A UK perspective on ‘consent or pay’ online advertising models

As published in Privacy Laws & Business, Katie Hewson and Eva Lu provide insight as the ICO says that in principle, data protection law does not prohibit business models that involve ‘consent or pay’.

In November 2023, Meta introduced a subscription model for its Facebook and Instagram services in the EEA and Switzerland. Users in these jurisdictions could pay for an ad-free version of the service at €9.99 per month when purchased online, or €12.99 per month when purchased through the Google or Apple app stores. Meta has since reportedly offered to reduce the subscription fee to €5.99.

Unlike the ad-supported free versions of other online platforms, Meta’s free versions of Facebook and Instagram will not provide users with an option to decide whether they want their personal data to be used for personalised advertising. If users don’t pay for the service, they will only get access to it if they consent to their personal data being used for behavioural advertising.

This controversial “consent or pay” subscription model has attracted attention from data protection authorities across Europe. Their focus is on the validity of such consent. The European Data Protection Board (EDPB) formally adopted an opinion1 in April 2024 (Opinion) concluding that “in most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee.”

There are no reports that Meta’s “consent or pay” model will be rolled out in the UK, but the UK Information Commissioner’s Office (ICO) has given some initial views on whether the model would comply with the consent requirements in the UK General Data Protection Regulation (UK GDPR). This article will look at how we arrived at this model, and the potential impact for a post-Brexit UK. In light of evolving AI technologies and the imminent demise of third-party cookies, we also explore what it signals for the future of online advertising.

Legal backdrop

Over the last few years, Meta has been in a battle with civil society groups and its lead supervisory authority, the Irish Data Protection Commission (DPC), over its lawful basis for processing personal data in the context of behavioural advertising. Online behavioural advertising allows advertisers and publishers to display targeted ads to users based on preferences and interests inferred from their web browsing activity and related datapoints. When the EU General Data Protection Regulation (GDPR) came into effect in 2018, Meta argued that the nature of its business model was to deliver personalised services to its users, and as such processing personal data to personalise ads was central to, and therefore contractually necessary for, its personalised service.

Following disagreement between EU supervisory authorities and after binding decisions from the EDPB,2 on 31 December 2022 the DPC fined Meta €390 million for breaches of the GDPR in relation to Facebook and Instagram, notably finding that Meta could no longer rely on performance of a contract as the lawful basis for processing personal data for behavioural advertising.3 With three months to comply with the decision, Meta announced that it would move to legitimate interests as its lawful basis from April 2023.

In the meantime, in a separate challenge between Meta and the German Federal Cartel Office, the Bundeskartellamt, the Court of Justice of the European Union (CJEU) had left the door open for Meta to introduce a fee for consent. In a preliminary ruling on that case on 4 July 2023, the CJEU stated that “users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations”.4 The CJEU did not elaborate on when or what is “appropriate” when it comes to imposing a fee, but indicated that consent may be valid even if the user must pay a fee for the alternative service.

On 1 August 2023, Meta announced it would move to consent as the lawful basis for behavioural advertising. While Meta was in dialogue with the DPC on its consent mechanism, the Norwegian supervisory authority imposed a temporary ban on Meta’s behavioural advertising practices where it relied on the performance of contract or legitimate interests lawful bases from 4 August 2023 to 3 November 2023.5 At the request of the Norwegian supervisory authority, the EDPB adopted an urgent binding decision banning such processing based on legitimate interests or performance of contract across the entire EEA on 27 October 2023,6 which the DPC adopted on 10 November 2023, giving Meta one week to comply.7

It was against this contentious backdrop that Meta announced the rollout of its “consent or pay” subscription model on 30 October 2023.8 In response, the Dutch, Norwegian and Hamburg supervisory authorities made a request to the EDPB to issue an opinion on the validity of “consent” in the context of the “consent or pay” model.

UK developments

The ICO issued a call for views on the same topic, while providing some of its initial views in relation to how this model could operate in a UK context.9 The ICO’s call for views closed the same day that the EDPB Opinion was published, on 17 April 2024.

Since Brexit, decisions of the CJEU are no longer binding in the UK and EDPB guidance is not applicable. While the ICO had taken an interest in adtech10 and published an Opinion on data protection and privacy expectations for online advertising proposals in November 2021,11 so far this has not resulted in the same level of adtech-related enforcement action as in the EU. Notably, the UK has not banned Meta from relying on contract or legitimate interests for its behavioural advertising activities. Meta is still relying on performance of a contract for this same processing in the UK.

Contrasting EDPB Opinion and ICO Views

EDPB Opinion

Scope: The EDPB limits the scope of its Opinion to when “large online platforms” implement “consent or pay” models for the purposes of behavioural advertising. However, it also states that some considerations in the Opinion may be useful for more general application of the “consent or pay” model, based on a case-by-case assessment. The EDPB does not define the term “large online platforms” but lists a few characteristics: whether they attract a large amount of data subjects as their users, the position of the company in the market, and whether it conducts “large scale” processing. The EDPB states that “large online platforms” may cover but is not limited to “Very Large Online Platforms” under the EU Digital Services Act (DSA) and “gatekeepers” as defined under the EU Digital Markets Act (DMA). The EDPB confirmed in its press release that it will develop guidelines on “consent or pay” models with a broader scope.12

Validity of Consent: The key focus of the EDPB Opinion is whether consent under a “consent or pay” model can be freely given. The EDPB Opinion reiterates some established interpretations of consent from the recitals of the GDPR,13 previous guidance14 and case law15. The EDPB highlights that consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if the data subject does not consent. The EDPB takes each of the main criteria in turn:

  1. Detriment – the success of Facebook and Instagram, and the fact these services have been free for the large part of almost two decades, means that users may suffer detriment if they do not give consent. The EDPB’s view is that, where lock-in or network effects are present, not using the platform or choosing another service may be hard or unrealistic.
  2. Imbalance of Power – the EDPB does not make a conclusion on whether there is an imbalance of power between Meta and its users but lists factors for making the assessment. These include the position of the company in the market, the existence of lock-in or network effects, the extent to which the data subject relies on the service, and the target or predominant audience of the service.
  3. Conditionality – the EDPB notes that a particularly important factor is whether a genuinely equivalent alternative is available from the same controller, which does not involve consenting to the processing of personal data for behavioural advertising purposes. This may be a version of the service with a different form of advertising, involving the processing of less (or no) personal data, such as contextual advertising, or advertising based on topics the data subject selected from a list of topics or interests.
  4. Granularity – data subjects should be free to choose which purpose of processing they accept and cannot be presented with blanket consents bundling different purposes such as personalisation of content or advertisements, service improvement and audience measurement.

ICO Call for Views

The ICO’s initial views do not differ too significantly from the EDPB. It plans to use the feedback it receives to update its guidance on cookies and similar technologies later in 2024.

In a similar way to the EDPB, the ICO does not rule out “consent or pay” models, and states that they are not in principle prohibited under data protection law.

Scope: The ICO’s initial views apply to ad-funded online businesses, potentially wider than the “large online platforms” mentioned under the EDPB Opinion.

Validity of Consent: On balance of power, the ICO emphasised that consent for personalised advertising is unlikely to be freely given when people have little or no choice about whether to use a service or not, which could be the case if the service provider has a position of market power. The ICO also notes special consideration needs to be given to existing users who may use the service extensively in their daily lives and may find it hard to switch, therefore also leading to an imbalance of power. Transparency of information and ability to withdraw consent without detriment are also important factors to the ICO.

On equivalence of an alternative service, the ICO does not detail that the alternative also needs to be free, but states that the ad-funded and paid-for services should basically be the same, giving the example that the services would not be equivalent if the paid-for version offered lots of other additional extras, in addition to being ad-free.

The ICO also provides more detailed guidance than the EDPB on the appropriateness of the fee. The ICO states that consent is unlikely to be freely given when the alternative is an “unreasonably high fee” and that the fee should be set so as to provide people with a realistic choice between the options, and the service provider needs to provide objective justification of the appropriateness of the fee.

The ICO doesn’t address the apparent EDPB perception that the average user of large online platforms is unlikely to be able to completely understand the ins-and-outs of online advertising, tends to over-rely on these platforms and could suffer great detriment if they weren’t able to access these services and is unlikely to genuinely want to receive behavioural advertising, even if it means receiving a free service.

Neither does the ICO address the key underlying concept in the EDPB Opinion that “data is not a tradeable commodity”.16 Arguably that’s far from how today’s society and Internet actually operate. However, the Opinion is clear that charging a fee for consent could disproportionately impact vulnerable or economically disadvantaged populations who cannot afford to pay for an ad-free experience that does not make use of their data. Use of this model could shift social expectations that the right to privacy is a luxury “reserved for the wealthy or the well-off”, as the EDPB puts it.

What does this mean for UK data subjects?

Meta is still relying on performance of contract to process UK users’ data for behavioural advertising purposes, rather than consent or legitimate interests. This has several key consequences for UK data subjects:

  • they will not have the right to choose whether to consent (or to withdraw any consent previously given);
  • they cannot object to the application of the legitimate interests basis; and
  • their right not to be subject to a decision based solely on automated processing may be limited, as it does not apply where the decision is necessary for entering into or performing such a contract.

These battles with regulators underline just how critical the revenue that companies like Meta derive from behavioural advertising is to their business models. They also indicate a divergence between the UK and the EU approaches to regulating behavioural advertising. Despite there being no substantive change in the UK data protection legislative framework since Brexit, and the reforms in the Data Protection and Digital Information Bill having been dropped, Meta has not faced the same level of scrutiny from the ICO on its behavioural advertising practices as it has in the EU. This perhaps comes down to a shift in regulatory and political priorities, driven both by growing user awareness and a changing online advertising landscape.

It’s also interesting to note that both the UK’s Digital Markets, Competition and Consumer Act and the UK’s Online Safety Act focus less on use of data for online advertising purposes than their EU counterparts, the DMA and DSA.

What does this mean for online advertising?

The requirement for specific consent to processing for behavioural advertising purposes, with or without payment, is likely to lessen the impact, at least in the EU, of the concentration of the online advertising market into the hands of a small number of gatekeepers.

This market shift is being hastened by continued moves away from the use of third-party cookies for targeted advertising. Major browsers like Safari and Firefox have already blocked third-party cookies, and Google plans to phase them out of its Chrome browser as part of its Privacy Sandbox.

Advancements in generative AI technologies could also consolidate these shifts in market concentration. OpenAI and Google have recently introduced new features in ChatGPT (with GPT-4o) and Google Search Generative Experiences (with AI Overview) that provide a more personalised, conversational and interactive user experience. Uptake of these types of tools means users could be more likely to rely on them to “browse” the web and do the searching for them, rather than visit numerous websites themselves. Requiring GDPR-standard consent to be obtained by the organisations that control the information flows for personalised advertising is a key part of the EU’s attempts to regulate this digital landscape. The landscape could look rather different for UK data subjects if the UK doesn’t follow suit.  

1 EDPB Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms, adopted on 17 April 2024.

2 EDPB Binding Decision 4/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Instagram service (Art. 65 GDPR), adopted on 5 December 2022 and EDPB Binding Decision 3/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Facebook service (Art. 65 GDPR), adopted on 5 December 2022.

3 www.dataprotection.ie/en/news-media/data-protection-commission-announces-conclusion-two-inquiries-meta-ireland

4 Judgment of the Court of Justice of the European Union of 4 July 2023, Meta Platforms Inc. v Bundeskartellamt, C 252/21, EU:C:2023:537, paragraph 150.

5 www.datatilsynet.no/en/news/aktuelle-nyheter-2023/temporary-ban-of-behavioural-advertising-on-facebook-and-instagram/

6 EDPB Urgent Binding Decision 01/2023 requested by the Norwegian SA for the ordering of final measures regarding Meta Platforms Ireland Ltd (Art. 66(2) GDPR), adopted on 27 October 2023.

7 www.edpb.europa.eu/news/news/2023/edpb-publishes-urgent-binding-decision-regarding-meta_en and www.edpb.europa.eu/system/files/2023-12/nationalenforcementnotice202311_ie_metaplatformsireland_en_0.pdf

8 about.fb.com/news/2023/10/facebook-and-instagram-to-offer-subscription-for-no-ads-in-europe/

9 ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/call-for-views-on-consent-or-pay-business-models

10 ico.org.uk/about-the-ico/what-we-do/our-work-on-adtech/

11 ico.org.uk/media/about-the-ico/documents/4019050/opinion-on-data-protection-and-privacy-expectations-for-online-advertising-proposals.pdf

12 www.edpb.europa.eu/news/news/2024/edpb-consent-or-pay-models-should-offer-real-choice_en

13 Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), Recitals 32, 42, 43.

14 EDPB Guidelines 05/2020 on consent under Regulation 2016/679, adopted on 4 May 2020 and EDPB Guidelines 8/2020 on the targeting of social media users, Version 2.0, adopted on 13 April 2021.

15 For example, Judgment of the Court of Justice of the European Union of 11 November 2020, Orange Romania. v Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), C-61/19, ECLI:EU:C:2020:901 and Judgment of the Court of Justice of the European Union of 27 October 2022, Proximus NV v Gegevensbeschermingsautoriteit, Case C-129/21, ECLI:EU:C:2022:833.

16 EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, version 2.0, adopted on 8 October 2019, paragraph 54.