Bytesize Legal Updates | Fieldfisher
Fieldfisher are experts in European digital regulation and guide businesses through the complexities of the EU’s rapidly evolving regulatory environment. Europe is one of the world’s largest internal markets - with our focus on digital regulation for online platforms, social media and emerging technologies (AI, automation, AR/VR etc.) we keep you up-to-date with the EU’s digital agenda, and latest impacting European legislation for the industry.
Bytesize Legal Updates | Fieldfisher
Bytesize Legal Update: Pay or OK Models for Behavioural Advertising
On April 17, 2024, the European Data Protection Board (EDPB) published its guidance on "consent or pay" models implemented by large online platforms for behavioral advertising. The headline is that, in the EDPB's opinion, in most cases it will not be possible for large online platforms using "consent or pay" models to demonstrate that they have obtained valid consent under European data protection law to process an end user's data for the platform's behavioural advertising purposes.
In this episode, Fieldfisher's Felicity Fisher and Megan Ward unpick the EDPB's guidance and discuss what it means for online platforms using "pay or OK" models for targeted advertising.
Bytesize Legal Update - Pay or OK
[00:00:01] Megan: Hello, I'm Megan Ward, and I'm joined by Flick Fisher. In today's Bitesize Legal Update, we're going to discuss the European Data Protection Board's guidance on the validity of a data subject's consent, given in the context of a consent or pay model implemented by large online platforms.
[00:00:24] Megan: The headline is the EDPB said that in most cases it will not be possible for large online platforms to demonstrate that they have obtained valid consent under the GDPR to process an end user's data for behavioral advertising. The EDPB emphasized that consent or pay models should offer users real choice and not just a binary option between consenting to data processing for behavioral advertising or paying a fee for the service.
[00:00:50] Megan: So we'll start off with consent. What is a consent or pay model? A consent or pay model in the behavioral advertising context is where a platform or service offers users a choice between free access to the platform or service if they consent to the use of their data for behavioral advertising purposes and paying a fee for a version of the service without behavioral advertising.
[00:01:11] Megan: The EDPB focuses on the models in which the option relates to the processing of personal data for behavioural advertising purposes. So, "targeted ads". And where the relevant controller is a large online platform. So, Flick, can you give us some background to this guidance?
[00:01:24] Flick: Yeah, sure. So the debate really stems from Meta's move to charge for ad free Facebook and Instagram services in the EU, following a ban that was imposed on them last year on Meta's targeted advertising practices in Europe. Meta had basically been taken through the courts, and last year we had a CJEU decision which basically confirmed that Meta couldn't rely on performance of a contract, which is something it had been trying to rely on for its targeted advertising practices.
[00:01:54] Flick: And off the back of it, it therefore had to pivot and come up with a new business model to kind of justify or attempt to justify and allow its targeted advertising practices in Europe, hence why we got the consent or pay model that they proposed. And off the back of that, in January last year, the European Data Protection Board received a request from the Dutch, Norwegian and German data protection authorities, really seeking to provide clarity on the legality of the consent or pay model.
[00:02:23] Flick: And in particular, the referring regulators questioned whether such models could satisfy the requirements for valid, freely given consent and whether such data subjects are able to exercise real choice. So this guidance is really considering the legality of consent or pay models more broadly, but focuses, as Megan has mentioned, on their implementation by large online platforms.
[00:02:49] Flick: Hint, hint, we mean the social media platforms, including Facebook. What is the EDPB's authority to do this? Well, the EDPB (the European Data Protection Board)'s main role is to ensure that there's a consistent application of the GDPR throughout the European Economic Area. So the GDPR provides a mechanism whereby any supervisory authority can request that a matter which has general application or would produce effects in more than one member state can be examined by the European Data Protection Board and
[00:03:20] Flick: an opinion can be provided. Um, it's important to know that this opinion is not binding, but it's definitely going to be taken into account by the regulators that referred the matter. And also, the Irish DPC, which is the Irish regulator and their continued investigations of large online platforms that use personal data for behavioural advertising.
[00:03:39] Megan: So, what did the EDPB say on, whether the consent would be valid in these circumstances?
[00:03:45] Flick: Well, the opinion, which by the way, I think is 44 pages, uh, so it's a long opinion and it's fair to say that the lawyers who have been reading it and other industry professionals have been quite, uh, confused by some aspects of it, but essentially through an examination of various requirements of the GDPR , and in particular the consent requirements, they have concluded that consent collected by large Online platforms in the context of the pay or okay consent model like that being used by Facebook
[00:04:16] Flick: and, in the context of behavioral advertising, is only going to be valid to the extent that those platforms can demonstrate that all the requirements for valid consent are met. The headline is that they don't really believe that those conditions can be met by large online platforms if they only offer a binary choice of the kind that Meta have been offering.
[00:04:38] Flick: And the opinion refers to another CJEU judgment in, and I'm going to completely butcher the name of this, but it's a German case from July 2023, uh, the Bundeskartellamt. I probably said that wrong (apologies to any German listeners). But one of the dimensions of that case was the issue of whether a dominant position from a competition law perspective affects the freely given nature of consent.
[00:05:02] Flick: And that really played into quite a bit of this opinion, because the European Data Protection Board concludes that because large online platforms are potentially dealing with an imbalance of power issue when collecting consent, in most cases, those platforms will not be able to comply with the requirements of valid consent under the GDPR, again, if they're only providing users with a choice between consenting to the processing of their personal data for behavioural advertising or paying a fee.
[00:05:31] Flick: And they consider various other aspects of the consent requirements, which we're going to dig into in a second. Um, but their opinion really is that personal data shouldn't or shouldn't be considered a tradable commodity and that large online platforms should bear in mind the need to protect the fundamental right to data protection from being turned into a feature that individuals need to pay to enjoy.
[00:05:55] Flick: Kind of woven into their guidance is also reference to the core GDPR principles of data minimization and fairness. Um, and you know, they include some pretty negative summaries of how behavioral advertising works, really kind of reflecting what probably we can, agree is a clearer aversion to profile based advertising.
[00:06:16] Flick: But they talk about the magnitude and intrusiveness of the processing that takes place in connection with behavior advertising. They talk about the excessive tracking and monitoring of a user's entire life online and offline and query whether or not they have, uh, slightly, uh, misrepresented the way that some of that data is being processed
[00:06:35] Flick: is being collected and used by Meta and other social media platforms for behavioural advertising. But essentially their view there is that because of that, you know, intrusive profiling that's taking place, it's really hard to reconcile that processing with the principle of data minimization and that really has gone into impacting the overall fairness of that binary choice being offered.
[00:06:58] Flick: Again, really reflecting their clear aversion to profile based advertising. So we've got quite a loaded opinion here. They do attempt to outline certain alternatives, um, we're going to talk a little bit more about that in a second, but essentially suggesting that large online platforms should consider providing individuals with a free equivalent to their service, that does not include behavioral advertising
[00:07:21] Flick: i. e. a third option, so if you're going to require a paid subscription, there should be the option to have a free account, with ads that are not targeted, as well as the option then to have a free account with targeted ads. So that third option being, it's free, there aren't personalized targeted ads, potentially only just contextual advertising. We'll talk a bit more about that alternative approach that they've considered in a second, but really, critically sort of undermining, the potential for these social media platforms to monetize their platforms, in the way that they have tried to do.
[00:08:01] Flick: So, Megan, why has the European Data Protection Board concluded that in most cases consent will not be valid in the consent or pay model? What was some of the deeper dive on the rationale for that?
[00:08:12] Megan: So they really talked about how the requirements for valid consent are challenged by the consent or pay model in the context of behavioural advertising. And the main criteria they took into account were detriment, imbalance of power, conditionality and granularity, which echoed the EDPB's 2020 guidance on consent and the CJEU's commentary in its judgment, which Flick mentioned, against Meta.
[00:08:35] Megan: Firstly, as we know, consent must be freely given, and large online platforms using pay or consent models should ensure that any fee is not such as to effectively inhibit data subjects from making a free choice. And the EDPB said that detriment may arise where data subjects
[00:08:48] Megan: do not pay a fee to withhold consent and consequently face exclusion from the service if they don't consent, particularly where that service plays a prominent role in the user's social life or access to professional networks. And the guidance indicates that detrimental consequences can be even more important for the users of online platforms, which introduce a consent or pay model when they hadn't previously done so.
[00:09:09] Megan: And one of the examples that it gives is where there is this "lock in effect", which needs to be considered. So that's where the user has established their presence on a platform such that if they decide not to consent to advertising or pay to receive the service, they would lose access to the service and risk not being able to transfer their interactions or their content or their followers to a new platform, which may result in, financial loss or loss of their portfolio that they've built up.
[00:09:34] Megan: The guidance also talks about the need to consider whether there is an imbalance of power, which would depend on the platform's position in the market, the extent the data subject relies on the platform, and the main audience of, the service offered. And where there is an imbalance of power, the guidance says that consent can only be used in exceptional circumstances.
[00:09:52] Megan: So, for a large online platform, particularly social media networks, it's conceivable that there will be some sort of imbalance of power because of the huge role that they play in people's social lives. The guidance also talks about the fact that there must be no conditionality, so large online platforms should consider this equivalent alternative, which Flick mentioned.
[00:10:12] Megan: And this, the EDPB notes, would enhance users' freedom of choice and be a particularly important factor to consider when assessing whether data subjects can in fact exercise a real choice. Consent must be specific and granular; the complexity of processing for behavioral advertising makes this challenging and it may mean separate consents in some cases.
[00:10:32] Megan: The data subject should be free to choose which purposes of processing they accept rather than being confronted with one consent request which bundles together several purposes.
[00:10:42] Megan: The guidance also talks about informed consent and, in order for consent to be valid under the GDPR, as we know, it must be informed. And so, in the context of consent or pay models, the EDPB opinion provides that large online platforms should provide information that is sufficiently granular so that data subjects can understand the service they're consenting to
[00:10:59] Megan: whilst retaining the possibility, not to consent to others. Similarly, the choices presented to data subjects need to align with the information they're provided with. And finally, they also commented on ambiguity. So consent must be an unambiguous indication of wishes and the EDPB notes that in the context of consent or pay models, controllers should ensure that users are not exposed to deceptive design patterns when consenting to the processing of their data.
[00:11:26] Megan: And it gives some examples where consent is collected by wording such as "simply continue" or "continue without payment", where non-payment is sort of emphasized in such a way that it's unclear whether choosing the free option implies consent.
[00:11:39] Megan: It also demonstrates the importance of informed consent, as we've just mentioned. So, the key takeaway here I think is, unsurprisingly, that controllers really need to carefully design, those consent mechanisms.
[00:11:49] Flick: Yeah, and we talked a little bit about what's their vision for an equivalent alternative, Megan. Um, I outlined some of the options, but maybe you could provide us with a bit more insight into what the opinion said about that.
[00:12:00] Megan: Yeah, so the EDPB said that large online platforms should provide individuals with this "equivalent alternative", ideally free of charge. And the opinion provides elements that can help ensure this alternative is genuinely equivalent. So it talks about the fact that the equivalent alternative must be offered by the same controller.
[00:12:18] Megan: It's not enough to say that the user can go elsewhere to access a similar service. It must be functionally equivalent but doesn't need to be identical to the paid for service. The free alternative needs to be without behavioral advertising, which includes the initial tracking, of users for such purposes, but it doesn't need to be free from advertising entirely.
[00:12:37] Megan: One of the things the EDPB suggests is that the form of advertising could involve the processing of less or no personal data, be general, or contextual advertising or involve advertising in which the users actively and consciously determine, their own preferences.
[00:12:51] Flick: So just to summarize there, we're talking about paid subscription, free account with targeted ads, and then free account with only non targeted, so where the advertising is being done without data processing for profiling individuals.
[00:13:08] Megan: Yeah, so a fair few options on the table.
[00:13:10] Flick: Yeah. The other thing I think that's worth reflecting on is this whole opinion is focused on large online platforms. And what do we mean by a large online platform? Well, the opinion borrows from the gatekeeper and VLOP terminology of the DMA (the Digital Markets Act) and the DSA (the Digital Services Act), respectively. But rather confusingly, it sort of leans on that terminology, but then the opinion also defines the concept in quite broad terms, referring to the fact that large online platforms are platforms that attract a large amount of data subjects.
[00:13:46] Flick: It's pretty broad. So really kind of potentially blurring the lines between the application of the recent EU digital regulations and the GDPR. And I think while the opinion has ostensibly been aimed at the large social media platforms, the vague nature of this new concept that they've introduced probably raises more questions than answers.
[00:14:08] Flick: So as I say, there was a reference to the DSAs online platform definition, but the term platform is not used in the GDPR itself. So, we'll have to wait to see whether regulators seek to apply this opinion only in relation to DSA type platforms, or also to other types of platforms, so just large national publishers more generally, given that sort of broad scope of the definition.
[00:14:32] Megan: And what does this mean then for smaller platforms, if anything?
[00:14:36] Flick: We don't think there's any impact for now. The EDPB has said that it would issue further guidance later this year on the pay or consent models used by smaller platforms. So I guess we're in a bit of a wait and see. They're clearly targeting this opinion at Meta and other equivalent social media platforms
[00:14:54] Flick: with the caveat that there is some confusion there introduced by the definition of large online platforms. But I think for smaller platforms, this opinion is really not targeted at them. Although, you know, it explores core principles of the GDPR. There are some lessons there around transparency and how to kind of obtain valid consent that will be meaningful for all platforms who are, you know, trying to conduct behavioural advertising using a consent based model.
[00:15:23] Megan: We mentioned earlier about how it might be difficult for businesses to think about how they monetize their services based on this opinion.
[00:15:31] Megan: But how challenging do we think it would be for online platforms to comply?
[00:15:35] Flick: I think it sets a very high threshold for the adoption of a consent or pay model. I think it's important to say that the EDPB isn't saying that you absolutely can't use a pay or consent model. Again, this is where the opinion is frustratingly vague because it sort of uses language like should consider an equivalent alternative without saying must.
[00:15:56] Flick: So they're really asking for a case by case assessment of the particular scenario. But all very heavily leaning on, it's likely to come to the conclusion that if you're a large online platform, you're not going to be able to implement that binary consent or pay model. But it definitely stops short of saying that consent or pay models are incompatible
[00:16:16] Flick: with the GDPR i.e., completely banned. So yeah, it's introduced some ambiguity there, but I think we're in a world where, it's going to be very difficult if you are a Meta of this world to implement that type of model.
[00:16:32] Megan: So things to think about, but, still some uncertainty.
[00:16:35] Flick: Yep. Thank you EDPB for a long, repetitive and, sometimes confusing, opinion.
[00:16:44] Megan: Okay, thanks for tuning in and we'll catch you next time on our next Bytesize Legal Update.