EDPB Rejects META'S Pay or Consent Model
Over the last few years, Meta (previously Facebook) has received fine after fine for its noncompliance with the EU’s data privacy law, the GDPR.
In 2023 alone, Meta received the largest GDPR fine ever, €1.2 Billion, for continued transfer of data from European users to the U.S. Another fine of €390 Million was also issued in 2023 for non-compliance with general data processing principles.
After a first wave of legal problems, Meta switched from cookie consent to legitimate interests as a legal basis under the GDPR for personal information collection. However, last year the Norwegian Data Protection Authority challenged Meta’s legitimate interest basis as well.
Meta responded to these privacy issues by formulating a Pay or Consent model, which would be offered to users within the EU. Users of Meta products had a choice: pay a monthly fee and continue using Meta’s platforms that do not collect or process users’ data or accept the Cookie Consent and allow Meta to use personal information for advertisement or other purposes.
The Pay or Consent model, also called the Pay or OK model, offers users just two options: either users give their consent to advertising and tracking, or they pay a fee for using the service without being tracked.
Meta is one of six nominated gatekeepers, i.e. large online platforms, identified by the Digital Markets Act (DMA). These gatekeepers had to comply with new broader privacy obligations, set by the DMA, until March 6, 2024. Big Tech companies also need to comply with the Digital Services Act (DSA).
The EDPB Decision
The Dutch, Norwegian, and German supervisory authorities requested the European Data Protection Board (EDPB) to issue an opinion on the question of under which circumstances and conditions Consent or Pay models can be implemented by large online platforms.
Less than half a year after the introduction of the Pay or Consent model passed and the model was rejected.
On 17 April 2024, the European Data Protection Board issued a binding decision rejecting Meta’s Pay or Consent model and targeted advertising practices across the European Economic Area (EEA).
According to the EDPB opinion, to comply with the GDPR, large online platforms must get a valid user consent for the collection and processing of user data. The offering of only a paid alternative to the service which includes processing for behavioral advertising purposes is not valid consent. Large online platforms should provide data subjects with an equivalent alternative that does not include the payment of a fee.
Concerning the requirements of the GDPR, consent needs to be freely given. Any fee imposed cannot be such as to inhibit data subjects from making a free choice.
The EDPB opinion applies not only to Meta Pay or Consent model, but to all large online platforms, nominated as gatekeepers, which include Meta, Alphabet, Microsoft, Amazon, Apple, and ByteDance. The EDPB also said it would issue further guidance later this year on Pay or Consent models to smaller platforms as well, not only to the designated large platforms in the opinion.
Moreover, gatekeepers must offer granular Cookie Consent choices, provide a clear Cookie Consent request and comprehensive information about choices and consequences.
According to the opinion, Meta can still charge for reaching some pages or use contextual ads and alike, but tracking people for ads needs clear, explicit user consent.
However, in 2023, the Court of Justice of the European Union ruled that the subscription model is a legally valid way for companies to get user consent for personalized advertising. The latest EDPB opinion did not alter that judgment.
What Does the EDPB Decision Mean?
This EDPB opinion may have a huge impact on the most popular internet platforms and services like YouTube, Google search engine, Facebook, Instagram, LinkedIn, TikTok, and others.
However, the opinion is nonbinding. This means that the national data protection authorities will consider the Pay or Consent model on a case-by-case basis, evaluating the power between the individual and the data controller. The factors to be assessed include the position of the gatekeeper in the market, the extent to which the individual relies on the service, and the main audience of the service.
In the end, the national data protection authorities will make a final decision themselves. This opinion will certainly be considered by the authorities.
So, will it really bring changes to the Pay or Consent model across Europe?
The final decision of the national data protection authorities across Europe could be different. For example, the Norwegian authority could take this decision into consideration, while the Italian authority could still allow the Pay or Consent model.
Most probably, this decision is going to change the ads business model of Meta in Europe. Meta must now give users a clear and free option to accept or reject cookies for personalized advertising.
This change could also significantly impact other large online platforms and their clients, especially advertisers. If the number of personalized ads on Big Tech platforms decreases, these platforms will need to use other methods to get personalized data.
On the other hand, if fewer users are viewing ads on Big Tech platforms, advertisers may need to rethink their strategies like choosing other (smaller) platforms for marketing.
Conclusion
So, should we prepare for even more new developments in Ads privacy?
Most probably, yes. The landscape of privacy is changing rapidly.
Up to now, Google is taken the most active steps regarding new regulation for Big Tech companies by the DMA. It introduced Google Consent Mode version 2, which includes Behavioral modeling and Conversion modeling to compensate for the data loss. Users can choose from the Basic or Advanced consent mode.
Other gatekeepers are also expected to introduce new privacy technologies or approaches.
How to keep up with new, emerging privacy technologies?
Use the Consent Management Platform (CMP) to create your cookie banner and get valid cookie consent.
CookieScript CMP is a reliable, Google-certified CMP that offers one of the most configurable cookie banners to comply with privacy laws. CookieScript CMP includes the following functionalities:
- Google-certified CMP. CookieScript is a Google-certified CMP partner and comes with a full IAB TCF v2.2 integration.
- Supports Google Consent Mode v2. If you want to use Google services (GA4, Google Ads, gtag, and Google Tag Manager) in the EU or EEA, you need to use a Google-certified CMP.
- Local Storagge and Session Storage scanning and blocking. GDPR and other privacy laws require blocking of cookies, Local Storagge and Session Storage until user consent is given. However, majority of CMPs do not offer this functionality. CookieScript blocks both Local Storagge and Session Storage.
- Multiple integrations. CookieScript CMP integrates easily with Google services automatically via Google Tag Manager, so you could use Google advertisement products easily. The CookieScript CMP is also integrated with other platforms, including content management systems such as Drupal, Magento, Shopify, WordPress, PrestaShop, etc., and analytics platforms, including Google Analytics 4.
- Fully customizable. CookieScript CMP allows Cookie Banner behavior adjustments, and design customization, and has a self-hosted code option.
- Language and jurisdiction support. CookieScript Cookie Banner and cookie declaration report is translated into 30+ languages and has geo-targeting.
- Easy to set up. CookieScript CMP could be easily implemented in just a few steps in a privacy laws-compliant way using banner settings hints for different jurisdictions.
- Full compliance solution. CookieScript CMP comes with the Cookie Scanner, Privacy Policy Generator, script manager, and user consent manager. It blocks cookies, Third-Party Cookies, Local Storage and Session Storage, so you can be sure your website is compliant with the GDPR and other privacy regulations 100%!
Frequently Asked Questions
What is the Pay or Consent model?
The Pay or Consent model offers users just two options: either users give their consent to advertising and tracking, or they pay a fee for using the service without being tracked. In 2023, META implemented a Pay or Consent Model. On 17 April 2024, the EDPB rejected the validity of the model since such consent is not freely given, and thus it does not comply with the GDPR. Use CookieScript CMP to comply with the GDPR and other privacy laws.
What is the Pay or OK model?
The Pay or OK consent model offers users just two options: either users agree with cookie consent to collect their data for advertising and tracking, or they pay a fee for using the service without being tracked. In 2023, META implemented a Pay or OK consent model. On 17 April 2024, the EDPB rejected the validity of the model since such consent is not freely given, and thus it does not comply with the GDPR. Use CookieScript CMP to comply with the GDPR and other privacy laws.
What is the EDPB’s opinion about the Pay or Consent model?
On October 2023, META implemented a Pay or Consent Model. On 17 April 2024, the European Data Protection Board (EDPB) rejected the model since user consent obtained by such a way is not freely given, and thus it does not comply with the GDPR. Use CookieScript CMP to comply with the GDPR and other privacy laws.
Can I use the Pay or OK consent model to get consent?
On 17 April 2024, the European Data Protection Board (EDPB) rejected the Pay or OK model, implemented by META, since consent obtained by such a way is not freely given, and thus it does not comply with the GDPR. However, the opinion is nonbinding. This means that the national data protection authorities will consider the Pay or Consent model on a case-by-case basis. CookieScript CMP allows you to create a privacy-laws compliant cookie pop-up and get valid cookie consent.