Meta’s paid subscriptions. Are they legal? What will EU authorities do?
Meta gave European users of Facebook and Instagram a choice between paying for a no-ads experience or keeping the services free of charge and with ads. As I discussed previously (Facebook, Instagram, “pay or consent” and necessity to fund a service and EDPB: Meta violates GDPR by personalised advertising. A “ban” or not a “ban”?), the legal reality behind that choice is more complex. Users who continue without paying are asked to consent for their data to be processed for personalized advertising. In other words, this is a “pay or consent” framework for processing first-party data.
I was asked by IAPP, “the largest privacy association in the world and a leader in the privacy industry,” to discuss this. I also thought that the text I wrote for them could use some additional explanations for this substack’s audience. What follows is an expanded version of the text published by IAPP. (If this text is too long, I suggest reading just the next section.)
What will EU authorities do?
Let’s start with the question that everyone is asking: what will EU authorities do about Meta’s paid subscriptions? I don’t think anyone knows the answer to this question.
Looking at this in reverse order, the highest authority and the one likely to decide last is the EU’s highest court, the Court of Justice. In July, the Court explicitly raised the possibility of giving users a choice between paying and consenting to some kinds of data processing (I wrote about this on my blog: The CJEU’s Decision in Meta’s Competition Case: Consequences for Personalized Advertising Under the GDPR (Part 1)). But, as I discuss below, there are conditions, and I can’t say how the Court would approach the specific facts of Meta’s new choice model.
Before the Court rules (if at all), we will likely hear from the European Data Protection Board (EDPB). The EDPB is a sort of parliament for national data protection authorities in the EU, acting by majority vote, and has the power to overrule the conclusions of investigations conducted by national authorities. I show below that the EDPB’s guidelines on the issue of “pay or consent” are self-contradictory. What’s more, some of the same EDPB members who until now likely voted for the maximalist approach in enforcement actions against Meta (as recently as the end of October) may find it challenging to do the same now. This is because, as I argue below, rejecting the “pay or consent” model would harm politically powerful legacy media (e.g., prominent German newspapers). Newspapers like Spiegel, Zeit, and Bild present their readers with “pay or consent” choices, and such practices have already been scrutinized by data protection authorities, who until now leaned towards a permissive approach. Distinguishing between “bad big tech” and “good small newspapers” may not be an option because smaller publishers tend to participate in the open advertising ecosystem involving very large-scale processing of personal data. Also, some otherwise hawkish national privacy authorities already green-lighted “pay or consent” in principle.
Finally, there is Meta’s primary GDPR regulator: the Irish Data Protection Commission (this is because, for the EU, Meta is established in Ireland). The Irish authority was forced by the EDPB’s October decision to reject the legal grounds that Meta used for personalised advertising until the switch to consent. Given that the Irish authority was open to the idea that personalised advertising may even be necessary for the contractual relationship between Meta and their users (which, I think, is the right approach), I would guess that they will also be open to upholding “pay or consent,” at least in principle (perhaps with some conditions). Of course, the Irish authority may then be overridden by the EDPB.
Personalised advertising: contractual necessity or consent?
Under the GDPR, personal data may only be processed if one of the lawful bases from Article 6 applies. They include, in particular, consent, contractual necessity, and legitimate interests (I covered this in an earlier substack). When processing is necessary for the performance of a contract (Article 6(1)(b)), then that is the basis on which the controller should rely. You may think that if data processing (e.g., for targeting ads) is necessary to fund a free-of-charge service, that should count as contractual necessity. The authorities do not dispute that in principle, but there is a tendency to narrowly interpret contractual necessity (I recommend Professor Nettesheim’s valuable article for a deeper discussion). Notably, the EDPB decided in December 2022 that Facebook (and Instagram) shouldn’t have relied on that ground for personalisation of advertising. And earlier this month, the EDPB decided that Meta should also not rely on the legitimate interests basis.
The adoption of a narrow interpretation of contractual necessity created an interpretative puzzle. If we set aside the legitimate interests basis under Article 6(1)(f), in many commercial contexts, we are only left with consent as an option (Article 6(1)(a)). This is especially true where consent is required not due to the GDPR but under national laws implementing the ePrivacy Directive (Directive 2002/58/EC); that is, for solutions like cookies or browser storage (note, though, that these are not always needed for personalised advertising). The puzzle is how to deal with consent to processing needed to fund the provision of a service that does not fit the narrow interpretation of contractual necessity.
Consent, as we know from Articles 4(11) and 7(4), must be “freely given.” In addition, Recital 42 states that: “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” The EDPB gave self-contradictory guidance by first saying that withdrawing consent should “not lead to any costs for the data subjects,” but soon after adding that the GDPR “does not preclude all incentives” for consenting.
Despite some differences, at least the Austrian, Danish, French, German (DSK), and Spanish data protection authorities generally acknowledge that paid alternatives to consent may be lawful. Notably, the Norwegian Privacy Board—in a recent Grindr appeal—also explicitly allowed that possibility. I discuss below the conditions those authorities focus on in their assessment of “pay or consent” implementations.
The Court of Justice and “necessity” to charge “an appropriate fee”
In its Meta decision from July 2023, the Court of Justice weighed in, though in the context of third-party-collected data, by saying that if that kind of data processing by Meta does not fall under contractual necessity, then:
(...) those users must be free to refuse individually, in the context of the contractual process, to give their consent to particular data processing operations not necessary for the performance of the contract, without being obliged to refrain entirely from using the service offered by the online social network operator, which means that those users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations.
Intentionally or not, the Court highlighted the interpretative problem stemming from a narrow interpretation of contractual necessity. The Court said that even if processing does not fall under contractual necessity, it may still be “necessary” to charge data subjects “an appropriate fee” if they refuse to consent. Disappointing some activists, the Court did not endorse the EDPB’s first comment I cited (that refusal to consent should not come with “any costs”).
Even though the Court did not explain this further, we can speculate that the Court was not willing to accept the view that all business models simply have to be adjusted to a maximally prohibitive interpretation of the GDPR. The Court may have attempted to save the GDPR from a likely political backlash to an attempt to use the GDPR to deny Europeans a choice of free-of-charge services funded by personalised advertising. Perhaps, the Court also noted that other EU laws rely on the GDPR’s definition of consent (e.g., the Digital Markets Act) and that this gives an additional reason to be very cautious in interpreting this concept in ways that are not in line with current expectations.
There are several questions that, based on previous statements from DPAs, are likely to be particularly important for future assessments of “pay or consent” implementations under the GDPR and ePrivacy rules. The following list may not be exhaustive but aims to identify the main issues.
How specific should the choice be? The extent to which service providers batch consent to processing for different purposes, especially if users cannot (in a “second step”) adjust consent more granularly, is likely to be questioned. This is problematic because giving users complete freedom to adjust their consent could also defeat the purpose of having a paid alternative.
In a different kind of bundling, service providers may make the paid alternative to consent more attractive by adding incentives like access to additional content or the absence of ads (including non-personalised ads). On the one hand, this means that service providers incentivise users not to consent, making consent less attractive. This could be seen as reducing the pressure to consent and making the choice more likely to be freely given. On the other hand, a more attractive paid option could be more costly for the service provider and thus require a higher price.
What is an “appropriate” price? The pricing question is a potential landmine for data protection authorities, who are decidedly ill-suited to deal with it. Just to show one aspect of the complexity: setting as a benchmark the service’s historical average revenue per user (ARPU) from (personalised) advertising may be misleading. Users are not identical. Wealthier, less price-sensitive users, who may be more likely to pay for a no-ads option, are also worth more to advertisers. Hence, the loss of income from advertising may be higher than just “old ARPU multiplied by the number of users on a no-ads tier,” suggesting a need to charge the paying users more than historical ARPU merely to retain the same level of revenue. Crucially, the situation will likely be dynamic due to subscription “churn” (users canceling their subscriptions) and other market factors. The economic results of the “pay or consent” scheme may continue to change and setting the price level will always involve business judgment, based on predictions and intuition.
Some authorities may be tempted to approach the issue from the perspective of users’ willingness to pay, but this also raises many issues. First, the idea of price regulation by privacy authorities, capping prices at a level defined by the authorities’ view of what is acceptable to a user, will likely face serious proportionality and competence scrutiny, including under Articles 16 and 52(1) of the Charter of Fundamental Rights. Second, taking users’ willingness to pay as a benchmark implicitly assumes a legally protected entitlement to access the service for a price they like. In other words, to assume that users are entitled to specific private services, like social media services. This is not something that can be simply assumed; it would require a robust argument—and arguably constitute a legal change that is appropriate only for the political, legislative process.
Imbalance: Recital 43 GDPR explains that consent may not be free when there is “a clear imbalance between the data subject and the controller.” In the Meta decision, the Court of Justice admitted the possibility of such an imbalance between a business with a dominant position, as understood in competition law, and their customers. This, too, may be a difficult issue for data protection authorities to deal with, both for expertise and competence reasons.
The scale of processing and impact on users: Distinct from market power (dominance), though sometimes conflated with it, are the issues of the scale of processing and its impact on users. An online service provider, e.g., a newspaper publisher, may have relatively little market power but may be using a personalised advertising framework (e.g., an RTB scheme facilitated by third parties) that is very large in scale and with more potential for a negative impact on users than an advertising system internal to a large online platform. A large online platform can offer personalised advertising to its business customers (advertisers) while sharing little or no information about who the ads are being shown to. Large platforms have economic incentives to keep user data securely within the platform’s “walled garden,” not sharing it with outsiders. Smaller publishers participate in open advertising schemes (RTB), where user data is shared more widely with advertisers and other participants.
Given the integration of smaller publishers in such open advertising schemes, an attempt by DPAs to set a different standard for consent just for large platforms may fail as based on an arbitrary distinction. In other words, however attractive it may seem for the authorities to target Meta without targeting the more politically powerful legacy media, this may not be an option.
We don’t yet know the full text of the EDPB’s most recent decision related to Meta’s personalised advertising. Still, the available information suggests that the Board did not address the question of a paid alternative to consent. Perhaps the Irish DPC, to whom the EDPB decision is addressed and who will accordingly soon publish their own Meta decision, will include some relevant remarks. However, it is also possible that we will need to await the conclusion of the reportedly ongoing investigations.
Earlier this week, the EDPB chair, Anu Talus, told Politico that DPAs will investigate ad-free paid subscriptions offered as an alternative to consent. She even said that “[w]hat we’re actually looking at within the EDPB is a fundamental change in the structures of digital marketing.” If she means a crackdown on free-of-charge services that cannot be funded without personalised advertising, then this may be hard to square with the approach taken by the Court of Justice in the Meta judgment.
In a longer-term perspective, it is worth noting that the EU Council’s 2021 mandate for the ePrivacy legislative process includes an explicit recognition of paid alternatives to consent. However, that recognition is qualified by an analogous consideration of “imbalance” under the GDPR, so even if that text is adopted, it will not override all the debates that are likely to occur soon.
 For an overview of “pay or consent” (or “PUR”) practices by legacy media publishers in Europe, I recommend the “PUR models: Status quo on the European market” report, which David Pfau prepared for BVDW (October 2023).
 See Ibid. for a helpful recent overview. For the view of the Spanish authority, see https://www.aepd.es/prensa-y-comunicacion/notas-de-prensa/aepd-actualiza-guia-cookies-para-adaptarla-a-nuevas-directrices-cepd
 See also Peter Craddock, ‘Op-ed: "Pay or data" has its reasons - even if you disagree’, https://www.linkedin.com/pulse/op-ed-pay-data-has-its-reasons-even-you-disagree-peter-craddock
 See para . This is also referenced in the Joint EDPB-EDPS contribution to the public consultation on the draft template relating to the description of consumer profiling techniques (Art.15 DMA) (September 2023), page 14.
 See Recital 20aaaa on page 25 of the Council mandate.