Meta’s inevitable detour with EU privacy: “Pay or Okay”

The New York Times reported last Friday that Meta is considering introducing ad-free, subscription-monetized versions of its Facebook and Instagram apps in the European Union. From the piece:

Those who pay for Facebook and Instagram subscriptions would not see ads in the apps, said the people, who spoke on the condition of anonymity because the plans are confidential. That may help Meta fend off privacy concerns and other scrutiny from E.U. regulators by giving users an alternative to the company’s ad-based services, which rely on analyzing people’s data, the people said.

The reporting is light on details. It’s unclear if Meta would force users to either consent to personalized advertising in the ad-supported variants of its apps or subscribe to the ad-free variants of its apps. This concept is known in privacy advocacy circles as “Pay or Okay”: the idea is that a product operator forces the choice of either paying for access (via a subscription or otherwise) or consenting to having their data processed for some purpose (by clicking “okay” on a consent prompt).

Last month, in The EU’s Post-Advertising Internet, I chronicled Meta’s journey through various EU-level data privacy decisions this year. This chronology of back-and-forth actions by various EU privacy regulators and reactions from Meta has guided the company’s use of legal, GDPR-provided bases for data processing from contractual necessity to legitimate interest to, now, consent.

In that piece, I also outlined the seemingly likeliest path forward for Meta in the EU as I saw it at the time: relying on subscriptions as a means of offsetting any loss of advertising revenue in the EU bloc. In my piece, using rough assumptions, I estimated that Meta could retain 40% of its advertising revenue in the EU through gating product access either through consent or a subscription. This would represent 4% of Meta’s global advertising revenue, given that Meta’s CFO, Susan Li, revealed in the company’s Q1 earnings call that the EU is responsible for 10% of Meta’s global advertising revenue.

But the Pay or Okay strategy is unproven. While both the Austrian and German data protection authorities (DPAs) have deemed the Pay or Okay approach to be theoretically permitted under the GDPR, they have both also sanctioned specific invocations of it as illegal: in Austria, with the derStandard newspaper, and in Germany, with the tech news website. In both of these cases, while the use of Pay or Okay was not considered to be conceptually at odds with the GDPR, the particular implementations were, given that users were not afforded the opportunity to consent to the specific purposes for which their data would be collected. That is to say: users were not given the choice to opt out of data processing for personalized advertising on its own, independent of the data processing for core product use cases.

This is aligned with the conceptual thread on which the CJEU, the EU’s highest court, issued commentary on July 4th. That commentary — unpacked in impressive detail by Mikołaj Barczentewicz — presents two important points that are likely to dictate whether Meta’s Pay or Okay policy, if it does ultimately enforce one, withstands scrutiny:

  1. That personalized advertising cannot be considered part and parcel of a social media service. The CJEU’s commentary, which builds upon decisions from eg. the Irish DPA, stemming from influence from the EDPB, questioned whether legitimate interest can be used as a legal basis for data processing related to personalized advertising in social media, given that a social media service can exist without it. This is a broad characterization of the argument; more detail is unpacked in A deep dive on European data privacy law;
  2. That consent may be impossible for consumers to give freely when a service is sufficiently large and ubiquitous. It’s important to remember that the CJEU case was related to the ability of a competition authority (in this case, Germany’s Federal Cartel Office) to consider data privacy cases. The CJEU ruled that, with very limited scope, a competition authority could impose restrictions related to data privacy, but that data protection authorities (DPAs) would have veto power over those decisions. Given the competition lens, however, the CJEU proposed that it could be difficult for a consumer to freely give consent to a service that is so pervasive that its use is effectively impossible to decline.

The second question is abstract, but the first is fairly concrete: if personalized advertising is interpreted through the GDPR as needing separate consent from the more fundamental product engagement use case with social media, then there may be no way to bundle those two use cases together for the purposes of capturing consent. This is conceptually consistent with the decisions that were made related to Meta’s use of contractual necessity and legitimate interest: the core social media use case could legitimately claim those legal bases, but the (in the eyes of EU privacy regulators) ancillary use case of personalized advertising couldn’t, and so the two distinct purposes required independent GDPR treatments. To my mind, Pay or Okay is terra incognita with respect to privacy-related regulatory compliance.

I’ve written extensively on this topic. For more context, see: