Pay or OK: what is an “appropriate fee”? (July update)

The “pay or OK” debate in the EU continues, and it is still unclear what its outcome will be, for Meta and everyone else. Today, the European Commission announced their preliminary finding that Meta’s approach is not compliant with the law. Importantly, the Commission investigates this issue not under data protection law (the GDPR), but under the EU Digital Markets Act (DMA). Meanwhile, data protection authorities continue to investigate from the GDPR perspective.

Over the past weeks, I participated in many conversations on this issue, including a roundtable I organised at a privacy conference in Brussels, which was quite heated. I’ve been hoping to get some clarity regarding one key methodological question: how to assess an “appropriate fee”? As a reminder, the EU’s highest court (the Court of Justice) suggested that businesses may be allowed under the GDPR to offer their users a choice between (1) agreeing to personalised advertising and (2) “if necessary” paying “an appropriate fee” for an alternative service tier. 

Based on my reflection and those conversations, I’ll try to outline a framework for thinking about the issue of an “appropriate fee.” This note is just a rough sketch, but hopefully, you’ll find it interesting. I should add that it is not clear to what extent this analysis applies beyond the GDPR, and especially to the DMA which the European Commission appears to consider independently relevant in Meta’s case.

I’ll begin with two observations.

First, regarding the applicable legal standard of “freely given” consent, the Court’s use of the words “if necessary” does not mean that “pay or OK” is only allowed to the extent necessary to bring revenue without which it would be strictly impossible to provide a service. Otherwise, consent would have been equated with a different GDPR lawful basis — contractual necessity, which is applicable in cases where data processing is needed to make it possible to provide a service requested by the customer (data subject). I hold that there should be a broad scope for businesses and their customers to structure their relationships under contractual necessity, but DPAs prefer to avoid this issue while interpreting contractual necessity as narrowly as they can get away with. In any case, consent — and the current debate about legality of “pay or OK” — become relevant once contractual necessity is no longer applicable. In other words, it becomes relevant at least beyond the minimum threshold of economic viability of a service. 

Second, it seems to me that EU data protection authorities (DPAs) do not want to engage in proactive price regulation for any digital services. Instead, they expect businesses to set prices and to “document their choices and assessment of whether a given fee is appropriate in the specific case” (EDPB Opinion 8/2024). The role of a DPA would then be to assess the reasons given, potentially including the economic/business case for the chosen prices. But what kind of justification do they expect exactly? I understand that there are at least three approaches to this discussed among DPAs.

1. “Cost-plus”

The first of those approaches is to expect businesses to justify their prices by reference to the costs and presumably some profit margin. This should militate against requiring businesses to provide services below cost without compensation (which would likely violate the EU Charter of Fundamental Rights). However, this would effectively impose a public utility-like framework on services that are more complex and dynamic than, e.g., water or electricity supply. Unlike in established public utility regulatory regimes, there would be little ex-ante clarity about how to apply “cost-plus.” Given the diversity of ad-funded digital services, providing a single set of detailed accounting rules for this purpose could be inadvisable.

2. Foregone revenue

As I wrote in “Meta’s paid subscriptions. Are they legal? What will EU authorities do?,” another option is to set as a benchmark the service’s historical average revenue per user (ARPU) from (personalised) advertising. However, this is fraught with issues like the example I gave:

Users are not identical. Wealthier, less price-sensitive users, who may be more likely to pay for a no-ads option, are also worth more to advertisers. Hence, the loss of income from advertising may be higher than just “old ARPU multiplied by the number of users on a no-ads tier,” suggesting a need to charge the paying users more than historical ARPU merely to retain the same level of revenue. Crucially, the situation will likely be dynamic due to subscription “churn” (users canceling their subscriptions) and other market factors. The economic results of the “pay or consent” scheme may continue to change and setting the price level will always involve business judgment, based on predictions and intuition. 

One additional argument being raised against the first two options is that they focus on the perspective of the service provider, which — at least to some — is insufficiently close to the question of assessing what counts as freely given consent. On that view, this issue should be assessed from the perspective of the customers (data subjects), i.e. from the demand rather than from the supply side. 

3. Willingness to pay

One way to take the demand perspective, is to focus on customers’ willingness to pay (WTP). The intuition behind this is that whether consent is “freely given” should be viewed from what customers (data subjects) are willing to do and that WTP could operationalise that. Specifically, what is being discussed is WTP not for the service as a whole (e.g., for using Facebook) but only for the option without personalised advertising. This raises many questions; here, I will only mention several.

Is the expectation that the price should be set at a level where users are at least indifferent among the alternatives or prefer the paid over free-of-charge option? But what if at any price above zero for the alternative option (many? most? virtually all?), users would prefer to pay zero and have personalised advertising? 

If users don’t value avoiding their data being processed for personalised advertising, then this approach may effectively force businesses to “bundle” no-personalised-ads options with other additional features (like not having any ads, even non-personalised). This way, the business may hope to create a service with positive WTP.

But I find strange the implication that you could only provide personalised ads-funded free-of-charge services if some large proportion of your customers value not having their data processed for such personalised ads enough to pay for an alternative service tier. The relationship between this and the actual legal standard of “freely given” consent seems very remote at best.

With that legal standard in mind, how should we consider that a price may be reasonable and easily affordable to a user, yet the user may still decide not to pay it? After all, the existence of freedom of choice between options A and B doesn’t entail that people will, in practice, split evenly between the options. Freedom of choice is compatible with everyone choosing one alternative. This may suggest that WTP is fundamentally inappropriate as a proxy for what privacy law requires. Instead, the right approach may focus on customer capacity to pay - as discussed below.

Finally, focusing on WTP to operationalise “appropriate fee” raises concern about what kind of entitlements the GDPR bestows on data subjects. Using WTP in this context suggests that customers are legally entitled to be provided a service without personalised ads at whatever price they prefer. However, this would be an extremely bold interpretation of a law (the GDPR) that does not explicitly contemplate any price regulation and would raise many Charter-compatibility issues.

All those approaches, cost-plus, foregone revenue, WTP, have significant shortcomings. Most importantly, it is hard to see how any of them fits the legal standard of “freely given” consent. There are, however, other possibilites - including the capacity view which I consider the best option.

4. Capacity to pay

Professor Martin Nettesheim proposed to look at this issue from the perspective of what values the GDPR aims to protect. He noted that when looking at data protection law as “empowerment,” then:

In principle, if the data subject is given the option of choosing between a monetarily priced service that is provided without the processing of personal data for ads and an unpriced service that is associated with the processing of personal data for ads, it benefits from a gain in digital autonomy. (...)

However, empowerment would not occur if the alternative offer was too disadvantageous so that it did not entail any expansion of individual options for action on the basis of a material concept of autonomy. A pay model cannot entail genuine empowerment if the price demanded is so high that it is beyond the  financial capacity of the average user. Anyone who is given the option to make use of a pay model but decides against it due to a lack of willingness to pay or for reasons of preference has been offered a genuine alternative, has then made a self-determined decision, and has thus been empowered.

I agree with Professor Nettesheim that focusing on the capacity to pay fits the GDPR standard better than willingness to pay.

5. Comparison with other services (price benchmarking)

In Netflix, Disney+, and Meta: what’s an “appropriate fee” for a subscription? I discussed an idea that Eric Seufert also explored: a fee is appropriate if it “doesn’t materially exceed those charged by comparable services.” This can be a helpful auxiliary argument for justifying a fee’s “appropriateness.” Price benchmarking may assist in determining whether a price exceeds the financial capacity of the average user. The existence of a market for comparable services at comparable prices suggests that the price level does not exceed customers' financial capacity.