization, and fairness.
The final decision is up to the Data Protection Authorities
Although the EDPB’s opinion is not binding, it gives data protection authorities a clear path forward. As the subsidiary company representing Meta in Europe is established in Ireland, the Irish Data Protection Authority can impose sanctions or take action against Meta. However, the Irish DPA is not alone in its capacity to take action. The DPAs of the Netherlands, Norway, and the German state of Hamburg had directed questions to the EDPB about Meta’s pay-or-consent model. As such, following the EDPB’s published opinion, they may also choose to take action against the company.