Meta’s “Pay or Consent” Model Instills Consumer Protection Issues in European Union

Introduction

The EU Consumer Protection Agency has rallied against Meta’s “Pay or Consent” model, claiming it is entirely too aggressive and coercive, fundamentally undermining the principles of GDPR. Will Meta survive the formal challenge to its last resort of legal basis to process mountains of personal data for behavioral advertising?

Article

On February 29, 2024, the European Consumer Organization (BEUC), filed its own Complaint against Meta’s “Pay or Consent” model, heading its press release in bold lettering, “…Meta’s massive, illegal data processing behind its pay or consent smokescreen.”

Ursula Pachl, Deputy Director General of the BEUC, said, “Meta has tried time and time again to justify the massive commercial surveillance it places its users under. Its unfair ‘pay or consent’ choice is the company’s latest effort to legalize its business model. But Meta’s offer to consumers is smoke and mirrors to cover up what is, at its core, the same old hoovering up of all kinds of sensitive information about people’s lives, which it then monetizes through its invasive advertising model. Surveillance-based business models pose all kinds of problems under the GDPR and it’s time for data protection authorities to stop Meta’s unfair data processing and its infringing of people’s fundamental rights.”

What is Meta’s “Pay or Consent” Model?

Back in November 2023, Meta, formerly Facebook, rolled out its ill-received policy update within the EU. The policy requires users to either consent to their data being utilized for personalized advertising or to opt for a subscription-based, ad-free experience. The subscription costs €9.99 per month for web users and €12.99 per month for mobile users, providing an alternative to the traditional ad-supported model.

This model emerged after Meta faced legal challenges regarding its former legal bases for user data processing for ad targeting, leading to a shift towards this consent or payment approach. European Consumer Protection agencies remain unimpressed, claiming consent in this form is not validly collected, as argued in their white paper.

Forcefully Acquiring Legal Grounds for Data Processing

The GDPR provides a variety of legal bases for personal data processing, such as contract, legitimate interest, business purpose, and more, none of which Meta has successfully argued entitlement. Now, Meta is playing its last card: consent.

The February 2024 complaints highlighted the lack of legitimacy under GDPR, specifically attacking Meta’s grounds for data-processing as follows:

• Meta’s personal data processing for advertising purposes lacks a valid legal basis because it relies on consent, which has not been validly collected for the purposes of the GDPR;
• Some of Meta’s processing for advertising purposes appears to rely invalidly on contract;
• Meta cannot account for the lawfulness of its processing for content personalization since it is not clear – and there is no way to verify – that all of Meta’s profiling for that purpose is (a) necessary for the relevant contract and (b) consistent with the principle of data minimization;
• It is not clear – and there is no way to verify – that all of Meta’s profiling for advertising purposes is necessary for that purpose and therefore consistent with the principle of data minimization;
• Meta’s processing in general is not consistent with the principles of transparency and purpose limitation; and
• Meta’s lack of transparency, unexpected processing, use of its dominant position to force consent, and switching of legal bases in ways that frustrate the exercise of data subject rights, are not consistent with the principle of fairness.

User consent is the last available option for Meta to justify its massive data collection and processing. This false option of privacy in exchange for an ad-free experience is aggressive and forces users to consider a monetary cost instead of considering their individual right to privacy. Therefore, as the BEUC argues, consent obtained through this medium is entirely invalid.

---

The Hall Booth Smith Data Privacy & Cybersecurity team continues to monitor the situation.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.