The EDPB concluded that "in most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee."

The requirements for valid consent as referenced in the EDPB opinion create a high threshold for those large online platforms looking to use 'pay or ok'. Consumer activist groups such as noyb have cautiously welcomed the opinion but noted the limited scope of the decision to large online platforms.

This opinion does not resolve questions around platforms such as media publishing, where some organisations have operated 'pay or ok' online editions for several years. Therefore, it should be welcomed that the EDPB confirmed it will also develop guidelines on ‘consent or pay’ models with a broader scope and will engage with stakeholders on these upcoming guidelines.

Scope of the opinion

The scope of the EDPB opinion is limited to ‘large online platforms’. What constitutes a 'large online platform' will be considered on a case-by-case basis and is not defined. While not exhaustive or cumulative, the EDPB suggests that the following elements may be present:

• Controllers of ‘very large online platforms’, as defined under the Digital Services Act or ‘gatekeepers’, as defined under the Digital Markets Act.
• Platforms attracting a large amount of data subjects as users.
• The position of the company in their marketplace.
• An assessment of whether the platform conducts 'large scale processing', with guidance provided by Recital 91 of the GDPR and the Article 29 Working Party on what this constitutes. This includes the number of subjects concerned, the volume of data and the geographical extent of the processing activity.

Summary of the opinion

The EDPB opinion followed the introduction of subscription models for Instagram and Facebook in the EEA. Those users who did not choose the subscription model would effectively agree to the processing of their personal data for behavioural advertising. In response, consumer activist groups and national data protection authorities queried the validity of this mechanism. Data protection authorities in Norway, the Netherlands and the German state of Hamburg requested an opinion from the (EDPB) Article 64(2) GDPR. The activist groups such as noyb, issued open correspondence encouraging the rejection of these models, arguing that a two-tier privacy system would be created.

Within the opinion, the EDPB emphasises that personal data is not a tradeable commodity and the transformation of the fundamental right to data protection should be prevented. The EDPB is critical of the binary choice offered in 'pay or ok' mechanisms, stating this should not be the default method for data controllers.

An 'equivalent alternative' should be made available, effectively a third way between a paid account and a free account with targeted behavioural advertising. This third option would provide a free account "with a form of advertising involving the processing of less (or no) personal data" and the opinion recommends that this is given significant consideration by large online platforms.

However, in response to the supervisory authorities request for clarification on the validity of those existing 'pay or ok' models relating to behavioural advertising, the EDPB confirmed that any such model "may only be considered as valid to the extent that such platforms can demonstrate, in line with the principle of accountability, that all the requirements for valid consent are met."

The EDPB set out its views in relations to those requirements as follows:

• The consent must be freely given. This requirement has several elements:
  • Detriment: A user suffering detriment could result in consent not being given freely. For example, the imposition of a fee can effectively act to inhibit data subjects from making a free choice. Detriment can also arise where exclusion from a service is a possibility, particularly for prominent services decisive for participation in social or professional life.
  • Imbalance of power: The controller needs to consider the dynamics between the parties on a case-by-case basis including an assessment of the position of the platform, reliance by the data subject on the service, the main audience of the service and any lock-in or network effects.
  • Equivalent alternative: If the alternative version is different only to the extent necessary as a consequence of the controller not being able to process personal data for behavioural advertising purposes, it can be in principle regarded as equivalent.
  • Fee: As noted above, a fee can act as a nudge preventing genuine free choice. Where the equivalent alternative is subject to a fee, the controller should assess, "on a case-by-case basis, both whether a fee is appropriate at all and what amount is appropriate in the given circumstances, bearing in mind the need of preventing the fundamental right to data protection from being transformed into a premium feature reserved for the wealthy."
• The consent must be informed. Data subjects should be provided with clear and intelligible information including the scope and consequences of the processing activities linked to each of the options offered to them.
• The consent is an unambiguous indication of wishes, meaning that the large online platform should design the consent process in a way which does not involve deceptive design patterns, which would involve the user giving consent for other processing activities without their knowledge.
• The consent is specific. The large online platforms should precisely define and delimit the purposes of the processing activities for which consent is needed.

Furthermore, obtaining consent in the manner established above does not absolve large online platforms from other rules and principles under the GDPR. The EDPB highlighted that the principles of purpose limitation and data minimisation, fairness, data protection by design, data protection by default and accountability must all be considered.

Commission proceedings against Meta under Digital Markets Act

The opinion of the EDPB followed the decision of the European Commission to open proceedings against Meta examining "whether the Consent or Pay advertising model implemented by Meta in the EEA complies with the obligations laid down in Article 5(2)" of the Digital Markets Act which covers the obligations of designated gatekeepers under the Act.

In addition, the proceedings will examine whether the 'Consent or Pay' advertising model undermines Meta's capacity to comply with their obligations as a designated gatekeepers per Articles 13(4) and 13(6) of the Digital Markets Act.

United Kingdom

The ICO Call for Evidence on 'pay or ok' mechanisms in the UK concluded on 17 April 2024. Following the EDPB opinion, we await the views of the ICO with great interest.