As the UK gathers information about consent or pay schemes, the EC is weighing up using new powers to look at Meta’s paid ad-free subscription for EU users
The ICO considers whether paid privacy models represent free consent
On 6 March 2024, the UK’s Information Commissioner’s Office (ICO) launched a call for views on its regulatory approach to so-called “consent or pay” business models for online platforms. Generally, consent or pay or “pay for privacy” schemes allow consumers to access services for free on the condition that their data may be used for personalised or behavioural advertising. If the consumer refuses to consent to the use of their data, they are then required to pay for access to the service. The ICO’s primary concern with such models is the extent to which consumers are able to freely give and withdraw their consent. Under the UK GDPR, platforms are already prohibited from using “cookie walls”, which deny users access to a service if the user refuses to consent to personalised advertising.
Platforms should consider their market power when setting data practices
When evaluating the extent to which consent can be freely given by consumers faced with pay for privacy schemes, the ICO has identified four factors for consideration:
Power imbalance: The degree to which users are required to access the service, such as in the case of public services or platforms with significant market power;
Equivalence: The extent to which the paid service and the service with personalised ads are otherwise the same;
Appropriate fee: The calculation of a reasonable charge for the paid service which the consumer can realistically pay and the provider can justify; and
Privacy by design: The fair and equal presentation of the options to consumers that provides a full understanding of how their personal data is used.
The ICO also notes that existing users of a service should be given special consideration if a platform is considering implementing a pay or consent model since they are likely to rely on the service in their daily lives.
EC inserts itself into Meta’s pay for privacy policy
The issue of pay for privacy schemes has also risen to prominence in the EU in recent months, specifically after Meta announced the launch of a paid ad-free subscription for Facebook and Instagram in October 2023. Following a ban on the use of two different legal justifications for its personal data use under the GDPR, Meta introduced its pay or consent model as its proposal to continue its personalised advertising practices in the EU through a consent justification. The Irish Data Protection Commission, which enforces the GDPR for firms based in Ireland such as Meta, has been evaluating the pay for privacy scheme but has not yet made a public update on its progress. Meanwhile, on 1 March 2024, the EC issued a request for information to Meta regarding its consent or pay model using its powers under the Digital Services Act (DSA). While the request broadly references Meta’s “advertising practices, recommender systems and risk assessments”, the EC’s jurisdiction under the DSA is more closely limited to Meta’s transparency in these operations of its platforms. Following a series of additional consumer complaints in the EU, which have ratcheted up the pressure surrounding Meta’s scheme, the EC’s scrutiny could represent a second chance at regulatory action should the Irish regulator clear the model under the GDPR. The EC would be required to launch a full investigation of Meta under the DSA before proceeding with any enforcement action, however.
