EDPB Opinion on Meta "Pay or Okay" and What It Means for Your Operations in the EU
Dive into the European Data Protection Board's (EDPB) opinion on Meta's 'Pay or Okay' model and its ramifications for businesses in the EU. Understand the requirements, alternatives, and potential impacts on large online platforms and media publishing businesses.
The European Data Protection Board has issued an opinion on valid consent in relation to Pay or Okay business models implemented by large online platforms. It requires large online platforms to give users a real choice about whether to pay with money, pay with personal data, or pay nothing at all.
This is how we arrived at the "Pay or OK" subscription model at Meta.
The initial business model of Meta, previously known only as Facebook, was to create a vast social network, inspire users to give them as much personal data as possible, and then match them with advertisers.
- To align this practice with the EU GDPR, Meta updated their Terms and Conditions in a way that enabled them to collect users' personal data based on their contractual terms. Simply put, if you use a Facebook or Instagram profile, you enter into a contract with Meta to process your data and match your profile with advertisers. After all, they are the only ones paying for the services and keeping the lights on in Meta.
- In February 2019, the Bundeskartellamt, the German Competition Authority, brought a decision against Meta (then Facebook), claiming it was against the law to process German users' data based on general terms and without consent.
- Facebook challenged that decision in front of the European Union Court of Justice (CJEU). In 2023, the CJEU's decision confirmed everything the Bundeskartellamt had already said.
- Meta had no choice but to make changes to its business model. They introduced the Pay or Okay model, where the EU users had the choice between paying a subscription and using the service without ads or using it for free but consenting to the processing of their data for behavioral advertising as always.
- The data protection authorities of the Netherlands, Norway, and Hamburg requested the EDPB for an opinion on the legality of the Pay or Okay model in terms of the EU General Data Protection Regulation. In April 2024, the EDPB issued an opinion.
What does the European Data Protection Board's opinion say?
On page 3 of the opinion, the EDPB summarizes the most important aspects of the whole document:
"The only paid alternative to the service, which includes processing for behavioral advertising purposes, should not be the default way forward for controllers." When developing the alternative to the version of the service with behavioral advertising, large online platforms should consider providing data subjects with an ‘equivalent alternative’ that does not entail the payment of a fee. If controllers choose to charge a fee for access to the ‘equivalent alternative’, controllers should also consider offering a further alternative, free of charge, without behavioral advertising, e.g., with a form of advertising involving the processing of less (or no) personal data. This is a particularly important factor in the assessment of certain criteria for valid consent under the GDPR. In most cases, whether a further alternative without behavioral advertising is offered by the controller, free of charge, will have a substantial impact on the assessment of the validity of consent, in particular with regard to the detriment aspect."
In simple words, Meta or any other large online platform would comply by offering EU residents the following options:
- Paid subscription
- A free account with targeted advertising
- Free account without targeted advertising, where advertising without data processing for profiling is allowed.
Basically, Meta should offer one more option to EU users: Whatsapp, Facebook, and Instagram—a free account with ads that are not targeted. Much like TV ads or website banners from the old days.
According to the EDPB, social media "is decisive for participation in social life or access to professional networks, even more so in the presence of lock-in or network effects." As a result, detriment is likely to occur when large online platforms use a ‘consent or pay’ model to obtain consent to the processing.
EDPB basically says that large online platforms are too big not to have an account with them. Therefore, if the only option is to pay with money, the choice to pay with data does not constitute freely given consent. There must be one more alternative where the user can get it all for free—without paying money or providing any data.
What Does the EDPB's Opinion on "Pay or Okay" Mean for Your Business?
Assuming that you don't operate a large online platform and don't operate on a pay or okay model, this opinion means nothing to you.
If you run a media publishing business, you are in the gray zone.
From a legal perspective, this opinion does not settle the issue and doesn't bring legal certainty. The Dutch, Norwegian, and German DPAs have requested the EDPB opinion, which, despite not being legally binding, plays a significant role in GDPR enforcement.
It focuses solely on large online platforms and doesn't mention anything about media publishers. The online editions of newspapers around the EU came up with the "pay or okay" business model much earlier than Meta. However, we remain uncertain about the treatment they might have received.
It will inform future decisions of the Meta Board but won't affect your business.
Are you required to keep your media publishing business ad-free?
Not for now. But no one knows what the future holds.
The GDPR evolves all the time. There are a fair number of data protection issues for which there are too many differing opinions and not enough case law.
Final Thoughts
Unfortunately, the GDPR creates legal uncertainty to some extent. It would have been better to hear EDPB's opinion on whether media publishing websites, like The Guardian or Der Spiegel, can rely on the "pay or okay" model or whether they should provide news and information free of charge or not.
Until then, all you can do is do your best to comply with what seems to be a requirement.
Get Started For Free with the
#1 Cookie Consent Platform.
No credit card required
Data Privacy and Responsible AI: A Guide for DPOs
Learn how to implement responsible AI while ensuring data privacy compliance. Discover practical strategies for Privacy by Design in AI systems, data minimization, and navigating privacy regulations. Essential reading for Data Protection Officers.
- Legal & News
Vietnam's Personal Data Protection Decree: Key Insights on Data Law
Explore Vietnam's new data privacy law, Decree 13/2023, which introduces strict regulations on personal data handling and cross-border transfers.
- Data Protection
Navigating Israel’s Data Protection Landscape: Key Compliance Insights for Businesses
Learn how Israel's Privacy Protection Law affects your business, including compliance requirements, data transfer rules, and key obligations.