Meta faces another EU privacy challenge over ‘pay for privacy’ consent choice

Adtech giant Meta’s bid to keep tracking and profiling users of Facebook and Instagram in Europe in spite of the bloc’s comprehensive data protection laws is facing a second challenge from privacy rights advocacy group noyb. It’s supporting a new complaint, which is being filed with the Austrian data protection authority, that alleges the company is breaching EU law by framing a choice that makes it far harder for users to withdraw consent to its tracking ads than to agree.

Wind your mind back to last year and you’ll recall a couple of major privacy decisions against Meta (in January; and July) invalidated the legal bases it had previously claimed for processing Europeans’ data for ad targeting — after literally years of privacy campaigner complaints.

What then followed, last fall, was a claim from Meta that it would be switching to a consent basis for tracking. However the choice it framed requires users who don’t want to be tracked and profiled to pay it for monthly subscriptions to access ad-free versions of its products. Facebook and Instagram users who wish to continue to get free access to the services have to “consent” to its tracking — which Meta claims is valid consent under the bloc’s General Data Protection Regulation (GDPR). But of course noyb, and the complainants its supporting, disagrees.

Where noyb’s earlier complaint against Meta’s version of consent, filed with the Austrian DPA last November, focused on how much Meta is charging users not to be tracked — an initial cost of €9.99/month on web or €12.99/month on mobile per linked account — which it argues is “way out of proportion” to how much value the company derives per user, this second complaint addresses how easy (or rather not easy) Meta makes it is for users to withdraw their consent to tracking under the arrangement.

Withdrawing consent in the scenario Meta has devised requires users to sign up for a monthly subscription. Whereas agreeing to its tracking is a breeze: Users just need click ‘okay’. The legal issue here is that the GDPR requires consent to be as easy to withdraw as it is to grant. So noyb’s follow-up complaint targets the inherent friction in Meta charging users money to protect their privacy.

“Once users have consented to being tracked, there’s no easy way to withdraw it at a later date,” it writes in a press release. “This is illegal. Despite Article 7 of the GDPR clearly stating that ‘it shall be as easy to withdraw as to give consent’, the only option to ‘withdraw’ the (one-click) consent, is to buy a €251.88 subscription. In addition, the complainant had to navigate through several windows and banners to find the page where he could actually revoke consent.”

Commenting in a statement, Massimiliano Gelmi, a data protection lawyer at noyb, added: “The law is clear, withdrawing consent must be as easy as giving it in the first place. It is painfully obvious that paying €251,88 per year to withdraw consent is not as easy as clicking an ‘Okay’ button to accept the tracking.”

Penalties for confirmed breaches of the GDPR can scale up to 4% of global annual turnover — but Meta, which raked in $116.61BN in 2022 by tracking and profiling its billions of users to sell targeted ads, is more likely to be concerned EU regulators could end up forcing it to actually offer users a genuinely free choice to deny its tracking, which could kneecap its regional tracking-ads business. Last year the company suggested around 10% of its global ad revenue comes from users in the EU.

An FAQ published last month by the Austrian DPA, on the topic of cookies and data protection, discusses the contentious issue of “pay or okay”, as charging for consent is sometimes called. In it the DPA writes [in German; English translations here are generated with AI] that paying for access to a website “can represent an alternative to consent” — emphasis its — however it says this is provided the GDPR is fully complied with, including consent being specific (i.e. non-bundled); that the company does not have a monopoly or “quasi-monopoly” position on the market; and the price for the payment alternative is “appropriate and fair” and not offered “pro forma at a completely unrealistically high price“, as it puts it.

However the DPA also notes there is no case law from the European Union’s top court on “pay or okay” yet — hence it caveats the FAQ as representing its “current view”. And many privacy experts expect that the issue will, finally, have to be settled via a referral to the CJEU.

In the meanwhile, GDPR complaints filed against Meta with EU DPAs are typically referred back to the Irish Data Protection Commission (DPC), which is the company’s lead data supervisor under the regulation’s one-stop-shop (OSS) mechanism. That means noyb’s complaints against Meta’s ‘pay or okay’ tactic will probably end up on a desk in Dublin sooner or later. Indeed, the Irish regulator has claimed to be reviewing Meta’s approach since the company floated the idea last summer.

If the DPC shifts its review of Meta’s approach to consent onto a formal inquiry footing it could still take years, plural, of investigation before a final regulatory decision on the tactic — as was the case with another noyb complaint against Meta’s legal basis for ads; filed all the way back in May 2018 but not decided until January 2023 (a decision that’s now under legal appeal by Meta in Ireland).

In that case, the decision which finally emerged out of Ireland was actually the DPC acting on instruction from the European Data Protection Board (EDPB), which had to step in to settle disagreements between EU regulators. So a speedy privacy clamp down on Meta’s gaming of consent seems unlikely — unless other DPAs decide to take matters into their own hands.

On paper, they can do this. Despite the existence in the GDPR of the OSS mechanism, which can lead to a lead authority being appointed to deal with complaints involving cross-border processing, the regulation includes emergency powers that allow other DPAs to take action to mitigate data risks in their own markets to protect local users. They can also follow up any interim measures they impose locally by asking the EDPB to make their temporary action permanent and EU-wide — as happened last year when Norway’s DPA petitioned the EDPB over Meta’s legal basis for ads. However, by then, Meta had already shifted its claimed basis to consent, meaning it could just sidestep the regulatory intervention. (Which just goes to show that enforcement delayed is enforcement denied.)

“The [Austrian] authority should order Meta to bring its processing operations in compliance with European data protection law and to provide users with an easy way to withdraw their consent — without having to pay a fee,” writes noyb, urging the imposition of a fine “to prevent further violations of the GDPR”.

noyb is also petitioning the Austrian DPA to instigate an urgency procedure — citing recent CJEU case law which it argues indicates that the discretion of DPAs to decide whether or not to instigate an urgency procedure is limited by “their duty to provide effective protection of data protection rights”. “Thus, in specific situations (like ours) the data subject has a right to an urgency procedure,” a noyb spokesperson suggested.

However, so far, they said the Austrian authority has resisted the call to take emergency measures. “The Austrian DPA has just told us that they received the complaint, that there is no right to an urgency procedure and that another DPA might be the leading supervisory authority. But the complaint wasn’t yet officially referred to the DPC as far as I know,” noyb’s spokesperson added.

While all these tortuous regulatory twists and turns have played out, the upshot for Facebook and Instagram users in Europe is that their privacy remains at Mark Zuckerberg’s mercy — unless or until they abandon using his dominant social networks entirely — since, in parallel with all these years of privacy scrutiny and sanction, the adtech giant has been able to keep cashing in on Europeans’ personal data the whole time; processing it for ad targeting despite its legal bases being under challenge or even, for several months-long stretches, invalidated (as happened in the months between its claim of (first) contractual necessity (and then legitimate interests) being ruled out and Meta switching to alternatives (earlier last year legitimate interests; now consent)).

That said, we are seeing more moves to litigate against Meta on privacy — such as the $600M competition damages claim being brought by publishers in Spain last year who argue its lack of legal basis for microtargeting users sums to unfair competition they should be compensated for — so the adtech giant could face a reckoning in the form of rising costs coming down the pipe over legacy data protection violations, as well as the prospect of future sanctions flowing from fresh privacy complaints if they lead to breach findings.

It’s worth noting the GDPR only has a limited number of legal bases (six) for processing personal data. Several are simply irrelevant for an adtech giant like Meta, while others have been ruled out by regulators and the CJEU. So its options for tracking and profiling users for ads have narrowed — to a single possibility: Consent. How Meta frames this choice is where the privacy action is now.