Last year, in response to a request from the Norwegian Data Protection Authority, the European Data Protection Board (EDPB) issued a decisive ruling, prohibiting Meta from processing personal data for behavioral advertising across the European Economic Area (EEA) based on contractual or legitimate interest grounds.
In reaction, Meta proposed a ‘Consent or Pay’ model. This model can be defined as models where a controller offers data subjects a choice between at least two options in order to gain access to an online service that the controller provides: the data subject can consent to the processing of their personal data for a specified purpose or decide to pay a fee and gain access to the online service without their personal data being processed for such purpose.
Under the first option mentioned above, the data subjects get access to the service only if they consent to being tracked and targeted with behavioral advertising by the controller. In this case, the controller’s business model is usually financed through online advertising based on users’ behaviors. Under the second option, the data subjects pay a fee (which can be, for instance, a weekly, monthly, or annual subscription, as well as a one-off payment) and are allowed to access a version of the service that does not include the processing of the user’s personal data for behavioral advertising purposes. However, one should note that, while this second option may include that the data subjects are not tracked at all, it might also include that data subjects would be still tracked for different purposes, e.g. in order to analyze the use of a website to improve its functionalities.
Following Meta’s announcement of its ‘Consent or Pay’ model, the Dutch, Norwegian, and Hamburg Data Protection Authorities submitted a request under Article 64(2) GDPR to the EDPB. They sought an opinion on whether such models, as employed by large online platforms for behavioral advertising, meet the GDPR’s stringent requirements for valid and freely given consent.
EDPB OPINION
The EDPB has specified that its opinion on ‘consent or pay’ models is applicable primarily to large online platforms which attract large amounts of users operating within the EEA, including but not limited to, entities categorized as “very large online platforms” under the EU Digital Services Act and “gatekeepers” under the EU Digital Markets Act. This clarification addresses the critical issues these models present for data protection, especially concerning the interpretation and enforcement of recipient of valid consent under GDPR.
The opinion reviewed the circumstances and conditions ’consent or pay’ models relating to behavioral advertising can be implemented by large online platforms in a way that constitutes valid and, in particular, freely given consent under the GDPR:
1. Free
The EDPB emphasizes that for consent under the GDPR to be considered ‘free’ it implies that data subjects have real choice and control. Consent is invalid if the data subject feels compelled, faces negative consequences for non-consent, or cannot exercise free will. Validity hinges on the absence of deception, coercion, or undue pressure, considering factors such as potential detriment from non-consent, power imbalances, unnecessary conditionality for accessing services, and the ability to choose among different processing operations.
Offering only a paid version of a service that processes data for behavioral advertising should not be the default option for controllers. Instead, when creating alternatives to such services, controllers should provide a viable option that does not require payment — a “Free Alternative Without Behavioral Advertising”. This approach ensures that data subjects are not unduly pressured into either paying or consenting to data processing.
The EDPB recommends that to ensure data subjects are not forced into a binary decision between paying or consenting to data processing for behavioral advertising, controllers should also provide a no-cost option, termed the ‘Free Alternative Without Behavioral Advertising’. This approach is aimed at preserving genuine choice for users. This alternative should avoid any data processing for behavioral advertising. It might include less intrusive forms of advertising, such as contextual or general ads, or ads selected based on user-chosen topics of interest, thus minimizing or completely eliminating the use of personal data.
Offering a Free Alternative without Behavioral Advertising helps mitigate any negative consequences for users who choose not to consent to data processing. This option is particularly important in situations where there’s a significant power imbalance between the user and the controller. In such cases, genuine consent must be demonstrably free of adverse consequences. Controllers must ensure that users fully understand their choices, including the implications of each option regarding data processing and its consequences. This transparency is critical in validating that the consent is freely given.
2. Detriment
The opinion highlights Recital 42 of the GDPR, stating that for consent to be truly freely given, data subjects must have a genuine choice and the ability to refuse or withdraw their consent without facing any negative consequences. It concludes that large online platforms typically cannot meet the standards for valid consent if they only offer users the binary choice of consenting to personal data processing for behavioral advertising or paying a fee.
If a data subject does not consent to data processing and also chooses not to pay the fee, they would be unable to access the service. This situation could lead to various detriments for the data subject, as they are effectively denied the utility of the service for their refusal or inability to comply with the platform’s terms.
Data subjects may face significant disadvantages if they cannot use a service integral to their daily lives and central in societal functions. This includes platforms essential for accessing unique information, participating in social discussions, or obtaining critical updates during emergencies. Such platforms might also serve as crucial platform for community interaction or accessing services necessary for daily functioning, impacting everything from civil engagement to personal and family logistics.
The centrality of social media in modern social life is profound. For many, these platforms are vital for maintaining relationships with friends and family whom they don’t see regularly. Social media’s role extends beyond personal connections; it also serves as a key medium for participating in broader societal and cultural discussions. The inability to access such platforms can lead to feelings of isolation and disconnection, significantly impacting emotional and psychological well-being. This exclusion from digital social spaces can deprive individuals of both personal interactions and active participation in community dialogues. Data subjects may also experience significant disadvantages if they are unable to access professional or employment-oriented platforms because they choose not to pay a fee or give consent to data processing. This lack of access can hinder their ability to find job opportunities or maintain and grow professional networks, potentially leaving them at a disadvantage compared to peers who have access to these services and can stay updated in their fields.
3. Imbalance of power
The principle of ‘freely given’ consent necessitates that data subjects must be able to exercise autonomy. This requires consideration of the controller’s position relative to the data subject. A clear imbalance of power could coerce the data subject into making a decision they would not freely choose, thus impacting their autonomy and compromising the freedom of their choice.
When assessing power imbalances between large online platforms and data subjects, certain factors should be considered, such as the platform’s market position and the extent to which the data subject relies on the provided service. This helps determine if there is a significant power disparity that could influence the data subject’s ability to make free choices.
4. Withdrawal of consent
In considering “consent or pay” models, it’s crucial to distinguish between the act of withdrawing consent and the desire to continue using the service afterward. Transparent information must be provided on how to exercise the right of withdrawal without implying it leads to a paid subscription. Users should understand they have the choice to either consent to data processing for advertising, pay for the service, or opt for a free version without behavioral advertising, ensuring the freedom to withdraw consent without penalty.
5. Unambiguous indication of wishes
Controllers need to carefully design how they obtain consent, particularly when seeking it for multiple purposes like service enhancement or content personalization. It’s crucial that consent mechanisms allow users to give specific permissions for distinct processing activities. In ‘consent or pay’ models, if a user consents to certain activities to access a service for free, that consent should only apply to those activities. For additional data processing purposes, users must have the option to give separate consents, ensuring each is specific and informed.
In models where users must give consent or pay, it’s crucial to recognize that ambiguous information provided by controllers can mislead users into giving consent unwittingly. This occurs when consent is obtained through phrases like “simply continue” or “continue without,” where the emphasis on nonpayment obscures the fact that choosing the free option implies consent. To guarantee a clear expression of user preferences, questions should be framed accurately and transparently. Consent to process personal data should not be portrayed as merely a means to avoid fees.
6. Transparency requirements
When it comes to conveying information, controllers must adhere to the principle of ‘clear and plain language‘, which necessitate adapting the language to the data subjects. This entails providing information in a manner that is clear and understandable to the intended audience. To meet these transparency standards, controllers should first assess their audience and then determine the most appropriate language and communication style. They should ensure that their audience comprehends the service and its impact on their personal data. The wording used should explicitly outline the consequences of the data subject’s choices regarding the processing of their personal data. For instance, controllers should not only clarify that a choice affects the presence or absence of advertising, but also explain how it influences the processing of personal data for behavioral advertising.
Controllers may utilize various information channels based on the nature of the online platform. For instance, they could employ videos to explain the differences between alternatives or interactive pages to demonstrate how the service will appear under different options.
CONCLUSION
In the realm of ‘consent or pay’ models employed by major online platforms, the EDPB underscores the imperative for controllers to adhere to all GDPR requirements, particularly those concerning valid consent, while taking into account the unique circumstances of each case. It is generally recognized that in most instances, large online platforms cannot fulfill the criteria for valid consent if they present users with only a binary choice between consenting to the processing of personal data for behavioral advertising or paying a fee.
While the EDPB Opinion sheds light on ‘consent or pay’ models, it also raises concerns about how online services will be financed if major service providers cannot leverage and profit from consumer data. Although the EDPB stops short of outright prohibiting the use of “consent or pay” models for behavioral advertising purposes, indicating that such models will typically fail to meet GDPR consent standards, it sets a significant standard.
We will continue to provide you with updates on regulatory developments and any recommendations issued by relevant authorities regarding this matter.
This document is intended to provide only a general background regarding this matter. It should not be regarded as setting out binding legal advice but rather as a practical overview based on our understanding of applicable regulations.
Regards,
Cyber, Technology, Compliance and Regulation team
Shibolet & Co.
