The EDPB invalidates Meta’s use of Pay or Okay. What next?

The European Data Protection Board (EDPB) yesterday adopted an opinion on the valid use of the “Pay or Okay” model by, what it calls, “large online platforms.” The EDPB determines in its opinion that large online platforms, “in most cases,” will not comply with the GDPR in implementing a Pay or Okay model. It should be noted that the opinion isn’t a legal judgment or enforcement action and merely invites further consideration.

The DPAs of the Netherlands, Norway, and Hamburg requested that the EDPB provide such an opinion in January, a few months after Meta instituted the Pay or Okay model. I have covered Meta’s implementation of the Pay or Okay model, as well as its odyssey with the EU’s privacy apparatus throughout 2022 and 2023, extensively; for more background on Meta’s implementation of Pay or Okay, see:

• Meta’s inevitable detour with EU privacy: “Pay or Okay”;
• Meta, subscriptions, and the EU’s Privacy Gordian Knot;
• Europe’s misguided hostility towards Pay or Okay.

In that last piece, I point out that Pay or Okay has been used for years by many legacy media outlets across Europe, following the introduction of the GDPR. The EDPB gets around this inconvenient reality in the opinion by providing elements — loosely and non-exhaustively — to consider when assessing whether some data controller qualifies as a “large online platform,” for which its opinion’s conditions on validity under the GDPR apply:

1. The first consideration is that “large online platforms” are “platforms that attract a large amount of data subjects as their users”;
2. The second is a company’s “position in the market”;
3. The third is whether the company conducts “large scale processing,” which isn’t defined by the GDPR but for which guidance was given in the Article 29 Working Party, which was an independent EU advisory board that essentially preceded the EDPB. The factors that go into this determination include “the number of data subjects concerned, the volume of data and the geographical extent of the processing activity”;
4. The fourth is whether the company is identified as a Very Large Online Platform by the DSA or a Gatekeeper by the DMA.

In limiting the scope of applicability of its opinion to “large online platforms,” the EDPB allows the Pay or Okay model to be considered for Meta independently of, for instance, the newspapers that have employed it and survived scrutiny under the GDPR.

The journey to the EDPB’s (fairly qualified and irresolute) conclusion in the opinion follows this logical path:

1. In order for consent to be valid, it must be freely given;
2. Freely given consent may be impossible in the case when a large online platform only offers two options in a Pay or Okay model: pay a subscription or be subject to behavioral advertising through data processing. The EDPB argues that, among other reasons, a power imbalance exists between large online platforms and consumers that unduly coerces consent; that consumers may believe they will experience a detriment by not consenting; that the processing of data isn’t required in order to fulfill the core function of the service (contract); and whether the consumer can consent to specific, granular purposes for their data being processed. The EDPB argues that a binary “Pay or Okay” model by a large online platform doesn’t satisfy these criteria for “freely given” consent;
3. In order to facilitate “freely given” consent, the EDPB determines that large online platforms must offer a third option in a Pay or Okay model: a “Free Alternative without Behavioural Advertising” that offers the same functionality of the paid version of the service without behavioral advertising being applied. The EDPB proposes that the existence of this free alternative is “a particularly important factor to consider when assessing whether data subjects can exercise a real choice” and consent validly.

The EDPB defines this “Free Alternative without Behavioural Advertising” in the following terms:

This alternative must entail no processing for behavioural advertising purposes and may for example be a version of the service with a different form of advertising involving the processing of less (or no) personal data, e.g. contextual or general advertising or advertising based on topics the data subject selected from a list of topics of interests. This is also linked to the principle of data minimisation as recalled in Section 4.1: controllers should ensure that only personal data that is necessary for the purpose of placing such advertisement would be processed. Controllers should in any event bear in mind the need to comply with Article 6 GDPR and Article 5(3) of the ePrivacy Directive when applicable.

I make my thoughts on the general hostility towards Meta’s use of the Pay or Okay model clear in this piece, and I’ll avoid repeating them. I also don’t feel equipped to weigh in on whether the EDPB’s opinion will withstand a legal challenge. After all, the EDPB’s opinion doesn’t contradict the CJEU’s commentary around the possibility for paid alternatives — priced at “an appropriate fee” — to behavioral advertising being compliant with the GDPR. I know that all scaled social media platforms were looking to the EDPB’s opinion to determine whether they would follow Meta’s lead in implementing the Pay or Okay model. In this article, I’ll outline three possible options for how I think Meta (and, by extension, other social media platforms) will adapt to this change in operating guidance.

Increase ad load in Facebook and Instagram

The most obvious approach that Meta could take in complying with the EDPB’s guidance in the opinion would be to offer a “Free Alternative without Behavioural Advertising” with a much higher ad load than the free version that is monetized through personalized advertising. This version could compensate for lower ad prices with contextually targeted ads by simply exposing more of them. Meta noted in its Q1 2023 earnings call that 10% of its advertising revenue is derived from users in EU countries (note that my understanding is that this number pertains only to the Facebook app and not the company’s overall advertising revenue). Some of this revenue is contributed by brand advertising which is already contextually targeted. Meta could make up for the delta in advertising prices from direct response ads by showing a greater number of contextually targeted ads per session.

Of course, this runs a risk: the EDPB may view the higher ad load in the X as a detriment faced by the consumer in not consenting to their data being processed or paying a subscription. In its opinion, the EDPB states:

In order to avoid detriment within the meaning of Recital 42 GDPR and ensure that data subjects have the possibility to make a genuine choice, the manner in which the service is offered as well as the fee (if any) should not be such to effectively inhibit data subjects from making a free choice, for example by nudging the data subject towards consenting.

The opinion primarily defines detriment within the context of lock-in and network effects. But the EDPB could simply re-position detriment as the reduced ratio of content-to-advertising relative to the version that utilizes behavioral advertising. Meta could ultimately argue that any “Free Alternative without Behavioural Advertising” should be capable of monetizing to the same degree as the variants that utilize a subscription or behavioral advertising. Still, it’s unclear if the EDPB would accept this premise.

Meter Facebook and Instagram usage by engaged ad views

As an alternative to higher ad load, Meta could meter Facebook and Instagram usage by engaged ad views, forcing users to, for instance, watch a non-skippable video ad per some number of minutes of usage or consumption of units of native content. This approach would “front-load” consumption through ad exposures: a non-skippable ad would command higher prices than a static or video ad in the feed that could be scrolled over. Further, the exposure of non-skippable ads would solve for viewability measurement.

Meta could point to Spotify or YouTube as examples of services that employ this same product engagement model: a free tier with non-skippable ads every so often and a paid tier with no ads. Of course, the EDPB’s definition of a “large online platform” is so vague that this new opinion may apply to Spotify and YouTube, as well.

Charge a nominal fee for the ad-supported versions of Facebook and Instagram

Meta could introduce a small fee to use the ad-supported versions of Facebook and Instagram, rendering them as completely paid products in the EU. By eliminating its free tier, Meta should theoretically sidestep the conditions proposed in the EDPB’s opinion, since the elimination of a free tier supported by personalized advertising renders the Pay or Okay restrictions irrelevant.

As frequent MDM Podcast guest Mikołaj Barczentewicz points out in this blog post, both Netflix and Disney+ target ads behaviorally in their paid, ad-supported tiers. Meta could point to these products as examples of this pricing model being invoked: all options are paid, but the cheapest option is subsidized by behaviorally-supported ads. Of course, the EDPB has given itself latitude with its definition of “large online platform” to only litigate specific instances of commercial strategy.

In the executive summary of its opinion, the EDPB notes:

In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee.

This appears, to my mind, to apply only when a service offers a paid tier that removes behavioral advertising, but not when all tiers are paid. Netflix’s ad-supported tier, which it introduced in November 2022, generates greater ARPU than its higher-priced Standard tier. If Facebook and Instagram become entirely paid products in the EU — transitioning the model from Pay or Okay to Pay, and Okay to Pay Less — Meta could justify the lower price of the ad-supported tier as being subsidized by advertising.

And while a large proportion of users would surely flee the service in the face of having to pay to access it, the economics might still work out given that 1) the ad-supported tier would allow for more lucrative behavioral advertising and 2) losing behavioral advertising altogether in the EU likely erodes a majority of Meta’s ads ARPU there, assuming that only 30% of its advertising revenue is brand-oriented (absent behavioral targeting, bids from direct response advertisers would plummet).

What won’t happen

I don’t believe that Meta will respond by exiting the EU market altogether — at least not in the near term. Per above: the EU is 10% of (what I understand to be) Facebook’s global advertising revenue, and GDPR fines aren’t as significant as those incurred under the DMA. The maximum fine under the GDPR is 4% of annual worldwide turnover, whereas the maximum fine under the DMA is 20% of annual worldwide turnover. While I do believe the EU regulatory regime’s intransigence will influence a scaled, US-domiciled tech company to exit the EU market in the medium term, my sense is that Meta won’t take that course of action in immediate response to this decision. I believe that Meta has more options for compliance at its disposal than to simply pack its bags and leave. But that also assumes a good faith approach to enforcement on the EDPB’s part.