13 Nov 2024
5 minutes read

Consent or else you'll pay!

Behavioural advertising continues to be an area of scrutiny by data protection authorities in the EU and UK, particularly in relation to the legal basis that controllers rely upon in order to conduct the processing. Unsurprisingly, Meta continues to be the focus of that scrutiny.

An update on the facts

In my previous article, I summarised the binding decision made by the European Data Protection Board (EDPB) on Meta to prevent it relying on either ‘necessary for performance of a contract’ or ‘legitimate interests’ as valid legal bases to process personal data under Article 6 GDPR, see Prohibited: Meta's unlawful behavioural advertising practices - Mills & Reeve (mills-reeve.com).

Left with little choice, Meta has since moved onto relying on the legal basis of consent but has done so through a practice of ‘consent or pay’. This was introduced by Meta in November 2023 to users of Facebook and Instagram in the EU whereby users could pay for an ad-free version of the social medias. The free versions do not provide the users with an option to decide whether they want their personal data to be used for behavioural advertising. The options are:

  •   pay; or
  • you are only granted access if you consent to personal data being used for behavioural advertising

It’s questionable whether these limited options are a valid way to gain consent under Article 6(1) GDPR. 

The EDPB’s view 

The EDPB adopted an opinion on this issue in April 2024. In its view, a consent or pay model does not generally meet the requirements of valid consent under GDPR. The EDPB considered that offering only a paid alternative to services which involve the processing of personal data for behavioural advertising purposes should not be the default way forward for controllers and that there should be an equivalent alternative that does not entail the payment of a fee.
The EDPB went on to say that as regards the need for consent to be freely given, the following criteria should be taken into account: 

  • conditionality 
  • detriment 
  • imbalance of power 
  • granularity

These should all be assessed on a case by case basis to determine:

a)    whether a fee is appropriate at all; and 
b)    if so, what amount is appropriate given the circumstances

Large online platforms should also consider whether the decision not to consent may lead the individual to suffer negative consequences such as exclusion from a prominent service. 
The EDPB is developing guidelines on consent or pay models and is hosting an event towards the end of November 2024 to collect stakeholder views to help shape its guidelines. 

The ICO’s view

The consent or pay model by Meta has only been introduced in the EU, not the UK. The ICO has not banned Meta from relying on performance of a contract, or legitimate interests for its behavioural advertising activities. So Meta is still able to rely on these bases in the UK as lawful grounds for behavioural advertising, therefore not needing to rely on consent.

The ICO’s view on consent or pay models is that organisations considering such models must be careful to ensure that consent to processing of personal information for personalised advertising has been:

  •  freely given;
  •  is fully informed; and
  •  is capable of being withdrawn without detriment 

The ICO has stated that, as a starting point, organisations should be considering:

  •  Power balance – is there an imbalance of power between the service provider and its users?
  •  Equivalence- are the ad-funded service and the paid-for service basically the same?
  • Appropriate fee – is the fee appropriate? Fees should be set so they give people a realistic choice
  • Privacy by design – are people given clear, understandable information about what the options mean for them and what each one involves?

The ICO called for views from the market on consent or pay models and, in a statement on 15 August, confirmed it is considering these models and will set out its position later in 2024.

Key takeaways

  • For businesses that have operations in the EU, caution should be taken to using consent or pay models in relation to personalised/behavioural advertising. Whilst the EPBD has not prohibited their use, its statement provides little reassurance that such models will satisfy the test for valid consent under GDPR.  
  • For businesses in the UK, they can continue to rely on performance of a contract or legitimate interests as lawful bases for carrying out processing of people’s data for personalised/behavioural advertising. If businesses want to introduce the consent or pay model as a stream of revenue, they should do so with caution and consider the factors listed above when taking such a decision.
  • For now, all businesses that rely on consent need to be able to demonstrate it is valid, meaning people were properly informed about what will happen with their personal information. Businesses therefore need to be clear about how they will use personal data as payment for the service the person receives. If people do consent, businesses also need to ensure people are aware they can withdraw the consent at any time and offer easy ways to do that without the person suffering a detriment. 
    If you have any concerns over legal compliance of your behavioural advertising practices, our IT and data protection team here at Mills & Reeve can assist you – please do get in touch!

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Contact

Megan Whitaker

+441603693486

How we can help you

Contact us