EU data protection body says Meta’s ‘pay or OK’ model is not OK

The European Data Protection Board opposed Meta’s controversial “pay or okay” business model in an opinion published on Wednesday (17 April), saying this binary approach was not compliant with the EU’s data privacy rules.

The “pay or okay” or “pay or consent” model, introduced in November 2023 by Meta, gives customers the option of using the services at no cost if they consent to Meta processing their private data, or opt for a paid subscription model, in which case Meta will refrain from processing their data.

Big online platforms will not be compliant with requirements of the EU’s data privacy regulation, the GDPR, for valid consent “if they confront users only with a binary choice” between paying for their personal data not to be processed or having this data processed, said the Board in its opinion.

“The offering of (only) a paid alternative to the service which includes processing for behavioural advertising purposes should not be the default way forward for controllers,” the opinion said.

Euractiv reached out to Meta but did not receive a comment by the time of publication.

Meta’s move stems from earlier regulatory developments: In January 2023, two national data authorities said Meta’s so-called “contract model” was in breach of the EU’s General Data Protection Regulation (GDPR), a comprehensive data privacy and protection law.

The “contract model” means that users enter into a contract with the platform by accepting the Terms of Service. Thus the legal basis for Meta’s data processing was challenged.

The “pay or okay” model sparked instant controversy, with the European Consumer Organisation BEUC and the non-profit digital rights organisation NOYB both filing separate complaints against it.

Piling on the controversy, the Dutch, Norwegian, and German supervisory authorities asked the EDPB, an independent body tasked with ensuring the consistent application of data protection rules in the EU, to issue an opinion.

“Most users consent to the processing in order to use a service, and they do not understand the full implications of their choices,” EDPB Chair Anu Talus said in a press release, echoing consumer rights organisations.

The opinion

In the EDPB’s opinion, adopted during its latest plenary, the Board stressed the importance of adhering to GDPR requirements, as well as accountability.

Online platforms should offer alternatives to paid services involving behavioural advertising focusing on providing genuinely equivalent free alternatives, the Board said.

Moreover, controllers must offer granularity in consent choices, ensure clarity in consent requests, and provide comprehensive information about choices and consequences.

Data controllers should always “avoid transforming the fundamental right to data protection into a feature that individuals have to pay to enjoy. Individuals should be made fully aware of the value and the consequences of their choices,” Talus said.

Max Schrems, activist and chairman of NOYB, said that Meta “can still charge pages for reach, engage in contextual ads and alike – but tracking people for ads need a clear ‘yes’ by users”.

General Data Protection Regulation

Consumer rights organisations have accused Meta of violating GDPR principles, citing difficult consent withdrawal and unfair data processing. They argued that Meta’s data collection is invasive, involving sensitive details like behaviour and political views.

Legal disputes over Meta’s handling of EU user data stem from rulings in 2022 and 2023 which challenged its previous legal basis.

Meta’s reliance on user consent has faced criticism although Meta noted that the “Court of Justice of the European Union endorsed [its] subscriptions model as a way for people to consent to data processing for personalised advertising.”

[Edited by Zoran Radosavljevic]

Read more with Euractiv