On 17 April, the European Data Protection Board adopted its opinion on pay-or-consent models, which found large online platforms' behavioral advertising practices fell short of satisfying the principles of data protection found in the EU General Data Protection Regulation.
This opinion will only add to the reverberations from the growing trend of offering EU users of an online service a monthly paid subscription in lieu of being subject to personalized targeted advertising that have already been felt throughout the broader advertising technology ecosystem.
The pay-or-consent subscription models are the latest manifestation of the years-long dance between EU regulators and businesses built on the online behavioral advertising business model. As a highly visible purveyor of behavioral advertising, Meta has been front and center in this discourse, and as a result of regulatory scrutiny, has become a de facto proxy for the greater adtech industry.
Of course, Meta did not invent pay or consent from whole cloth — other digital services have lawfully used similar models — but this is far from a story about Meta or subscription models alone. In fact, the EDPB's opinion only gives passing reference to Meta in a footnote explaining the context in which its input was solicited. The opinion is ultimately about the ground shifting underneath adtech and about the collision of data protection, competition law and the freedom to conduct a business in the EU.
How we got here
This conflict originates from argued incongruities between behavioral advertising business models and some of the EU's data protection principles, dating back decades to early frameworks for consent in a digital world.
This particular dispute came to the fore in February 2019, when the German competition authority found Meta — still going by Facebook at the time — to have abused its dominant position by imposing exploitative terms on the consumer through its processing of users' personal data. Facebook appealed, with the case heard by the Court of Justice of the European Union, which held in July 2023 that the tech conglomerate's dominant position did not invalidate consent on its own.
In a partially pyrrhic victory for Meta and similarly situated entities, the CJEU held that a social network operator's dominance must be accounted for in determining whether a user validly and freely gave consent but does not necessarily render consent invalid. Further complicating matters, without explanation the CJEU stated if a user refuses consent to processing for behavioral advertising, they must be offered an equivalent alternative not accompanied by such data processing operations if necessary for an appropriate fee.
Months later, Ireland's Data Protection Commission, pursuant to a binding EDPB decision, banned Meta from relying on contract and legitimate interest as legal bases for processing personal data for behavioral advertising, leaving the company with consent as its sole remaining option.
The CJEU decision loomed large, and the parameters it imposed on consent led Meta to offer the pay-or-consent model: a dichotomous decision for users to either consent to processing for behavioral advertising or pay 9.99 euros per month to not be subject to ads.
Separately, in March 2024, the European Commission opened proceedings against Meta to investigate whether the pay-or-consent model complies with the Digital Markets Act's requirement for designated "gatekeepers" to obtain consent from users when combining or using their personal data across different core platform services.
The Commission also sent Meta a request for information on the platform's compliance measures under the Digital Services Act related to Facebook's and Instagram's advertising practices, recommender systems and risk assessments related to the introduction of the subscription model.
Deeply interested stakeholders across the board have made their voices heard, with the efficacy and economics of behavioral advertising on one side and the purported harm to privacy and data protection on the other side.
Thirty-six members of European Parliament publicly wrote to Meta, coming out against the business model. On the eve of the EDPB plenary, 23 digital and consumer rights organizations released an open letter urging the board not to endorse Meta's "effort to bypass the EU's data protection regulations for the sake of commercial advantage." Industry groups and scholars have continued to debate and vouch for the practical considerations of subscription models and behavioral advertising generally.
At its 89th plenary meeting in January, The EDPB first suggested it would issue an opinion on the models "in the context of large online platforms" at the request of supervisory authorities in the Netherlands, Norway and the German state of HamburgIA. This set the stage for a modern-day Goldilocks tale — in search of an option that is "just right."
The EDPB opined: "In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioral advertising purposes and paying a fee. The offering of (only) a paid alternative to the service which includes processing for behavioral advertising purposes should not be the default way forward for controllers."
The EDPB's opinion provides insight into the rationale of an influential stakeholder and decision-maker that will define the practices of online advertising for years to come.
The brunt of the opinion examines behavioral advertising — a business model that the EDPB considers "a particularly intrusive form of advertising" — through the parameters of the EU GDPR valid consent requirement. It makes several significant observations and recommendations, but moreover shows the data protection currents running throughout the adtech ecosystem.
Meet the large online providers
Given the prevalence of pay-or-consent models in the adtech ecosystem, from digital content providers to news publishers — particularly in Germany — many controllers not directly involved in the kind of large-scale processing at issue had particular interest in how far the EDPB's opinion would reach.
In response to the requesting supervisory authorities, the EDPB's opinion ultimately only related to what it considers to be "large online platforms." In doing so, the opinion, for now, eased concern that its determination would gut the pay-or-consent model across all industries, instead targeting a handful of tech giants.
Qualifying as a large online platform — a designation that cuts against an entity's ability to obtain freely given consent and thus offer the traditional pay-or-consent model — requires nonexhaustive analysis of the amount of data subjects attracted, the position of the company in the market and whether it conducts "large scale processing" based on the number of data subjects concerned, volume of data and geographical extent of processing.
The opinion further indicates that, while not dispositive, a designation as a very large online platform under the DSA or a gatekeeper under the DMA may weigh toward finding an entity is a large online provider.
The EDPB pieces together the concept of large online providers from the EU's suite of digital policy legislation. The definition of "online platforms" analogizes to the DSA's "very large online platforms" and the DMA's "gatekeepers," categories that the large online provider definition may cover, but is not limited to.
Analysis of which entities may be considered large online providers appears best suited as an interdisciplinary undertaking that includes consultation between national supervisory data protection authorities and experts in fields of antitrust and consumer protection. In their analyses, national DPAs may further employ other aspects that may invalidate consent, such as the presence of deceptive patterns or nudging, concepts potentially implicated by the presence of too large a fee.
Competition and data protection
The CJEU decision in Meta Platforms and Others v. Bundeskartellamt, originating from claims raised by the German competition authority, contained findings related to navigating the intersection of competition and data protection concerning valid consent.
Valid consent must be freely given, and an imbalance of power between controller and data subject can preclude satisfaction of that element. In its opinion the EDPB, determined that, while classification as a large online provider will in most cases imply an imbalance of power, making that conclusion requires further analysis.
The EDPB worked to establish a framework to discern the extent to which a controller's market position suggests such a power disparity, setting out four factors: the position of the large online platform on the market, the existence of lock-in or network effects, the extent to which the data subject relies on the service and the service's main audience.
The opinion provides greater detail on each factor but essentially indicates an imbalance of power when the user does not feel free to use another service without detriment, such as when they have significantly invested in the platform; the platform is essential to their daily lives, job or access to information; or they are children or vulnerable persons. In these cases, consent cannot be valid without an offering of a third option beyond pay or consent.
Few platforms will fit these conditions, but the framework will have reach beyond its applicability to Meta. The EDPB includes "video/image-sharing platforms and platforms for communication, such as social media sites, dating platforms, discussion forums, or booking platforms with a large amount of users" as possible categories of qualifying entities.
An introduction to the 'free alternative without business advertising'
The opinion boils down to a recommendation from the EDPB for large online providers relying on behavioral advertising to offer three options to users: A paid version without behavioral advertising, a free version with consent to behavioral advertising and a free alternative without behavioral advertising.
Without the third option, obtaining freely given consent in the first option would, in most cases, be thwarted by a lack of genuine choice.
The EDPB offers the free alternative without behavioral advertising as a solution and compromise to solve the incongruity between the EU GDPR and personal data-hungry behavioral advertising business models.
As the EDPB writes, the free alternative without behavioral advertising "must entail no processing for behavioral advertising purposes and may for example be a version of the service with a different form of advertising involving the processing of less (or no) personal data, e.g., contextual or general advertising or advertising based on topics the data subject selected."
Whether a business model featuring a free alternative without behavioral advertising can remain competitive and profitable is a question raised by the opinion's critics and moreover a dialogue that requires rigorous balancing of the harms of behavioral advertising alleged by regulators against the profit margins of the companies that rely upon it.
The EDPB has defined the free alternative without behavioral advertising around what it is not. Precluding a business from charging users for a service or targeting ads based on personal data leaves it with one foreseeable option for revenue: contextual advertising, or ads based on the content viewed in that moment.
Despite regulators' desire for adtech practices that do not require privacy incursions, possibly via privacy-enhancing technologies, the free alternative without behavioral advertising appears synonymous with contextual advertising for now.
What's an 'appropriate fee'?
In its July 2023 decision, the CJEU indicated users who refuse to consent may be "offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations." This ruling spurred the models discussed herein, but provided no further context and left lawyers, economists and theorists to sort out the court's meaning.
The EDPB opinion may not provide a complete answer, but it does provide a bit more context for those hoping to find out.
The EDPB places further conditions on the appropriate fee option and cautions against allowing data protection to become "a premium feature for the wealthy," a concern voiced by privacy advocacy groups. The opinion imposes an upper fee limit commensurate with that which presents a genuine choice for data subjects without unlawfully nudging them towards consent.
It tasks national DPAs with case-by-case assessments of the validity of consent, again in consultation with other relevant authorities in areas like consumer protection and competition. This lays the foundation for further legal challenges with possible split decisions across the European Economic Area.
Given the opinion that the availability of a free alternative without behavioral advertising and not necessarily an "appropriate fee" on a paid version is what enables freely given consent, a large online platform could ostensibly offer a fee considerably higher than those seen currently, while still satisfying all consent requirements, as long as it offers a free alternative without behavioral advertising.
Lacking further regulatory guidance on determining fee appropriateness, the path has been paved for unintended outcomes with the potential for contentious legal challenge.
By tying analysis for estimating an appropriate fee to a data subject's autonomy, the EDPB eschews onlookers' efforts to quantify subscription model pricing through industry comparison or market benchmarks.
The EDPB's words and actions are constrained by the freedom to conduct a business enshrined in the EU Charter of Fundamental Rights and Recital 4 of the GDPR, which limits its ability to make directives on business practices like pricing, but inevitably regulators or courts will need to provide greater detail on fee appropriateness and monitoring.
This is not solely about consent
For as much as the opinion centers on the requirements for freely given consent — the "main character" of the opinion according to EDPB Litigation and International Affairs Legal Officer Diletta De Cicco — the EDPB makes clear that consent does not exist in a vacuum, and lawfully implementing a pay-or-consent subscription model goes beyond compliance with Article 6(1)(a) of the GDPR.
Within the confines of the GDPR, the opinion points out that processing must pay particular attention to principles of necessity, proportionality, purpose limitation, data minimization, data protection by design and by default, and accountability. The EDPB suggests many large online providers' behavioral advertising practices, as currently constituted, raise concerns in these areas and others.
The opinion's 42 pages urge controllers to consider requirements imposed by the e-Privacy Directive, the DMA and the DSA, which at times mirror those found in the GDPR but often go well beyond data protection and into competition, content moderation and disinformation.
What's next?
The EDPB intends to issue guidelines following its opinion, which is expected to reach beyond the scope of large online providers.
For Meta, ongoing EU investigations presage further regulatory instability around pay-or-consent models and behavioral advertising. The 22 March deadline has passed for Meta's response to the Commission's DSA requests for information regarding subscription models, with no requisite deadline for the Commission's response.
The Commission's noncompliance proceedings opened 25 March against Meta — substantially replicating the EDPB's concerns over consent — and are expected to conclude within 12 months, with preliminary findings possibly coming sooner.
Meta is the canary in the adtech coal mine, and these legal challenges will continue to impact the greater adtech ecosystem.
Elsewhere, regulators have been examining the legality of pay or consent in their jurisdictions. They are wary of what the future holds as regulatory scrutiny around behavioral advertising and consent intensifies worldwide.
The DPAs in the Netherlands, Norway, and the German state of Hamburg that requested the EDPB's opinion may issue their own decisions, which would have effect limited to their jurisdictions. The U.K. Information Commissioner's Office recently closed its call for views on the subscription models, while in the U.S., the California Privacy Protection Agency believes its regulations account for pay-or-consent models.
Several unanswered questions remain on subscription models — for example, on fee appropriateness, competence and scope — which will likely end up in national courts and the CJEU. In whatever form, these business practices will continue to serve as a key arena for the interplay between industry, regulation and fundamental rights.