"Pay or Okay" not here to stay
Europe is likely to say "non" to the idea of "Pay or Okay". As regulators set the bar for consent higher when the social cost of opting out is also high, are the ideas of privacy and consent merging?
If you live in Europe and use Facebook or Instagram, you might have received a popup in the past few months offering you the chance to pay about a tenner a month to use the platform, or to continue to use it for free. This was Meta's last hope at proving to EU regulators that its business model was legal under data protection rules. Their argument was that by clicking that you didn't want to pay (which I know you did, and which they knew you would do too), you had freely consented to the company using all of the data it could gather on and offline about you to serve you ads.
Yesterday we got an indication that Europe is likely to say "non". This is a problem for Meta, as Europe has already said no to its two previous attempts at fitting its square peg business model into the round circle of yellow stars that is GDPR. It may be running out of road. And this time regulators brought in the issue of market dominance; are we entering an era of "privopoly"?
Meta's 3 GDPR bowling pins
GDPR says that you cannot gather, hold and use personal data on people in Europe, unless they comply with one of 6 legal bases. For Meta, 3 are ruled out immediately ("legal obligation", "vital interest" or "pubic task") leaving 3 others: "contract", "legitimate interests" or "consent".
Strike one: contract
Meta initially relied on the grounds that users had entered a "contract" allowing them to collect and store personal data, and build its advertising business, a business that generates about $130 billion dollars a year. This was challenged the day GDPR came into force in 2018, with complaints lodged with the regulator, who for most tech companies is the Irish Data Protection Commission. It took 5 years, and the intervention (and frankly, slap on the wrist) of Brussels for the Commissioner to finally rule in early 2023 that Meta was not entitled to use the “contract” legal basis. It also issued €390 million in fines and gave them 3 months to figure out a way to become compliant.
Strike two: legitimate interest
Meta changed tack, selecting from its two remaining options "legitimate interests" as the legal basis of its business model. Any hopes that it may have had of another half decade of grace from our State were soon dashed. That July, the Court of Justice of the EU ruled against Meta using this as a basis for data gathering, which just left:
Strike three?: consent
In August 2023 Meta announced it would change legal basis again to "consent", its last remaining option. This should mean that Meta would have to ask and receive explicit consent to collect, store and use people (in Europe)'s data before allowing advertisers to use that data to target them with ads.
This is where "pay or Okay" comes in, with the company arguing that their users were now consenting, as they had "chosen" to not pay, an option that they claim would have given a service without behavioural ads.
This is, you will not be surprised to learn, being strenuously challenged, and Data Protection Authorities are weighing in (even the Norwegians got involved, their DPA publicly saying it “strongly doubts that Meta's proposed ‘consent’ mechanism, often dubbed ‘pay or okay’, complies with the GDPR”.
And then yesterday the the European Data Protection Board (the above mentioned wrist slappers) issued an opinion on the idea of "pay or Okay", specifically for very large platforms saying:
In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee.
This opinion is just that - an opinion, not a ruling. The last pin remains standing, if quite wobbly. It remains to be seen the impact this will have on the challenges being brought against Meta, but it does not bode well.
Privopoly?: a merging of privacy and monopoly
One last thing: this part of the opinion caught my eye:
detriment may arise where non-consenting data subjects do not pay a fee and thus face exclusion from the service, especially in cases where the service has a prominent role, or is decisive for participation in social life or access to professional networks, even more so in the presence of lock-in or network effects. As a result, detriment is likely to occur when large online platforms use a ‘consent or pay’ model to obtain consent for the processing.
It is a very wordy way of saying that when it comes to consent, size - and market dominance - matter. The bar for consent is higher when the social cost of opting out is also high.
This seems to be part of a trend of a merging of privacy and monopoly concepts, something we are likely to see more of as the Digital Markets Act kicks in. See also: The German Federal Cartel Office's interpretation last summer of antitrust law to determine that Meta’s data gathering across apps was a violation of BOTH competition law and GDPR. It said “when large internet companies use the very personal data of consumers, this usage can also be deemed abusive under competition law”.