Consent or pay

Last updated September 02, 2024

Consent-or-pay, also called pay-or-okay, is a compliance tactic used by certain companies, most notably Meta, to drive up the rates at which users consent to data processing under the European Union's General Data Protection Regulation (GDPR). It consists of presenting the user with a tracking consent notice, but only allowing a binary choice: either the user consents to the data processing, or they are required to pay to use the service, which is otherwise free to use if data processing is consented to. The tactic has been criticised by privacy advocates and non-governmental organisations such as NOYB and Wikimedia Europe, who claim that it is illegal under the GDPR. On 17 April 2024, the European Data Protection Board released a non-binding opinion stating that in most cases, consent-or-pay models do not constitute valid consent within the meaning of the GDPR.

Background

Under the GDPR, the processing of a natural person's personal data is only allowed under six lawful bases: consent, contractual necessity, legal obligation under EU or member state law, public interest, protection of vital interest of an individual, and the processor's legitimate interest.^[1]

When the GDPR first came into force in 2018, Meta justified its processing of personal data by claiming that its terms of use constitute a contract under which the user consented to the processing of personal data.^[2]^[3] However, this was challenged by Max Schrems, an Austrian privacy activist, who successfully argued that contractual necessity was not a valid basis of data processing when it comes to personalised advertising.^[4] In response to this ruling, Meta changed its lawful basis for personal data processing from contractual necessity to legitimate interest, which was also found not to be a valid basis.^[5]^[6] Meta then changed its lawful basis to consent, but chose to implement it in a way where users who consented to personalised advertising could use the service for free, while those who did not were required to pay a monthly subscription fee to continue using the service.^[6]

Critics of this consent model have called it "pay-or-okay", claiming that the monthly fee is disproportional and that users are not able to withdraw their consent to tracking as easily as it is given, which the GDPR requires to be the case. Massimiliano Gelmi, a data protection lawyer at NOYB, has stated that "The law is clear, withdrawing consent must be as easy as giving it in the first place. It is painfully obvious that paying €251,88 per year to withdraw consent is not as easy as clicking an 'Okay' button to accept the tracking."^[7]^[8]

On 17 April 2024, the European Data Protection Board released a non-binding opinion stating that in most cases, consent-or-pay models do not constitute valid consent within the meaning of the GDPR.^[9]

European Commission investigation

On 1 July 2024, the European Commission announced that it had opened an investigation against Meta under the provisions of the Digital Markets Act (DMA), with the preliminary findings claiming that Meta's approach was not in compliance with the DMA, an assertion that Meta has disputed.^[10]

Other users

Although Meta has faced most of the scrutiny and criticism regarding the use of consent-or-pay, other companies have also utilised the tactic. The Austrian Data Protection Authority (Datenschutzbehörde) has found that Der Standard , a German-language newspaper, has acted unlawfully by using consent-or-pay on its site, while others, including Der Spiegel , Die Zeit , Heise, the Frankfurter Allgemeine Zeitung , the Kronen Zeitung , and T-Online, have been accused of doing the same.^[11]

Related Research Articles

The Office of the Data Protection Commissioner (DPC), also known as Data Protection Commission, is the independent national authority responsible for upholding the EU fundamental right of individuals to data privacy through the enforcement and monitoring of compliance with data protection legislation in Ireland. It was established in 1989.

The Data Protection Act 1998 (DPA) was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Privacy law is a set of regulations that govern the collection, storage, and utilization of personal information from healthcare, governments, companies, public or private entities, or individuals.

Privacy and Electronic Communications Directive2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD), is an EU directive on data protection and privacy in the digital age. It presents a continuation of earlier efforts, most directly the Data Protection Directive. It deals with the regulation of a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies. This Directive has been amended by Directive 2009/136, which introduces several changes, especially in what concerns cookies, that are now subject to prior consent.

Privacy-enhancing technologies (PET) are technologies that embody fundamental data protection principles by minimizing personal data use, maximizing data security, and empowering individuals. PETs allow online users to protect the privacy of their personally identifiable information (PII), which is often provided to and handled by services or applications. PETs use techniques to minimize an information system's possession of personal data without losing functionality. Generally speaking, PETs can be categorized as either hard or soft privacy technologies.

The Interactive Advertising Bureau (IAB) is an American advertising business organization that develops industry standards, conducts research, and provides legal support for the online advertising industry. The organization represents many of the most prominent media outlets globally, but mostly in the United States, Canada and Europe.

The General Data Protection Regulation, abbreviated GDPR, or French RGPD is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

Maximilian Schrems is an Austrian activist, lawyer, and author who became known for campaigns against Facebook for its privacy violations, including violations of European privacy laws and the alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA's PRISM program. Schrems is the founder of NOYB – European Center for Digital Rights.

A dark pattern is "a user interface that has been carefully crafted to trick users into doing things, such as buying overpriced insurance with their purchase or signing up for recurring bills". User experience designer Harry Brignull coined the neologism on 28 July 2010 with the registration of darkpatterns.org, a "pattern library with the specific goal of naming and shaming deceptive user interfaces". In 2023 he released the book Deceptive Patterns.

The ePrivacy Regulation (ePR) is a proposal for the regulation of various privacy-related topics, mostly in relation to electronic communications within the European Union. Its full name is "Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC ." It would repeal the Privacy and Electronic Communications Directive 2002 and would be lex specialis to the General Data Protection Regulation. It would particularise and complement the latter in respect of privacy-related topics. Key fields of the proposed regulation are the confidentiality of communications, privacy controls through electronic consent and browsers, and cookies.

NOYB – European Center for Digital Rights is a non-profit organization based in Vienna, Austria established in 2017 with a pan-European focus. Co-founded by Austrian lawyer and privacy activist Max Schrems, NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general. The organisation was established after a funding period during which it has raised annual donations of €250,000 by supporting members. Currently, NOYB is financed by more than 4,400 supporting members.

The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK. It is a national law which complements the European Union's General Data Protection Regulation (GDPR) and replaces the Data Protection Act 1998.

The General Data Protection Regulation (GDPR) is a European Union regulation that specifies standards for data protection and electronic privacy in the European Economic Area, and the rights of European citizens to control the processing and distribution of personally-identifiable information.

Meta Platforms Inc., or Meta for short, has faced a number of privacy concerns. These stem partly from the company's revenue model that involves selling information collected about its users for many things including advertisement targeting. Meta Platforms Inc. has also been a part of many data breaches that have occurred within the company. These issues and others are further described including user data concerns, vulnerabilities in the company's platform, investigations by pressure groups and government agencies, and even issues with students. In addition, employers and other organizations/individuals have been known to use Meta Platforms Inc. for their own purposes. As a result, individuals’ identities and private information have sometimes been compromised without their permission. In response to these growing privacy concerns, some pressure groups and government agencies have increasingly asserted the users’ right to privacy and to be able to control their personal data.

Federated Learning of Cohorts (FLoC) is a type of web tracking. It groups people into "cohorts" based on their browsing history for the purpose of interest-based advertising. FLoC was being developed as a part of Google's Privacy Sandbox initiative, which includes several other advertising-related technologies with bird-themed names. Despite "federated learning" in the name, FLoC does not utilize any federated learning.

Michael Veale is a technology policy academic who focuses on information technology and the law. He is currently associate professor in the Faculty of Laws at University College London (UCL).

The Personal Information Protection Law of the People's Republic of China referred to as the Personal Information Protection Law or ("PIPL") protecting personal information rights and interests, standardize personal information handling activities, and promote the rational use of personal information. It also addresses the transfer of personal data outside of China.

The Age appropriate design code, also known as the Children's Code, is a British internet safety and privacy code of practice created by the Information Commissioner's Office (ICO). The draft Code was published in April 2019, as instructed by the Data Protection Act 2018 (DPA). The final regulations were published on 27 January 2020 and took effect 2 September 2020, with a one-year grace period before the beginning of enforcement. The Children's Code is written to be consistent with GDPR and the DPA, meaning that compliance with the Code is enforceable under the latter.

References

↑ "Process personal data lawfully | European Data Protection Board". www.edpb.europa.eu. Retrieved 23 May 2024.
↑ Schechner, Sam. "Meta's Targeted Ad Model Faces Restrictions in Europe". WSJ. Archived from the original on 20 October 2023. Retrieved 23 May 2024.
↑ Lomas, Natasha (4 January 2023). "Meta's New Year kicks off with $410M+ in fresh EU privacy fines". TechCrunch. Retrieved 23 May 2024.
↑ Horwitz, Sam Schechner and Jeff. "Meta to Let Users Opt Out of Some Targeted Ads, but Only in Europe". WSJ. Archived from the original on 31 March 2023. Retrieved 23 May 2024.
↑ Lomas, Natasha (30 March 2023). "Meta tries to keep denying EU users a free choice over tracking -- but change is coming". TechCrunch. Retrieved 23 May 2024.
1 2 Lomas, Natasha (30 October 2023). "Meta to offer ad-free subscription in Europe in bid to keep tracking other users". TechCrunch. Retrieved 23 May 2024.
↑ Lomas, Natasha (16 February 2024). "European digital rights groups say the future of online privacy is on a knife edge". TechCrunch. Retrieved 23 May 2024.
↑ Lomas, Natasha (11 January 2024). "Meta faces another EU privacy challenge over 'pay for privacy' consent choice". TechCrunch. Retrieved 23 May 2024.
↑ Meyer, David. "'Meta is out of options': EU privacy regulators reject fee for avoiding tracking". Fortune. Archived from the original on 17 April 2024. Retrieved 23 May 2024.
↑ Dmitracova, Olesya (1 July 2024). "Meta accused of breaking European law with its 'pay or consent' model | CNN Business". CNN. Retrieved 11 July 2024.
↑ Clasen, Alina. "Austria challenges EU newspapers' pay-or-cookie walls". Euractiv. Euractiv. Retrieved 23 May 2024.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[edpb-consent-bases-1] "Process personal data lawfully | European Data Protection Board". www.edpb.europa.eu. Retrieved 23 May 2024.

[wsj-ad-model-restrictions-2] Schechner, Sam. "Meta's Targeted Ad Model Faces Restrictions in Europe". WSJ. Archived from the original on 20 October 2023. Retrieved 23 May 2024.

[tc-meta-privacy-fine-3] Lomas, Natasha (4 January 2023). "Meta's New Year kicks off with $410M+ in fresh EU privacy fines". TechCrunch. Retrieved 23 May 2024.

[wsj-meta-opt-out-4] Horwitz, Sam Schechner and Jeff. "Meta to Let Users Opt Out of Some Targeted Ads, but Only in Europe". WSJ. Archived from the original on 31 March 2023. Retrieved 23 May 2024.

[tc-meta-free-choice-5] Lomas, Natasha (30 March 2023). "Meta tries to keep denying EU users a free choice over tracking -- but change is coming". TechCrunch. Retrieved 23 May 2024.

[tc-meta-ad-free-6] 1 2 Lomas, Natasha (30 October 2023). "Meta to offer ad-free subscription in Europe in bid to keep tracking other users". TechCrunch. Retrieved 23 May 2024.

[tc-no-consent-pay-7] Lomas, Natasha (16 February 2024). "European digital rights groups say the future of online privacy is on a knife edge". TechCrunch. Retrieved 23 May 2024.

[tc-privacy-challenge-8] Lomas, Natasha (11 January 2024). "Meta faces another EU privacy challenge over 'pay for privacy' consent choice". TechCrunch. Retrieved 23 May 2024.

[fortune-meta-out-of-options-9] Meyer, David. "'Meta is out of options': EU privacy regulators reject fee for avoiding tracking". Fortune. Archived from the original on 17 April 2024. Retrieved 23 May 2024.

[10] Dmitracova, Olesya (1 July 2024). "Meta accused of breaking European law with its 'pay or consent' model | CNN Business". CNN. Retrieved 11 July 2024.

[euractiv-pay-or-cookie-wall-11] Clasen, Alina. "Austria challenges EU newspapers' pay-or-cookie walls". Euractiv. Euractiv. Retrieved 23 May 2024.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

v t e Privacy
Principles	Right of access to personal data Expectation of privacy Right to privacy Right to be forgotten Post-mortem privacy
Privacy laws	Australia Brazil Canada China Denmark England European Union Germany Ghana New Zealand Russia Singapore Sri Lanka Switzerland United Kingdom United States California, amended in 2020
Data protection authorities	Australia Denmark European Union France Germany India Indonesia Ireland Isle of Man Netherlands Norway Philippines Poland South Korea Spain Sweden Switzerland Thailand Turkey United Kingdom
Areas	Consumer Digital Education Medical Workplace
Information privacy	Law Financial Internet Facebook Google Twitter Email Personal data Personal identifier Social networking services Privacy-enhancing technologies Privacy engineering Privacy-invasive software Privacy policy Privacy software Secret ballot Virtual assistant privacy
Advocacy organizations	American Civil Liberties Union Center for Democracy and Technology Computer Professionals for Social Responsibility Data Privacy Lab Electronic Frontier Foundation Electronic Privacy Information Center European Digital Rights Future of Privacy Forum Global Network Initiative International Association of Privacy Professionals NOYB Privacy International
See also	Anonymity Cellphone surveillance Data security Eavesdropping Global surveillance Identity theft Mass surveillance Panopticon PRISM Search warrant Wiretapping Human rights Personality rights
Category