Consent or pay

Last updated

Consent or pay or Pay or okay is a compliance tactic used by certain companies, most notably Meta, to drive up the rates at which users consent to data processing under the European Union's General Data Protection Regulation (GDPR). It consists of presenting the user with the tracking consent notice, but only allowing a binary choice; either the user consents to the data processing or they are required to pay to use the service, which is otherwise free to use if data processing is consented to. The tactic has been criticised by privacy advocates and non-governmental organisations such as NOYB and Wikimedia Europe, who claim that it is illegal under GDPR. On 17 April 2024, European Data Protection Board released a non-binding opinion stating that in most cases, Consent or pay models do not constitute a valid consent within the meaning of GDPR.

Contents

Background

Under the GDPR, the processing of a natural person's personal data is only allowed under six lawful bases: consent, contractual necessity, legal obligation under EU or member state law, public interest, protection of vital interest of an individual, and the processor's legitimate interest. [1]

When the GDPR first came into force in 2018, Meta justified its processing of personal data by claiming that its terms of use constitute a contract under which the user consented to the processing of personal data. [2] [3] However, this was challenged by an Austrian privacy activist Max Schrems who successfully argued that contractual necessity was not a valid basis of data processing when it comes to personalised advertising. [4] In response to this ruling, Meta changed its lawful basis for personal data processing from contractual necessity to legitimate interest, which was also in turn found not to be a valid basis when it comes to the processing of personal data for targeted advertising. [5] [6] Meta then changed its lawful basis to consent, but chose to implement the consent in a way where the users who consent to personalised advertising may use the service for free, but the users who do not are required to pay a monthly subscription to continue using the service. [6]

The critics of this consent model have named it 'Pay or okay', claiming that the monthly fee is disproportional and that the users are not able to withdraw their consent to tracking as easily as it is given, which the GDPR requires to be the case. Massimiliano Gelmi, a data protection lawyer at NOYB, has stated that: "The law is clear, withdrawing consent must be as easy as giving it in the first place. It is painfully obvious that paying €251,88 per year to withdraw consent is not as easy as clicking an 'Okay' button to accept the tracking." [7] [8]

On 17 April 2024, the European Data Protection Board released a non-binding opinion stating that in most cases, Consent or pay models do not constitute a valid consent within the meaning of GDPR. [9]

Other users

Although Meta has faced most of the scrutiny and criticism regarding the use of 'Pay or okay', other companies have also been utilising the tactic. The Austrian Data Protection Authority has found that derStandard.at, a German-language newspaper, has acted unlawfully by using 'Pay or okay' while other sites were also accused of doing the same, including spiegel.de, zeit.de, heise.de, faz.net, krone.at, and t-online.de. [10]

Related Research Articles

The Office of the Data Protection Commissioner (DPC), also known as Data Protection Commission, is the independent national authority responsible for upholding the EU fundamental right of individuals to data privacy through the enforcement and monitoring of compliance with data protection legislation in Ireland. It was established in 1989.

<span class="mw-page-title-main">Data Protection Act 1998</span> United Kingdom legislation

The Data Protection Act 1998 (DPA) was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Privacy law is a set of regulations that govern the collection, storage, and utilization of personal information from healthcare, governments, companies, public or private entities, or individuals.

Pseudonymization is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. A single pseudonym for each replaced field or collection of replaced fields makes the data record less identifiable while remaining suitable for data analysis and data processing.

ePrivacy Directive

Privacy and Electronic Communications Directive2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD), is an EU directive on data protection and privacy in the digital age. It presents a continuation of earlier efforts, most directly the Data Protection Directive. It deals with the regulation of a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies. This Directive has been amended by Directive 2009/136, which introduces several changes, especially in what concerns cookies, that are now subject to prior consent.

The Interactive Advertising Bureau (IAB) is an American advertising business organization that develops industry standards, conducts research, and provides legal support for the online advertising industry. The organization represents many of the most prominent media outlets globally, but mostly in the United States, Canada and Europe.

<span class="mw-page-title-main">General Data Protection Regulation</span> EU regulation on the processing of personal data

The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

<span class="mw-page-title-main">Max Schrems</span> Austrian author and privacy activist

Maximilian Schrems is an Austrian activist, lawyer, and author who became known for campaigns against Facebook for its privacy violations, including violations of European privacy laws and the alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA's PRISM program. Schrems is the founder of NOYB – European Center for Digital Rights.

A dark pattern is "a user interface that has been carefully crafted to trick users into doing things, such as buying overpriced insurance with their purchase or signing up for recurring bills". User experience designer Harry Brignull coined the neologism on 28 July 2010 with the registration of darkpatterns.org, a "pattern library with the specific goal of naming and shaming deceptive user interfaces". In 2023 he released the book Deceptive Patterns.

The ePrivacy Regulation (ePR) is a proposal for the regulation of various privacy-related topics, mostly in relation to electronic communications within the European Union. Its full name is "Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC ." It would repeal the Privacy and Electronic Communications Directive 2002 and would be lex specialis to the General Data Protection Regulation. It would particularise and complement the latter in respect of privacy-related topics. Key fields of the proposed regulation are the confidentiality of communications, privacy controls through electronic consent and browsers, and cookies.

<span class="mw-page-title-main">NOYB</span> European data protection advocacy group

NOYB – European Center for Digital Rights is a non-profit organization based in Vienna, Austria established in 2017 with a pan-European focus. Co-founded by Austrian lawyer and privacy activist Max Schrems, NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general. The organisation was established after a funding period during which it has raised annual donations of €250,000 by supporting members. Currently, NOYB is financed by more than 4,400 supporting members.

The gathering of personally identifiable information (PII) is the practice of collecting public and private personal data that can be used to identify an individual for both legal and illegal applications. PII owners often view PII gathering as a threat and violation of their privacy. Meanwhile, entities such as information technology companies, governments, and organizations use PII for data analysis of consumer shopping behaviors, political preference, and personal interests.

The General Data Protection Regulation (GDPR) is a European Union regulation that specifies standards for data protection and electronic privacy in the European Economic Area, and the rights of European citizens to control the processing and distribution of personally-identifiable information.

Meta Platforms Inc., or Meta for short, has faced a number of privacy concerns. These stem partly from the company's revenue model that involves selling information collected about its users for many things including advertisement targeting. Meta Platforms Inc. has also been a part of many data breaches that have occurred within the company. These issues and others are further described including user data concerns, vulnerabilities in the company's platform, investigations by pressure groups and government agencies, and even issues with students. In addition, employers and other organizations/individuals have been known to use Meta Platforms Inc. for their own purposes. As a result, individuals’ identities and private information have sometimes been compromised without their permission. In response to these growing privacy concerns, some pressure groups and government agencies have increasingly asserted the users’ right to privacy and to be able to control their personal data.

Federated Learning of Cohorts (FLoC) is a type of web tracking. It groups people into "cohorts" based on their browsing history for the purpose of interest-based advertising. FLoC was being developed as a part of Google's Privacy Sandbox initiative, which includes several other advertising-related technologies with bird-themed names. Despite "federated learning" in the name, FLoC does not utilize any federated learning.

Michael Veale is a technology policy academic who focuses on information technology and the law. He is currently associate professor in the Faculty of Laws at University College London (UCL).

<span class="mw-page-title-main">Personal Information Protection Law of the People's Republic of China</span> Chinese personal information rights law

The Personal Information Protection Law of the People's Republic of China referred to as the Personal Information Protection Law or ("PIPL") protecting personal information rights and interests, standardize personal information handling activities, and promote the rational use of personal information. It also addresses the transfer of personal data outside of China.

The Age appropriate design code, also known as the Children's Code, is a British internet safety and privacy code of practice created by the Information Commissioner's Office (ICO). The draft Code was published in April 2019, as instructed by the Data Protection Act 2018 (DPA). The final regulations were published on 27 January 2020 and took effect 2 September 2020, with a one-year grace period before the beginning of enforcement. The Children's Code is written to be consistent with GDPR and the DPA, meaning that compliance with the Code is enforceable under the latter.

References

  1. Schechner, Sam. "Meta's Targeted Ad Model Faces Restrictions in Europe". WSJ. Archived from the original on 20 October 2023. Retrieved 23 May 2024.
  2. Lomas, Natasha (4 January 2023). "Meta's New Year kicks off with $410M+ in fresh EU privacy fines". TechCrunch. Retrieved 23 May 2024.
  3. Horwitz, Sam Schechner and Jeff. "Meta to Let Users Opt Out of Some Targeted Ads, but Only in Europe". WSJ. Archived from the original on 31 March 2023. Retrieved 23 May 2024.
  4. Lomas, Natasha (30 March 2023). "Meta tries to keep denying EU users a free choice over tracking -- but change is coming". TechCrunch. Retrieved 23 May 2024.
  5. 1 2 Lomas, Natasha (30 October 2023). "Meta to offer ad-free subscription in Europe in bid to keep tracking other users". TechCrunch. Retrieved 23 May 2024.
  6. Lomas, Natasha (11 January 2024). "Meta faces another EU privacy challenge over 'pay for privacy' consent choice". TechCrunch. Retrieved 23 May 2024.
  7. Meyer, David. "'Meta is out of options': EU privacy regulators reject fee for avoiding tracking". Fortune. Archived from the original on 17 April 2024. Retrieved 23 May 2024.