Legality of Pay or Consent Models

1. Introduction

On January 17, 2024, the Data Protection Authorities of Norway, Germany, and the Netherlands requested the European Data Protection Board (“EDPB”) to provide an opinion on “pay or consent” models pursuant to Article 64/2 GDPR.

The request concerns the conditions under which pay or consent models can be applied when data is processed for behavioural advertising purposes by large online platforms that attract a large number of users in the European Economic Area, so as to satisfy the requirement of valid and in particular, freely given consent.

The requesting Data Protection Authorities emphasized that it is important to assess whether data subjects faced with pay or consent models can “exercise a genuine choice”, taking into account “the risk of deception, intimidation, coercion or significant adverse consequences” or “whether there is any element of coercion, duress or inability to exercise free will”.

In line with this request, the EDPB issued an opinion on the legality of pay or consent models on April 17, 2024. This article will analyse the EDPB’s opinion.

2. What is Pay or Consent?

The pay or consent model, also known as “Pay or Okay”, is a business model that has gained popularity on online platforms, particularly in the context of personalized advertising. In this model, users who visit a website are given two options:

1. either pay a fee to continue using the services offered by the website without their personal data being collected for targeted advertising,
2. or consent to data collection and use for targeted advertising in exchange for free access to the website’s services.

Although, this first option does not mean that data subjects are not tracked at all; data subjects may continue to be tracked for different purposes, such as analysing the use of a website to improve its functionality.

3. EDPB Opinion on Pay or Consent Models

In accordance with the EDPB’s underlying legal approach, even if the processing is based on consent, it does not justify the collection of personal data beyond what is necessary for the identified purpose or in a manner that is unfair to the data subject.

It should be assured that the processing complements and complies with the principles of necessity and proportionality, without considering that explicit consent will be enough on its own. Compliance with the principles of purpose limitation and data minimization is also of crucial importance. Under the purpose limitation principle, personal data should be collected for specific, explicit and legitimate purposes and, in connection with the data minimization principle, no data should be collected beyond what is necessary for those purposes. In this context, controllers have the responsibility to clearly define the purposes of processing, including processing for the purposes of behavioural advertising.

Within this context, controllers must first determine whether they need to process personal data for their relevant purposes and verify whether the relevant purposes can be achieved by less intrusive tools or by processing less personal data or by having less detailed or aggregated personal data.

Under these legal bases, the EDPB is indicating in its opinion that personal data cannot be treated as a tradeable asset and that the large online platforms cannot transform the fundamental right to data protection into a feature that data subjects have to pay to benefit from.

The EDPB states that providing only paid alternative to the service that includes processing for the purposes of behavioural advertising should not be the default path for controllers, instead, when developing an alternative to the version of the service that includes behavioural advertising, major online platforms should consider offering data subjects an ‘equivalent alternative’ that does not require payment of a fee. (including, for example, a different form of advertising that is not behavioural advertising).

If they decide to offer data subjects an “equivalent alternative” that involves payment of a fee, in order to ensure a ‘real’ choice and to avoid offering users a binary choice between paying a fee and consenting to processing for the purposes of behavioural advertising, controllers should also consider offering another alternative free of charge with a form of advertising that does not involve behavioural advertising, e.g. a less (or no) processing of personal data. This is a particularly important factor in assessing the specific criteria for valid consent under the GDPR.

The EDPB concludes that consent collected in the context of pay-or-consent models for behavioural advertising can only be considered valid to the extent that such platforms can demonstrate that the following requirements for valid consent are met in line with the principle of accountability:

• The consent is freely-given.
• The consent is informed.
• The consent is a clear indication of intentions.
• The consent is specific.

As obtaining consent does not exempt platforms from complying with the other rules and principles in the GDPR, the following principles should be complied with for platforms implementing ‘pay or consent’ models, not only when assessing whether consent is valid:

• Purpose Limitation and Data Minimisation: Clearly defining the purpose of the processing activities and ensuring that only personal data that is necessary to achieve this purpose is processed.
• Fairness: Considering the impact of the processing activities on the individuals’ rights and freedoms.
• Data Protection by Design: Implementing appropriate technical and organizational measures and integrating the necessary safeguards into the processing activities in order to meet the requirements of the GDPR and protect the rights and freedoms of data subjects.
• Data Protection by Default: Implementing of default processing settings and options (e.g. cookie management) in such a way that only processing that is necessary to achieve the defined lawful purpose is carried out by default.
• Accountability: Complying with the obligations set out in the GDPR, including the principles listed above, and being able to prove compliance with these obligations.

4. Is Pay or Consent Model Legal?

The pay or consent model first emerged through Meta, the owner of globally popular platforms like Facebook, Instagram, and WhatsApp, which have millions of users. Meta’s significant market dominance and its role as a social media giant have led to sudden policy changes that force users to choose between paying or allowing their data to be used for behavioural advertising. These changes are in direct conflict with the nature of GDPR regulations and the general understanding of data protection.

Meta offers the following options for users who do not prefer the subscription model:

1. Regardless of whether a person chooses to subscribe or not, everyone using Facebook and Instagram can continue to use the Privacy Centre to access a comprehensive range of tools that allow them to control how their information and data are processed. Those who choose to see personalized ads will also have full control over whether or not the information from third-party websites and apps is used to personalize the ads shown to them.

1. Those who choose to continue seeing personalized ads can also access features that allow them to further manage how their data is used to inform their ads, including the “Why am I seeing this ad?” feature and Meta’s long-standing ad preferences tools.

Although Meta claims that these options ensure a positive ad experience for those who prefer to use its free services, requiring data subjects to pay for control over their platform habits and other personal data would be contrary to their fundamental rights, which are explicitly guaranteed by various legal regulations.

Since this control is provided to data subjects free of charge as a right through various legal regulations and precedent decisions, companies charging for this right due to their marketing strategies and financial concerns should not be considered lawful, as noted by the EDPB’s opinion.

5. Conclusion

The pay or consent model announced by Meta in October 2023, after years of data privacy battles with data protection authorities in various countries, has not only failed to resolve these conflicts but has also sparked new debates. To address these discussions, the EDPB has published an opinion which we mentioned above, in which it finds this model to be contrary to the fundamental principles of GDPR.

The companies are expected to be more transparent in their data processing activities as part of their marketing strategies and to comply with legal obligations. It is crucial that any proposed solutions developed within this framework respect the rights of data subjects; otherwise, ineffective solutions like the “pay or consent” model will remain an issue.

6. Bibliography

1. Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms
2. Facebook and Instagram to Offer Subscription for No Ads in Europe

• EU: Understanding valid consent in ‘consent or pay’ models used by large online platforms

1. EDPB Opinion: Meta cannot rely on “Pay or Okay”

Writers: Att. Didem Kalaycıoğlu Birol, Att. İrem Naz Yıldız, Legal Counsel –DKB Legal Consultancy & Compliance

Note: The opinions and comments in the articles belong to the author or authors and do not reflect the opinions of the Ethics and Reputation Association on the subject.