The European Data Protection Board issued a highly anticipated opinion Wednesday that large online platforms implementing pay-or-consent models will, "in most cases," not comply with EU General Data Protection Regulation requirements for obtaining valid consent for processing personal data.

In its press release on the opinion, the EDPB stated that, "In most cases, it will not be possible for (large online platforms) to comply with the requirements for valid consent, if they confront users only with a choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee." While the opinion only applies to large online platforms, the EDPB said it would issue further guidance later this year on pay or consent to smaller platforms, outside the scope of what the body designates as "large platforms" in the opinion.  

The decision is nonbinding and either Ireland's Data Protection Commission will apply the opinion or the three data protection authorities that referred the matter to the EDPB — the Dutch, Norwegian and Hamburg data protection authorities — will issue their final decision on pay-or-consent models' legality in the context of the GDPR as they further investigate Meta, which had first sought to implement such a model. 

"Online platforms should give users a real choice when employing 'consent or pay' models," EDPB Chair Anu Talus said in a statement. "The models we have today usually require individuals to either give away all their data or to pay. As a result most users consent to the processing in order to use a service, and they do not understand the full implications of their choices."

In comments to The Privacy Advisor, Tobias Judin, head of the Norwegian DPA's international department, one of the three countries that referred the case to the board, said the EDPB opinion offers clarity to EU privacy professionals on how different elements of the GDPR requirement that users provide their freely given consent to allow for the processing of their personal data interact with one another.

Industry reacts

The EDPB opinion applies to companies designated as very large online platforms under the Digital Services Act.

However, Criteo Vice President for Government Affairs and Public Policy Nathalie Laneret, CIPP/E, CIPM, said the opinion barring large platforms from implementing a pay-or-consent model is to be "considered on a case-by-case basis" by EU DPAs, while also referencing platforms designated as gatekeepers under the Digital Markets Act could also be subject to the opinion. 

"Is the EDPB in fact creating a new category of 'GDPR VLOPs' in addition to the existing definitions of VLOPS under the DSA, gatekeepers under the DMA and dominant position under traditional competition law concepts?" Laneret said in comments provided to The Privacy Advisor.

"In the end, are the guidelines really bringing more consistency in the EU digital regulatory framework as they pretend they are? The guidelines appear to have a far-reaching impact way beyond the original scope of the GDPR as they may result in outlawing the monetization of some online services in practice," she said. 

Federation of European Data and Marketing Head of Policy Enrico Girotto said the opinion could open the possibility of a "tailored application of the GDPR exclusively for Very Large Online Platforms."

"(The opinion sets) a very high threshold for the adoption of the 'consent or pay model.'" Girotto said in an email. "While this interpretation raises questions on how the EDPB has weighted the freedom to conduct a business when drafting its opinion, it also makes one wonder how a lower threshold can realistically be applied for smaller economic players."

Judin, of the Norwegian DPA, said the EDPB sent a "clear signal" to the advertising technology industry.

"If your advertising practices are so intrusive that you have to rely on consent, you need to make sure that users are given a free choice," Judin said. "This could entail a big change compared to how the industry has operated to date."

Background

The DPAs of the Netherlands, Norway, and the German state of Hamburg originally referred the pay-or-consent question to the EDPB in January. They asked for EDPB clarity on the matter after Meta first sought to implement the model for its Facebook and Instagram platforms after the body issued a binding ruling in November 2023 banning Meta's targeted advertising practices across the European Economic Area, which was preceded by a 390 million euro fine issued to Meta by Ireland's DPC over its targeted advertising practices earlier last year.

Judin said the EDPB decision reconciles pay or consent in the context of the July 2023 Court of Justice of the European Union Meta v. Bundeskartellamt case, in which the CJEU ruled that member state competition regulators can legally play a role in GDPR enforcement and placed certain limits on social media companies utilizing users' personal data for targeted advertising.

"The EDPB today debunked the myth that 'consent or pay' is automatically okay," Judin said. "The opinion confirms that providing consent must entail a genuine free choice. When users are faced with 'consent or pay' models on large online platforms and they are not in a position to pay, they may face detriment as they could be excluded from services, connections or information that they rely on."

Others contend the EDPB opinion adds a new layer of uncertainty for obtaining valid consent. 

University of Surrey associate professor of Law Mikołaj Barczentewicz said that had the EDPB issued a stronger opinion against pay-or-consent models, it would have "contradicted what the CJEU said last July" in the Meta v. Bundeskartellamt case.

"The most important take-away is that the EDPB — however grudgingly — confirmed that 'pay-or-consent' models are, in principle, compatible with the GDPR," Barczentewicz told The Privacy Advisor.

In the opinion, Barczentewicz said, "the EDPB does not provide much clarity, speaking only of what they think is or isn't allowed for large online platforms in 'most cases.' This opinion will certainly be considered by national data protection authorities in their investigations of Meta, but the opinion doesn't prejudge what will be the final decisions that, for example, the Irish DPC will take." 

Privacy rights group NOYB overall applauded the EDPB opinion and said it presents an opportunity for companies to pursue a "third option" beyond a binary choice of users paying to have their personal data protected or consent to behavioral advertising, such as contextual advertising. NOYB Chairman Max Schrems said, while the decision starts a "more nuanced conversation discussion" on pay or consent, further exploration by regulators should render such models "unlawful across the board."

"Overall, Meta is out of options in the EU," Schrems said in a statement. "It must now give users a genuine yes/no option for personalised advertising. It can still charge sites for reach, engage in contextual advertising and the like — but tracking people for ads needs a clear 'yes' from users."