Meta, the parent company of Facebook, has been advised by the European Data Protection Board (EDPB) against enforcing a "consent or pay" system on its users for data protection.
The EDPB, chaired by Anu Talus, emphasized the importance of providing users with genuine choices regarding their data privacy when implementing such models.
"Online platforms should give users a real choice when employing 'consent or pay' models. The models we have today usually require individuals to either give away all their data or to pay. As a result most users consent to the processing in order to use a service, and they do not understand the full implications of their choices," Talus said in an official statement.
Meta's "Consent or Pay" Framework
This advice comes amid Meta's introduction of a "consent or pay" framework in November, offering users the option to opt out of targeted advertising in exchange for a subscription fee.
This move by Meta has faced scrutiny from privacy advocates and consumer rights groups, as it represents a departure from its traditional revenue model of monetizing user data for targeted advertising. The company's reliance on data-driven advertising has previously led to clashes with EU regulators over data privacy concerns.
The recent statement from the EDPB follows requests for clarification from the data protection authorities of The Netherlands, Norway, and the German state of Hamburg regarding Meta's model.
In response to these inquiries, the EDPB issued an Opinion addressing the validity of consent in the context of behavioral advertising within such models deployed by major online platforms.
The Opinion asserts that in most cases, it may not be feasible for large online platforms to obtain valid consent if they present users with only two options: consenting to personal data processing for behavioral advertising or paying a fee.
EDPB Urges for Alternatives
The EDPB emphasizes the need for controllers to offer users alternatives that do not require payment for data protection. These alternatives should provide users with equivalent services without the need for targeted advertising based on personal data.
Furthermore, the EDPB underscores that obtaining consent does not exempt controllers from adhering to data protection principles outlined in the GDPR, including purpose limitation, data minimization, and fairness.
The Opinion outlines criteria for evaluating the validity of consent, including considerations of conditionality, detriment, imbalance of power, and granularity. Controllers must assess whether fees for services may unduly pressure users into consenting to data processing.
Additionally, controllers must evaluate whether there is an imbalance of power between users and the platform, considering factors such as market position, user reliance on the service, and the service's primary audience.
The EDPB also provides guidance on ensuring informed, specific, and unambiguous consent within "consent or pay" models, emphasizing the importance of transparency and user understanding.
In addition to the Opinion, the EDPB plans to develop comprehensive guidelines on "consent or pay" models, engaging with stakeholders to address broader issues related to data protection and user consent.