Netflix, Disney+, and Meta: what’s an “appropriate fee” for a subscription?
“What is an appropriate fee?” is among the key questions in the current conversation around Meta’s move to introduce paid subscription options with no ads on Facebook and Instagram. As I discussed previously, the EU’s highest court suggested that businesses may be allowed under the GDPR to offer their users a choice between (1) agreeing to personalised advertising and (2) “if necessary” paying “an appropriate fee” for an alternative service tier. In that text, I also raised some of the legal and economic difficulties in determining an appropriate fee. Eric Seufert followed with a thoughtful analysis. (By the way, don’t miss the next episode of Eric’s podcast in which we’ll discuss this and related issues.) Eric proposed two alternative “conditions for calculating whether a ‘pay-or-okay’ price point represents an ‘appropriate fee’”:
The price achieves, at most, overall ARPU parity between the pre-subscription and post-subscription periods, and;
The fee doesn’t materially exceed those charged by comparable services.
Both Eric and I discussed the nuances raised by (1) elsewhere. Here, I’d like to focus on the second condition mentioned by Eric and compare Meta’s new model with Netflix and Disney+. For simplicity, I will only discuss their offers in Germany.
Both services offer three tiers:
Netflix
“Standard with ads” - €4.99/month
“Standard” (no ads[1]) - €12.99/month
“Premium” (no ads, higher video quality) - €17.99/month
Disney+
“Standard with ads” - €5.99/month
“Standard” (no ads[1]) - €8.99/month
“Premium” (no ads, higher video quality) - €11.99/month
The no-ads tiers are priced similarly to Meta’s, which is €9.99/month on the web (plus €6/month for additional accounts from March 2024).
Are they comparable from the GDPR perspective?
But is their situation comparable with Facebook and Instagram under the GDPR?
Like Facebook and Instagram, Netflix and Disney+ offer a “pay (more) or agree to ads” model. In that general sense, the services are comparable.
However, the more specific GDPR question is whether Meta’s pricing is appropriate as an alternative to personalised advertising.
Both Netflix and Disney+ serve personalised (or “behavioural”) advertising. However, their definitions of what counts as such seem to differ from the broad understanding adopted by at least some EU privacy authorities (notably, in recent enforcement decisions related to Facebook and Instagram). [2, 3]
This is important because both Netflix and Disney+ claim that their users can opt out of “behavioural” (Netflix) or “targeted” (Disney+) ads. However, unless I’m misreading their public materials (do let me know if I am!), neither service enables users to reject all behavioural advertising (as understood by EU authorities). [2, 3] If that’s the case, then to avoid personalised advertising, users need to pay for a “no ads” subscription tier, like on Facebook and Instagram.
Also, to the extent Netflix and Disney+ lowest tier subscribers can opt out from personalised advertising without additional cost, this is an opt-out mechanism (in Disney’s case: multiple mechanisms)—not specific choice users are explicitly asked to make upfront like on Facebook and Instagram. It is thus possible that a sufficiently low proportion of users are sufficiently motivated to opt out that offering this possibility doesn’t affect the services’ bottom lines. This suggests that the possibility of a “free” opt-out does not necessarily mean those services are not comparable to Facebook and Instagram.
To be clear, I’m not suggesting that Netflix or Disney are doing something wrong. My point is only that these are, indeed, comparable situations to Meta’s new model. This indicates that Meta’s pricing “doesn’t materially exceed those charged by comparable services” (Eric’s second condition).
By the way, GDPR “lawful basis” enthusiasts may be interested to hear that Netflix uses “contractual necessity” for at least some personalised advertising.[2] This may surprise some readers, given that Meta was found to violate the GDPR this way by the EDPB and then the Irish DPC. However, I think contractual necessity should be interpreted more broadly, and hence, I have a lot of sympathy with Netflix’s position.
[1] “No ads” doesn’t mean no promotional content. Disney+ is perhaps more explicit about this, even on their main landing page, with the following footnote: “All plans may include theatrical trailers, promotion of Disney products and services, sponsorship and alike.”
[2] Netflix claims that their users can opt out from what Netflix defines as “behavioral advertising” (“use and/or interactions with various unaffiliated third-party apps or websites across the Internet”). However, their definition is limited to third-party data, which suggests that Netflix only allows an opt-out for third-party data. (Meta doesn’t opt-in users by default to ad personalisation with third-party data — users are asked for prior consent).
What about ad personalisation with first-party data? First, “to deliver advertising,” Netflix relies on the “contractual necessity” lawful basis under the GDPR. Combined with how Netflix defines “behavioral advertising” for which they allow opt-outs, this suggests that users cannot opt out of first-party data being processed for advertising. But is there personalisation?
In one place, Netflix says that they target ads by relying on users’ “interactions with Netflix (such as the genre of content being viewed)” and on “general location information based on your IP address.”
Location information constitutes “behavioural advertising” on the broad definition adopted in the Norwegian Meta decision (which I criticised):
Behavioural Advertising includes targeting ads on the basis of inferences drawn from observed behaviour as well as on the basis of data subjects’ movements, estimated location and how data subjects interact with ads and user-generated content.
Similarly, in the newly published decision from October 2023, the European Data Protection Board found that Meta “failed to demonstrate that its processing of location data does not constitute processing for the purpose of behavioural advertising” (paragraph 97). According to the Board, “it is unclear (...) on which basis the location is estimated, if not the data subject’s behaviour” (ibid.).
But users’ “interactions with Netflix” could fall even under a narrower definition of behavioural advertising from the Article 29 Data Protection Working Party’s “Opinion 2/2010 on online behavioural advertising”:
Behavioural advertising is advertising that is based on the observation of the behaviour of individuals over time.
I’m not sure if Netflix only uses information about a user’s “interaction with Netflix” that is concurrent with displaying the ad (which could make it non-personalised advertising) or also based on the user’s previous interactions (hence “the observation of the behaviour of individuals over time”).
On a different page, Netflix says they use “service activity” “to deliver advertising.” They define “service activity” thus:
Search queries; titles viewed and related playback events; choices made when engaging with interactive titles; games played; watch list; ratings; self-selected viewing preferences and interests; other user interface activity while using the Netflix service; account and profile settings. In countries in which an ad supported subscription plan is offered and you subscribe to this type of plan, data elements will also include ads viewed.
This suggests the “observation of behaviour over time” possibility (and thus, behavioural advertising).
[3] Disney’s offer is generally similar to Netflix. Still, its privacy policy doesn’t make it as easy to determine whether users can fully avoid personalised advertising (on the broad understanding of personalisation used by EU authorities as discussed in the previous footnote). However, there are reasons to think that not even the higher subscription tiers can.
Disney+ mentions the possibility of “opting out of interest-based ads,” but I couldn’t determine whether those ads are the only way they personalise advertising (not on Disney’s definition, but on the broader understanding I discussed earlier). Notably, this opt-out does not seem to depend on the subscription tier.
For instance, if Disney+ relies on user location information to target advertising, EU authorities may consider that personalised (behavioral) advertising. And it may be that Disney+ users cannot opt out from some such targeting. Disney’s website references, among others, the youradchoices.com page, which explains what kind of information is not covered by the “interest-based ads” opt-out:
For example, even after opting out of interest-based advertising from a participating company, a user may still receive other types of advertising from that company, including ads selected on the basis of the content of the web page ("contextual" ads), or other types of information (for example, demographic or general computer browser location information).
Note the mention of “general computer browser location information.” (I think seeing all location information as “behavioural” is too broad, but it looks like influential EU authorities are pushing in this direction.)