Consent-or-pay, also called pay-or-okay, is a compliance tactic used by certain companies, most notably Meta, to drive up the rates at which users consent to data processing under the European Union's General Data Protection Regulation (GDPR). It consists of presenting the user with a tracking consent notice, but only allowing a binary choice: either the user consents to the data processing, or they are required to pay to use the service, which is otherwise free to use if data processing is consented to. The tactic has been criticised by privacy advocates and non-governmental organisations such as NOYB and Wikimedia Europe, who claim that it is illegal under the GDPR. On 17 April 2024, the European Data Protection Board released a non-binding opinion stating that in most cases, consent-or-pay models do not constitute valid consent within the meaning of the GDPR.

Background

Under the GDPR, the processing of a natural person's personal data is only allowed under six lawful bases: consent, contractual necessity, legal obligation under EU or member state law, public interest, protection of vital interest of an individual, and the processor's legitimate interest.[1]

When the GDPR first came into force in 2018, Meta justified its processing of personal data by claiming that its terms of use constitute a contract under which the user consented to the processing of personal data.[2][3] However, this was challenged by Max Schrems, an Austrian privacy activist, who successfully argued that contractual necessity was not a valid basis of data processing when it comes to personalised advertising.[4] In response to this ruling, Meta changed its lawful basis for personal data processing from contractual necessity to legitimate interest, which was also found not to be a valid basis.[5][6] Meta then changed its lawful basis to consent, but chose to implement it in a way where users who consented to personalised advertising could use the service for free, while those who did not were required to pay a monthly subscription fee to continue using the service.[6]

Critics of this consent model have called it "pay-or-okay", claiming that the monthly fee is disproportional and that users are not able to withdraw their consent to tracking as easily as it is given, which the GDPR requires to be the case. Massimiliano Gelmi, a data protection lawyer at NOYB, has stated that "The law is clear, withdrawing consent must be as easy as giving it in the first place. It is painfully obvious that paying €251,88 per year to withdraw consent is not as easy as clicking an 'Okay' button to accept the tracking."[7][8]

On 17 April 2024, the European Data Protection Board released a non-binding opinion stating that in most cases, consent-or-pay models do not constitute valid consent within the meaning of the GDPR.[9]

European Commission investigation

On 1 July 2024, the European Commission announced that it had opened an investigation against Meta under the provisions of the Digital Markets Act (DMA), with the preliminary findings claiming that Meta's approach was not in compliance with the DMA, an assertion that Meta has disputed.[10]

Other users

Although Meta has faced most of the scrutiny and criticism regarding the use of consent-or-pay, other companies have also utilised the tactic. The Austrian Data Protection Authority (Datenschutzbehörde) has found that Der Standard, a German-language newspaper, has acted unlawfully by using consent-or-pay on its site, while others, including Der Spiegel, Die Zeit, Heise, the Frankfurter Allgemeine Zeitung, the Kronen Zeitung, and T-Online, have been accused of doing the same.[11]

References

  1. Schechner, Sam. "Meta's Targeted Ad Model Faces Restrictions in Europe". WSJ. Archived from the original on 20 October 2023. Retrieved 23 May 2024.
  2. Lomas, Natasha (4 January 2023). "Meta's New Year kicks off with $410M+ in fresh EU privacy fines". TechCrunch. Retrieved 23 May 2024.
  3. Schechner, Sam; Horwitz, Jeff. "Meta to Let Users Opt Out of Some Targeted Ads, but Only in Europe". WSJ. Archived from the original on 31 March 2023. Retrieved 23 May 2024.
  4. Lomas, Natasha (30 March 2023). "Meta tries to keep denying EU users a free choice over tracking -- but change is coming". TechCrunch. Retrieved 23 May 2024.
  5. Lomas, Natasha (30 October 2023). "Meta to offer ad-free subscription in Europe in bid to keep tracking other users". TechCrunch. Retrieved 23 May 2024.
  6. Lomas, Natasha (11 January 2024). "Meta faces another EU privacy challenge over 'pay for privacy' consent choice". TechCrunch. Retrieved 23 May 2024.
  7. Meyer, David. "'Meta is out of options': EU privacy regulators reject fee for avoiding tracking". Fortune. Archived from the original on 17 April 2024. Retrieved 23 May 2024.
  8. Dmitracova, Olesya (1 July 2024). "Meta accused of breaking European law with its 'pay or consent' model | CNN Business". CNN. Retrieved 11 July 2024.