TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | 'Pay or consent:' Personalized ads, the rules and what's next Related reading: EDPB issues binding decision banning Meta's targeted advertising practices

rss_feed

""

In a widely discussed move, Meta gave Facebook and Instagram users the choice between paying for an ad-free experience or keeping the services free of charge using ads. The legal reality behind that choice is more complex. Users who continue without paying are asked to consent to the processing of their data for personalized advertising. In other words, this is a "pay or consent" framework for the processing of first-party data. 

Even though Meta's "pay or consent" framework is now reportedly a key target for a number of data protection authorities, this model is common in European digital services. Newspapers like Spiegel, Zeit and Bild present their readers with "pay or consent" choices, and such practices have already been subjected to scrutiny by DPAs, who, until now, leaned toward a permissive approach. 

Personalized advertising: Contractual necessity or consent?

Under the EU General Data Protection Regulation, personal data may only be processed if one of the lawful bases from Article 6 applies. They include, in particular, consent, contractual necessity and legitimate interests. When processing is necessary for the performance of a contract, according to Article 6(1)(b), then that is the basis on which the controller should rely. You may think if data processing, e.g., for targeting ads, is necessary to fund a free-of-charge service, that should count as contractual necessity. The authorities do not dispute that in principle, but there is a tendency to interpret contractual necessity very narrowly. Notably, in December 2022, the European Data Protection Board decided in Facebook and Instagram should not have relied on that ground for the personalization of advertising. And earlier this month, the EDPB decided Meta should also not rely on the legitimate interests basis.

The adoption of a narrow interpretation of contractual necessity created an interpretative puzzle. If we set aside the legitimate interests basis under Article 6(1)(f)), in many commercial contexts, we are only left with consent as an option, outlined in Article 6(1)(a). This is especially true where consent is required, not due to the GDPR but under national laws implementing the ePrivacy Directive (Directive 2002/58/EC); that is, for solutions like cookies or browser storage. Note, though, that these are not always needed for personalized advertising. The puzzle is how to deal with consent to processing needed to fund the provision of a service that does not fit the narrow interpretation of contractual necessity.

Consent, as we know from Articles 4(11) and 7(4), must be "freely given." In addition, Recital 42 states: "Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment." The EDPB gave self-contradictory guidance by first saying withdrawing consent should "not lead to any costs for the data subjects," but soon after adding that the GDPR "does not preclude all incentives" for consenting.

Despite some differences, at least DPAs in Austria, Denmark, France and Spain, and the Conference of the Independent DPAs of Germany generally acknowledge that paid alternatives to consent may be lawful. Notably, in a recent Grindr appeal, the Norwegian Privacy Board also explicitly allowed that possibility.

The CJEU and "necessity" to charge "an appropriate fee"

In its July 2023 Meta decision, the Court of Justice of the European Union weighed in, though in the context of third-party-collected data, saying if that kind of data processing by Meta does not fall under contractual necessity, then: 

"(...) those users must be free to refuse individually, in the context of the contractual process, to give their consent to particular data processing operations not necessary for the performance of the contract, without being obliged to refrain entirely from using the service offered by the online social network operator, which means that those users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations."

Intentionally or not, the court highlighted the interpretative problem stemming from a narrow interpretation of contractual necessity. The court said, even if processing does not fall under contractual necessity, it may still be "necessary" to charge data subjects "an appropriate fee" if they refuse to consent. Disappointing some activists, the court did not endorse the EDPB's first comment that refusal to consent should not come with "any costs". 

Even though the court did not explain this further, we can speculate it was not willing to accept the view that all business models simply have to be adjusted to a maximally prohibitive interpretation of the GDPR. The court may have attempted to save the GDPR from a likely political backlash to an attempt to use it to deny Europeans a choice of free-of-charge services funded by personalized advertising. Perhaps the court also noted that other EU laws, e.g., the Digital Markets Act, rely on the GDPR's definition of consent, which gives an additional reason to be cautious in interpreting this concept in ways that are not in line with current expectations.

Remaining questions

Based on previous statements from DPAs, there are a number of questions that will likely be particularly important for future assessments of "pay or consent" implementations under the GDPR and ePrivacy rules. The following list may not be exhaustive but aims to identify the main issues.

How specific should the choice be? The extent to which service providers batch consent to processing for different purposes, especially if users are not able (in a "second step") to adjust consent in a more granular way, is likely to be questioned. This is a difficult issue because giving users full freedom to adjust their consent could also defeat the purpose of having a paid alternative. 

In a different kind of bundling, service providers may make the paid alternative to consent more attractive by adding incentives like access to additional content or the absence of ads (including nonpersonalized ads). On one hand, this means service providers incentivize users not to consent, making consent less attractive in comparison. This could be seen as reducing the pressure to consent and making the choice more likely to be freely given. On the other hand, a more attractive paid option could be more costly for the service provider and thus require a higher price.

What is an "appropriate" price? The pricing question is a potential landmine for DPAs, which are emphatically ill-suited to deal with it. Just to show one aspect of the complexity: setting as the service's historical average revenue per user from personalized advertising as a benchmark may be misleading. Users are not identical. Wealthier, less price-sensitive users, who may be more likely to pay for an add-free option, are also worth more to advertisers. Hence, the loss of income from advertising may be higher than just "old ARPU multiplied by the number of users on a no-ads tier," suggesting a need to charge the paying users more than historical ARPU merely to retain the same level of revenue. Crucially, the situation will likely be dynamic due to subscription "churn," or users canceling their subscriptions, and other market factors. The economic results of the "pay or consent" scheme may continue to change, and setting the price level will always involve business judgment based on predictions and intuition. 

Some authorities may be tempted to approach the issue from the perspective of users' willingness to pay, but this also raises many issues. First, the idea of price regulation by privacy authorities, capping prices at a level defined by the authorities' idea of what is acceptable to a user, will likely face serious proportionality and competence scrutiny, including under Articles 16 and 52(1) of the Charter of Fundamental Rights. Second, taking users' willingness to pay as a benchmark implicitly assumes a legally protected entitlement to access the service for a price they like. In other words, this assumes users are entitled to specific private services, like social media services. This is not something that can be simply assumed, it would require a robust argument — and, arguably, constitute a legal change that is appropriate only for the political  legislative process. 

Imbalance: Recital 43 of the GDPR explains consent may not be free when there is "a clear imbalance between the data subject and the controller." In the Meta decision, the CJEU admitted the possibility of such an imbalance between a business with a dominant position, as understood in competition law, and its customers. This, too, may be a difficult issue for DPAs to deal with, both for expertise and competence reasons. 

The scale of processing and impact on users: Distinct from market power or dominance, though sometimes conflated with it, are the issues of the scale of processing and its impact on users. An online service provider, e.g., a newspaper publisher, may have relatively little market power but may be using a personalized advertising framework, such as a real-time bidding scheme facilitated by third parties, that is very large in scale and with more potential for a negative impact on users than an advertising system internal to a large online platform. A large online platform may be able to offer personalized advertising to its business customers, while sharing little or no information about who the ads are shown to. Large platforms have economic incentives to keep user data securely within the platform's "walled garden," not sharing it with outsiders. Smaller publishers participate in open advertising schemes, where user data is shared more widely with advertisers and other participants. 

Given the integration of smaller publishers in such open advertising schemes, an attempt by DPAs to set a different standard for consent just for large platforms may fail as based on an arbitrary distinction. In other words, however attractive it may seem for the authorities to target Meta without targeting the more politically powerful legacy media, this may not be an option.

What's next?

We don't yet know the full text of the EDPB's most recent decision related to Meta's personalized advertising, but the available information suggests it did not address the question of a paid alternative to consent. Perhaps Ireland's Data Protection Commission, to whom the EDPB decision is addressed and who will accordingly publish their own Meta decision soon, will include some relevant remarks. However, it is also possible that we will need to await the conclusion of the reportedly ongoing investigations. 

EDPB Chair Anu Talus told Politico DPAs will investigate ad-free paid subscriptions offered as an alternative to consent. She even said the EDPB is looking at "a fundamental change in the structures of digital marketing." If she means a crackdown on free-of-charge services that cannot be funded without personalized advertising, then this may be hard to square with the approach taken by the CJEU in the Meta judgment.

From a longer-term perspective, it is worth noting that the EU Council's 2021 mandate for the ePrivacy legislative process includes an explicit recognition of paid alternatives to consent in Recital 20aaaa. However, that recognition is qualified by an analogous consideration of "imbalance" under the GDPR, so even if the text is adopted, it will not override all the debates that are likely to take place in the near future.


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

5 Comments

If you want to comment on this post, you need to login.

  • comment Jay Libove • Nov 20, 2023
    I continue to be disappointed with news coverage of this issue which fails to see the elephant in the room: That Meta (Facebook), manipulatively, offered "ads-with-tracking" or "expensively, no-ads-at-all". The correct *choice* should have been "ads-with-tracking (without a money contribution by the user)" OR "ads-withOUT-tracking (with a small money contribution to make up for the modest real difference in per-user value in the absence of tracking)".
  • comment Oliver Kindzorra • Nov 22, 2023
    I'm personally disappointed with the EUCJ ruling as it gives any business the opportunity to gain "personal data as a payment" one way or the other. Either you consent and I get your personal data or you pay and I get your personal data. Personal data should never be intended as a payment. The other thing that bugs me about this decision is that it "forces" people into consenting, if they don't have the money to pay. My humble opinion on paywalls is that they either need to be forbidden (like deceptive designs) or that they follow a clearer guidance through regulation what can or can't be done. Cutting off people from information or their respective social networks to increase a companies revenue stream is something that I barely can cope with. It might be legal, but is it ethical? You be the judge! But if you find it unethical there is a strong demand for regulation. And I hope that law makers come to the same conclusion that regulation of that specific topic is really overdue.
  • comment Robert Bell • Dec 1, 2023
    There is nothing new about profiling or targeted advertising as that has gone on probably since there has been advertising, and media has long been supported by advertising revenue as well as supplemental subscription or one-time fees for print-media. Modern data privacy laws are trying to treat it differently than in the past to keep private businesses happy with their newfound powers of creepy electronic stalking, while offering incomplete protection to private persons. Meta (and any other company) should be able to serve ads all day, but not be allowed to track and profile users to serve content or ads even if the user wants to consent. A user can freely choose what they want to see but should not be fed based on a profile built by electronic monitoring/ stalking/ eavesdropping on anyone's correspondence on or offline. This should prevent all the inefficiency and doubt that continues to drag out unnecessarily around online ads and social media profiling and would re-establish Privacy as supreme to arbitrary commercial interests and monitoring of electronic correspondences by private entities.
  • comment Filippo Simondi • Dec 6, 2023
    I must say the approach towards "pay or consent" leaves puzzled and perplexed, as I still fail to see how such consent can qualify as freely given. 
    While I appreciate that businesses have the right to a revenue in exchange for their services (e.g. traditional printed newspaper were not handed out free of charge), the choice between either pay a monetary fee for a no ads experience or consenting to ads with tracking leading to constant monitoring of users' behaviour seems to not be considering the sensible middle ground of offering a service with ads without tracking; after all, while non-personalized advertising not relying on tracking may not be as efficient in terms of RoI, legacy media have historically heavily relied on it for decades. Ultimately, it sounds to me that ruling in favour of this model practically results in less affluent consumers being heavily pushed (if "forced" is too strong of a term) to sell their personal data and subject themselves to constant monitoring in exchange for access to rather basic services such as information or connection to peers. I feel like a no-frill version of such services with non-tracking ads should be available with cookies consent being a free choice with no drawbacks for refusing.
  • comment Oleg Blinov • Dec 30, 2023
    Awesome read, thank you. I believe the biggest problem are going to be situations where the DPAs will have to tackle arguments that a paid alternative is too pricy. Either they will hold themselves competent and thereby open up to challenges and criticism, or they don't, making GDPR fang-less as such paid alternatives schemes will flood the market.