How did it come about? We give some background with relevant dates and facts and, at the end, add an update following the Opinion that the European Data Protection Committee (ECDC) published in April 2024.
In January 2023, the European Data Protection Committee fined Meta 390 million euros for not having an adequate legal basis for personalised advertising to its users and ordered it to obtain users’ consent.
Following this sanction, Meta began to use the legal basis of legitimate interest to serve this personalised advertising.
Months later, in July 2023, the Court of Justice of the European Union (CJEU) ruled that Meta’s processing of users’ personal data for personalised advertising was unlawful.
In November 2023, the European Data Protection Board (EDPC) prohibited Meta from processing personal data in the EEA for behavioural advertising on the basis of the contract with users and legitimate interest. (We already discussed this decision in a thread on X).
After all this, what is the summary of the situation?
Meta has been basing the processing of its users’ personal data for personalised advertising on the service provision contract (1) and on its legitimate interest (2) and the data protection authorities have concluded that this is illegal.
And what happened after these decisions?
Meta (on Instagram and Facebook) has obtained the consent of its users by giving them the option to ‘pay or accept’, i.e.: ‘I, Meta, agree not to use your (user) data to provide you with personalised advertising in exchange for you paying me a subscription or accepting advertising cookies’. The company has relied on words that the CJEU included in its July 2023 ruling (quoted above) which said that users must have an alternative to consent ‘where appropriate in return for adequate remuneration’ (paragraph 150).
Faced with this action by Meta, NOYB, a non-profit privacy organisation, announced in November 2023 that it would file a complaint against Meta with the Austrian data protection authority, urging it to initiate urgent proceedings to stop the data processing it considers unlawful and suggesting that the authority impose a deterrent fine on Meta to ensure that no other company starts copying Meta’s approach.
Clearly, it is too late, and a large number of internet services have copied Meta’s ‘pay or ok’ approach and have started to ask for subscriptions or consent from their users to access their content.
What is the situation in Spain?
In Spain, these internet services have taken refuge in the Cookies Guide of the Spanish Data Protection Agency (AEPD) which establishes, in section 3.2.10, that ‘There may be certain cases in which not accepting the use of cookies prevents access to the website or the total or partial use of the service, provided that the user is adequately informed and an alternative, not necessarily free, access to the service is offered without the need to accept the use of cookies’.
In view of this situation, some Spanish privacy lawyers (with Jorge García Herrero as signatory) have filed a complaint against Meta before the AEPD regarding the implementation of ‘pay or ok’ (invalid consent). This complaint is based on the fact that the ECDC, in its binding decision of November 2023 (paragraph 221), urges the supervisory authorities of the member states to react to breaches of the GDPR on the basis of art. 58 of the GDPR.
Against this backdrop, we find two conflicting points of view:
1) The point of view of the user, who, in order to access certain content on the internet that until now he could see for free, has to pay a price that, in the long run, may turn out to be high. Let’s imagine that he has to pay a monthly subscription to use the social networks Instagram and Facebook: 12.99 x 2, that’s 311 euros per year; and if he wants to stay informed and read different newspapers, let’s say that one newspaper costs 0.50 cents per day (182 euros per year) and another one 11 euros per month (132 euros). The total is an average of 625 euros per year.
In this context, let’s imagine that the user subscribes, how easy is it to withdraw consent? Recall that the GDPR in its art. 7 states that it should be as easy to withdraw consent as it is to give it. NOYB has already filed an additional complaint against Meta regarding this difficulty.
2) Viewpoint of the business sector:
- The behavioural advertising business only works and is only possible if user data can be collected, and without this advertising, many websites cannot survive and continue to provide content free of charge.
- The media have to charge for their work and content, just as a newspaper or magazine used to be bought in paper form.
A number of questions arise:
- Don’t media outlets and companies such as Meta make far more money from advertising and the data they collect from each user than they do from subscriptions?
- Does the service provider really stop collecting data on the user when the subscription expires?
- Can the user reclaim all the money that the media, Meta and other websites have been charging by collecting data with cookies?
One thing is clear: currently, we can consider ‘pay or ok’ to be legal and we will have to wait for the supervisory authorities to finally decide whether the collection of consent through the ‘pay or ok’ mechanism is fully valid and compliant with the GDPR.
In the meantime, it is estimated that more than 95% of users prefer to consent rather than pay, so service providers will still be able to ‘legally’ collect a large amount of personal data.
Update
We wanted to add an update following the Opinion that the European Data Protection Supervisor (EDPS) published (April 2024) in response to a request under Article 64.2 of the GDPR from the Dutch, Norwegian and Hamburg data protection authorities.
Here is a brief summary of the opinion, as well as some points that seem important and at the same time unclear to us.
With regard to the legislation that the ECDC claims to take into account when drawing up its conclusions, it refers not only to the Data Protection Regulation (GDPR) but also to other related legislation, such as the Directive on privacy and electronic communications and the recent rules on digital services (DSA) and digital markets (DMA).
In relation to the scope of the Opinion, the ECDC seems to show both sides of the coin (to use a popular saying):
- on the one hand, it seems to say that this Opinion will only be applicable to large platforms when it states that it ‘focuses on the specific issues that arise in relation to the validity of consent sought by large online platforms since these platforms may be in a unique situation with regard to the criteria for the validity of this consent, for example with regard to the imbalance of power’;
- but, on the other hand, it leaves the door open to the possibility of applying some of its conclusions to other actors when it states that ‘the factors highlighted in this opinion will normally apply to large online platforms, but not exclusively… Some of the considerations expressed in this opinion may be useful more generally’.
In examining whether ‘pay or ok’ is valid, the ECDC dwells on two questions:
- Is the processing necessary?
  - It states that the answer to this question should be based on the principles of data protection: necessity, proportionality, data minimisation, lawfulness, fairness, transparency, data protection by design and by default, among others.
- Are the requirements for valid consent met? For this it takes into account:
  - Detriment to the data subject for not giving consent. There is a greater detriment in those platforms that were initially free, those based on user-generated content or interaction with others, those that cause user lock-in (because there are no other equivalent free platforms) or those related to job search.
  - Imbalance of power between the user and the platform (data controller). Account should be taken of the position of the company in the market that leads data subjects to experience that there are no realistic alternative means at their disposal, the dependency on the service, or the target or predominant audience of the platform (more imbalance if targeting children or vulnerable people).
  - Conditionality (required to access goods or services) and appropriate fee.
  - Granularity. ‘Consent is presumed not to have been freely given if the consent request does not allow data subjects to give their consent separately for different processing purposes.’
  - Information to the data subject. The controller should ensure that users understand what data processing will take place when they start using the service, including background activities. Avoid phrases such as ‘for a more personalised experience’ or ‘continue without paying’.
In short, the ECDC tries, throughout its paper, to convince the big players that offering (only) a paid alternative to the service that includes processing for behavioural advertising purposes (‘pay or ok’) should not be the way forward.
It does so, explaining with multiple examples how, although large online platforms are not obliged to always offer free services, making this additional alternative available to data subjects increases their freedom of choice, which in turn makes it easier for data controllers to demonstrate that consent has been freely obtained.
Furthermore, it states that companies are free to impose a fee, but reminds them of the principle of proactive accountability (Art. 5.2 GDPR) and warns: ‘if supervisory authorities find that consent is not freely given or that the principle of accountability has not been complied with, they may intervene and impose corrective measures’.
Notwithstanding the above, the Opinion does not set out a clear decision and concludes:
- that it will have to be reviewed on a case-by-case basis and
- that it is up to the supervisory authorities of each member state to assess the validity of consent, albeit within the framework and principles set out in this opinion.
For additional information, we also wanted to provide a compilation of issues to consider in relation to the user’s withdrawal of consent:
1) The user should be clear on how to revoke consent.
2) If the user revokes his consent, he should again have the possibility to decide between the possible options, i.e. to accept the processing for behavioural advertising purposes or to subscribe to the paid option (or to opt for the free alternative without behavioural advertising, if applicable).
3) A user’s decision to subscribe to the paid version of the service when he had initially consented to processing for behavioural advertising purposes constitutes a withdrawal of his consent.
4) The withdrawal of consent to processing for behavioural advertising purposes should entail the termination of all processing activities permitted by the data subject’s consent. This concerns not only the storage of and/or access to data on the terminal equipment for behavioural advertising purposes, but also the further processing of data collected for such purposes (e.g. where these data are subsequently shared with third parties). This is particularly relevant in circumstances where the controller uses a large advertising network to target and track individuals across multiple websites.
Article written by
Adriana Ranchal
Attorney – Privacy & IP