Meta’s attempt to follow and profile Facebook and Instagram users in Europe against the bloc’s data protection regulations is facing a second lawsuit from Noyb. It supports a recent complaint filed with the Austrian data protection authority that argues the firm violates EU legislation by making it harder for consumers to withdraw permission for its tracking advertising than to accept it.
After years of privacy activist concerns, Meta lost two important privacy rulings last year (January and July) that invalidated its legal underpinnings for processing Europeans’ data for ad targeting.
Meta said last autumn that it would transition to consent-based tracking. Users who don’t want to be followed and profiled must pay monthly for ad-free versions of its goods. To continue using Facebook and Instagram for free, users must “consent” to their monitoring, which Meta believes is lawful under the GDPR. Naturally, Noyb and its complainants disagree.
This second complaint addresses how easy (or not easy) Meta makes it for users to withdraw their consent to tracking, compared to Noyb’s earlier complaint filed with the Austrian DPA last November, which focused on Meta’s initial cost of €9.99/month on web or €12.99/month on mobile per linked account, which it claims is “way out of proportion” to the value the company derives per user.
Meta’s consent withdrawal scenario needs a monthly membership. Users may easily consent to its tracking by clicking ‘okay’. Legal issue: The GDPR requires permission to be as simple to withdraw as to obtain. Noyb’s follow-up complaint addresses Meta’s difficulties in charging consumers for privacy.
“Once users have consented to being tracked, there’s no easy way to withdraw it later,” it says in a news statement. This is unlawful. Despite Article 7 of the GDPR saying that ‘it should be as simple to withdraw as to provide permission’, the only way to ‘withdraw’ one-click consent is to pay a €251.88 membership. Also, the complainant had to go through multiple windows and ads to locate the consent revocation website.
Noyb data protection lawyer Massimiliano Gelmi said: “The law is clear; withdrawing consent must be as easy as giving it. It is painfully evident that paying €251,88 per year to withdraw permission is not as straightforward as clicking ‘Okay’ to authorize tracking.”
Meta, which earned $116.61 billion in 2022 by tracking and profiling its billions of users to sell targeted ads, is more likely to worry that EU regulators could force it to offer users a truly free choice to deny its tracking, which could cripple its regional tracking-ads business. GDPR penalties can reach 4% of global annual turnover. The business estimated that 10% of its worldwide ad income originated from EU consumers last year.
The Austrian DPA’s cookie and data protection FAQ from last month addresses the thorny subject of “pay or okay,” or charging for permission. The DPA writes [in German; English translations here are generated with AI] that paying for website access “can represent an alternative to consent”—emphasis added—if the GDPR is fully complied with, including consent being specific (i.e., non-bundled), the company not having a monopoly or “quasi-monopoly” position on the market, and the price for the payment alternative being “appropriate and fair” and not offered in “pro form.”
The DPA states that the FAQ reflects its “current view” since the European Union’s highest court has not yet ruled on “pay or okay.” Many privacy experts anticipate that the CJEU will resolve the matter.
Under the regulation’s one-stop-shop (OSS) structure, Meta’s principal data supervisor, the Irish Data Protection Commission (DPC), often handles GDPR complaints from EU DPAs. Thus, Noyb’s concerns about Meta’s ‘pay or okay’ strategy will likely reach a Dublin desk. The Irish regulator has said it is studying Meta’s strategy since it proposed it last summer.
The DPC’s formal inquiry review of Meta’s consent strategy could take years before a final regulatory decision, as was the case with another Noyb complaint against Meta’s legal basis for ads, filed in May 2018 but not decided until January 2023 (a decision Meta is now appealing in Ireland).
The European Data Protection Board (EDPB), which is responsible for resolving disputes between EU regulators, gave the DPC instructions to issue that ruling from Ireland. A quick privacy crackdown on Meta’s consent gaming appears unlikely, unless other DPAs take action.
They can accomplish this on paper. Despite the GDPR’s OSS mechanism, which can appoint a lead authority to handle cross-border processing complaints, emergency powers allow other DPAs to mitigate data risks in their markets to protect local users. As Norway’s DPA did last year over Meta’s legal basis for advertisements, they may ask the EDPB to make any interim measures they impose locally permanent and EU-wide. Meta had already switched to consent, so it could avoid regulatory interference. This proves that enforcement delayed is not enforcement denied.
“The [Austrian] authority should order Meta to bring its processing operations in compliance with European data protection law and to provide users with an easy way to withdraw their consent—without a fee,” writes Noyb, urging a fine “to prevent further violations of the GDPR.”.
Noyb also petitions the Austrian DPA to initiate an urgency procedure, citing recent CJEU case law that limits DPAs’ discretion to do so by “their duty to provide effective protection of data protection rights.” “Thus, in specific situations (like ours), the data subject has a right to an urgency procedure,” a Noyb representative said.
They stated that the Austrian government has rejected emergency measures. The Austrian DPA informed us that they received the complaint, that an emergency process is not allowed, and that another DPA may be the primary supervisory body. I believe the complaint has not yet been sent to the DPC, Noyb’s spokeswoman said.
Facebook and Instagram users in Europe are at Mark Zuckerberg’s mercy unless they stop using his dominant social networks, because the adtech giant has been able to keep cashing in on Europeans’ personal data for ad targeting despite its legal issues.
However, publishers in Spain filed a $600 million competition damages claim against Meta last year, arguing that its lack of legal basis for microtargeting users amounts to unfair competition they should be compensated for. The adtech giant may face rising costs over legacy data protection violations and future sanctions.
The GDPR only allows six legal bases for processing personal data. Some are ineffective for adtech giant Meta, while the CJEU and regulators have prohibited others. Consent is its only option for monitoring and profiling users for ads. Where the privacy action is now is how Meta presents this decision.
Meta replies
In response to Noyb’s latest complaint, Meta spokesman Matthew Pollard declined to comment, but he pointed to a blog post the tech giant published in October announcing the “subscription for no ads” for Facebook and Instagram users in Europe, stating that Meta’s offer “addresses the latest regulatory developments, guidance, and judgments shared by leading European regulators and the court.”
Pollard also noted that the prior blog post’s option for users—continued free access while being monitored or pay Meta for ad-free access—“conforms to the direction given by the highest court in Europe.”.
“In July, the Court of Justice of the European Union (CJEU) endorsed the subscription model for consenting to data processing for personalized advertising. Many European data protection authorities, including France, Denmark, and Germany, have recognized the legitimacy of a subscription service as a model to get valid permission before that ruling.
However, France’s CNIL, which Meta’s blog post directly references, advises “case-by-case” analysis of “cookie paywalls” and warns that “the making the provision of a service or access to a website conditional on acceptance of the deposit of certain trackers is likely to harm, in certain cases, freedom of consent” [French text translated into English using AI].
The French regulator also advises publishers to provide “a real and fair alternative allowing access to the site and which does not imply having to consent to the use of their data” if users want to stop tracking.
For exclusive services like “dominant or essential service providers,” the CNIL advises that “the Internet user’s choice in such a case would, by definition, be constrained since the service in question is only available on the site provided.”.
“In [this] case, the publisher of the site requiring tracker consent must be particularly vigilant to the existence of a possible imbalance between him and the Internet user, which would deprive the latter of a real choice,” it says. He must make this option easy for users to obtain.
Since network effects keep Facebook and Instagram in control of social media, they are clearly dominating service providers. The CNIL’s paywall policy would likely need Meta to demonstrate that its non-tracking offering is easy to obtain.
Noyb claims that asking customers to pay a credit card and continuing costs is not “ease of access.” As mentioned above, the Austrian DPA advises against paywalls for companies with “a monopoly or quasi-monopoly position on the market,” like Meta’s social networks.
Publishers must charge “reasonable” fees for access to their material, and the CNIL urges them to provide an examination of their explanation to provide “greater transparency” for Internet consumers. Our request to Meta is to explain how it calculates the payments to prevent tracking advertisements. Update: Pollard answered, “Our pricing is firmly in line with similar subscriptions offered by other technology companies, e.g., YouTube Premium. It’s also important to note that our pricing includes the fees that Apple and Google charge through their respective purchasing policies.”
Meta has justified its “no ads” subscription price by comparing it to Netflix, Spotify, and YouTube. As we’ve noted, Meta gets its user-generated material for free, whereas streaming providers spend a lot to license professionally created music, TV shows, films, etc.
Meta’s previous assertion that its membership is comparable to Reddit’s ad-free premium package, which costs less than Facebook and Instagram’s, seems doubtful. Meta double dips by charging customers for each account they have on its services, so those with many social media accounts will pay extra.
The CNIL advises publishers not to unfairly bundle consent, saying “targeted advertising and personalization of editorial content are two different purposes that must be distinguished when determining the purposes governing access to the service.”.
Users only have two options with Meta: consenting to its monitoring or paying for “ad-free” material. Facebook and Instagram monitor users to organize content streams; thus, paying to avoid tracking advertising may not prevent their personal data from being used for other content customization. As the regulator examines this complaint, the CNIL may identify more issues.
According to the Danish guidance cited in Meta’s blog post, consent must be voluntary in cookie paywall scenarios. The regulator asks if an approach where visitors can pay for access to content or services meets this voluntary requirement and what requirements it must meet.
A “general lack of clarity” exists about the legality of ‘pay or okay’. Four criteria will be used to evaluate the issue, including setting a “reasonable price” for the payment alternative. The regulator warns that “the pricing of this alternative must not be so high that the visitors’ freedom of choice is rendered illusory in practice.”.
Meta’s blog post also references a March 2018 Conference of Independent Data Protection Supervisory Authorities of the Federal and State Governments decision that emphasizes the need for consent to be “freely given” to meet GDPR requirements. However, regulators state that ‘pay or okay’ is feasible “in principle”.
Their opinion also cautions against ‘accept all’ consent for diverse processing objectives.
The German authorities state, “If there are several processing purposes that differ significantly from one another, the requirements for voluntariness must be met in such a way that consent can be granted on a granular basis.” This implies that users must be able to actively choose the objectives for which permission is needed. Bundling purposes are only possible if they are closely connected. This cannot be consented to for all purposes.”