Since the inception of the General Data Protection Regulation (GDPR) in 2018, there has been anticipation from civil society and apprehension from industry that its enforcement could signal the end of surveillance-based advertising and its associated tracking. A recent development occurred on April 17 when the European Data Protection Board (EDPB) issued a nonbinding opinion following Meta's introduction of a subscription option. This was in response to a ruling by the Court of Justice of the European Union, allowing users in the EU, EEA, and Switzerland to access an ad-free version of Facebook and Instagram for a monthly fee.
This initiative sparked criticism from civil society organizations and representatives from the European Parliament who argue that this binary choice equates privacy with luxury. Noyb, a strategic-litigation group led by Max Schrems, filed a complaint alleging that this "Pay or Okay" model does not provide users with a legitimate consent option under GDPR.
On April 17, the EDPB responded stating that it would generally be impossible for data controllers to meet valid consent requirements under GDPR if they only offer users a choice between consenting to personal data processing for behavioural advertising purposes or paying a fee. They argued that "pay or okay" models should offer users real choices.
The EDPB's opinion was issued following a joint request by European data protection authorities (DPAs). It is not legally binding but is intended to guide consistent GDPR enforcement across Europe. The scope of this opinion is limited to "pay or okay" models offered by large online platforms in relation to behavioural advertising.
The opinion suggests that a binary choice between free access supported by behavioural advertising or fee-paying service without such ads is unlikely to be GDPR-compliant – except in unspecified limited circumstances.
Interpretations of this opinion have varied widely. Some industry insiders view it as imposing an almost mandatory requirement for offering free privacy-preserving alternatives for obtaining valid consent. Civil society organizations have hailed the EDPB opinion as a step towards outlawing the binary choice between pay or okay, and in some cases, an indication that "pay or okay" models are illegal.
However, by using the qualifier "in most cases," the EDPB seems to acknowledge that it could be possible for large online platforms to lawfully charge for access to privacy-preserving models. In such instances, the EDPB advises data controllers to consider acceptable fee amounts on a case-by-case basis, warning that excessive fees could inhibit valid consent.
The EDPB's assertion that binary choices will likely violate EU privacy legislation contrasts with its implied concession that offering privacy-preserving options for a fee may be acceptable. This raises the question: under what circumstances would it be acceptable for a large online platform to charge a fee?
Whether consent to a behavioural advertising model is genuine depends on several factors. The GDPR stipulates key factors to consider when assessing consent validity: degree of detriment, imbalance of power, conditionality, and availability of an equivalent alternative version.
The European legal landscape is evolving. Since February this year, the Digital Services Act (DSA) has been fully applicable. Among other provisions, it bans ads presentation to children based on profiling and ads presentation to anyone based on profiling reliant on sensitive data.
The DSA applies to "very large online platforms" (VLOPs) – defined as platforms with more than 45 million users per month in the EU – which currently include Facebook, Instagram, Linkedin, Snapchat, and TikTok. These VLOPs will need to make changes free of charge that will significantly limit behavioural advertising.
How online platforms apply this nuanced opinion will largely depend on their risk tolerance. The opinion lays down groundwork enabling DPAs to find invalid consent when presented with a "pay or okay" model. It can thus be interpreted as a call-to-action for DPAs and a signal to large online platforms that they may have limited time before facing national-level scrutiny.
This is the first EDPB opinion on "pay or okay" models, but it will not be its last. The EDPB plans to produce guidelines on these models with a broader scope. The timeline for this is unknown. However, the next "pay or okay" battle may occur at the national level as it remains to be seen whether DPAs will proactively scrutinize large online platforms in the absence of free-of-charge, privacy-preserving alternatives. Companies should proactively offer GDPR-compliant options to users instead of waiting for likely regulatory action.
