Meta's 'consent or pay' data grab in Europe faces new complaints

A controversial move by Meta last year, when it switched to charging users in the European Union for an ad-free subscription to Facebook and/or Instagram unless they agreed to be tracked and profiled so it could keep running its attention-mining microtargeting ad business, has triggered a set of complaints from consumer rights groups. The complaints are being brought under the bloc's data protection rules.

Currently, Meta charges regional users €9.99/month on web (or €12.99/month on mobile) to opt out of seeing any adverts per linked Facebook and Instagram account. The only other choice EU users have if they want to access Facebook and Instagram is to agree to its tracking -- meaning the offer is to literally pay for privacy, or "pay" for free access by losing your privacy.

Eight consumer rights groups from across the region are filing complaints with national data protection authorities against this "consent or pay" choice, the European consumer organization, BEUC -- which is a membership and coordinating body for the groups -- announced today.

"It is crucial that any consent provided by consumers is valid and meets the high bar set by the law, which requires such consent to be free, specific, informed and unambiguous. This is not the case with Meta’s ‘pay-or-consent’ model," they argue in a paper about the complaint, which goes on to suggest Meta is seeking "to coerce consumers into accepting its processing of their personal data."

"Meta keeps consumers in the dark about its data processing, making it impossible for the consumer to know how the processing changes if they choose one option or the other. The company also fails to show that the fee it imposes on consumers who do not consent is indeed necessary, which is a requirement stipulated by the Court of Justice of the EU," they also write, adding: "Under these circumstances, the choice about how consumers want their data to be processed becomes meaningless and is therefore not free."

The eight consumer groups*, located in the Czech Republic, Denmark, Greece, France, Norway, Slovakia, Slovenia and Spain, argue Meta has no valid legal basis for processing people's data for ad targeting under the bloc's General Data Protection Regulation (GDPR) -- asserting the company is processing personal data in a way that is "fundamentally incompatible with European data protection law."

Specifically, they're accusing Meta of violating the GDPR principles of purpose limitation, data minimization, fair processing and transparency.

Penalties for confirmed breaches of the regulation can reach up to 4% of global annual turnover. More importantly, companies can be ordered to stop unlawful processing -- with the potential for regulators to reform privacy-hostile business models.

Commenting in a statement, Ursula Pachl, deputy director general of BEUC, said:

Meta has tried time and time again to justify the massive commercial surveillance it places its users under. Its unfair "pay-or-consent" choice is the company’s latest effort to legalise its business model. But Meta’s offer to consumers is smoke and mirrors to cover up what is, at its core, the same old hoovering up of all kinds of sensitive information about people’s lives which it then monetises through its invasive advertising model. Surveillance-based business models pose all kinds of problems under the GDPR and it’s time for data protection authorities to stop Meta’s unfair data processing and its infringing of people’s fundamental rights.

BEUC said a legal analysis it undertook with members and the data rights law firm, AWO, concluded that Meta's processing of consumers’ personal data breaches the GDPR in multiple ways. As well as lacking a valid basis, some of the processing for ads "appears to rely invalidly on contract," the analysis suggests.

The analysis also queries what legal basis Meta relies upon for content personalization -- finding this is "not clear" and "there is no way to verify" all of Meta’s profiling for this purpose is both necessary for the relevant contract and consistent with the GDPR principle of data minimization. The same questions are attached to Meta's profiling for advertising purposes.

It also found Meta’s processing in general is not consistent with the principles of transparency and purpose limitation -- highlighting a lack of transparency, unexpected processing, use of a dominant position to force consent, and "switching of legal bases in ways which frustrate the exercise of data subject rights," which it also said it not consistent with the GDPR principle of fairness.

As we've reported before, Meta's self-serving "consent or cough up" offer is already facing a number of other GDPR complaints, including one brought by privacy rights group noyb that's focused on the premium price Meta has put on privacy; another is focused on the asymmetry in the choice Meta has devised, which makes it super simple for users to agree to its tracking but a lot more arduous to protect their privacy, including if they wish to change their mind and withdraw previously given consent.

Earlier this month three DPAs also requested that the EU's regulatory body for data protection, the EDPB, issues an opinion on the legality of consent or pay.

That guidance is still pending. But fresh complaints -- and this pincer action by consumer protection and privacy rights groups -- could pile pressure on the EU's data protection regulator not to rubber stamp a tactic privacy campaigners have long warned is a cynical attempt to circumvent the bloc's data protection rulebook for commercial gain.

Meta has already lost the ability to use other legal bases it had claimed authorized its ads' processing -- following earlier privacy complaints (and a competition challenge). This means obtaining users' consent is, basically, the last chance for it to continue operating its tracking ads business in the EU, where the law requires a valid legal basis for processing people's data (the GDPR names six legal bases but the rest aren't relevant for an adtech business like Meta's).

If Meta's latest consent coercion fails, it could -- finally -- be forced to reform its surveillance business model. As we've written before, the stakes are high: for Meta and for web users in Europe.

Today's complaints are not the first filed against Meta's consent or pay tactic by consumer protection groups -- some of which argue it's breaching the bloc's rules on consumer protection, too. Broader, coordinated action from the sector last November saw BEUC and 18 of its member groups filing complaints against what they dubbed “unfair, deceptive and aggressive practices” by Meta that they assert breach the bloc's consumer protection rules.

Those complaints were filed with the CPC, a regional network of consumer protection authorities. If Meta does not engage with the CPC's process, such as by offering concessions aimed at remedying the groups' complaints, it could face enforcement action by consumer regulators (which are empowered to issues fines of up to 4% of global turnover).

At the time, the BEUC said it may also look to bring a data protection complaint against Meta's controversial consent offer -- which is the development we're seeing today.

"Meta must stop any illegal processing of consumers’ personal data, including for the purpose of advertising," it wrote in a press release. "Any illegally collected personal data must be deleted. In addition, if Meta would like to use consumers’ consent as legal basis for its data processing, it must ensure that this consent is indeed freely given, specific, informed and unambiguous, as required by the law."

Meta has previously argued its consent or pay offer is lawful under the GDPR. However, its blog post defending the controversial tactic does not make any mention of how it complies with EU consumer protection law.

There's a further consideration here too: The European Commission oversees enforcement of Meta's compliance with the Digital Services Act's (DSA) rules for larger platforms and Digital Markets Act (DMA) -- two newer, pan-EU regulations that stipulate consent has to be obtained for processing personal data for ad-targeting purposes. These regulations also ban the use of sensitive personal data or minors' data for ads and state that consent must be as easy to withdraw as it is to provide. So another very pertinent question, vis-à-vis Meta's consent or pay offer in the EU, is what the Commission will do?

The EU's executive is empowered to enforce the DSA and DMA on Meta -- which could include issuing corrective orders. Breaches of the DSA can also lead to penalties of up to 6% of annual turnover, while the DMA can see fines as high as 10% (or even higher for repeat offenses).

So while the latest consumer group GDPR complaints against Meta will likely have to wend their way back to the tech giant's lead data supervisor in the EU, Ireland's Data Protection Commission, which continues to face criticism over how weakly it enforces the GDPR on Meta and other tech giants, there are a number of other avenues where the company's consent choice is facing scrutiny. And -- potentially -- faster and firmer enforcement action too.

*The BEUC members filing GDPR complaints against Meta are CECU, dTest, EKPIZO, Forbrugerrådet Tænk, Forbrukerrådet, Poprad, Spoločnosť ochrany spotrebiteľov (S.O.S.), UFC-Que Choisir and Zveza Potrošnikov Slovenije (ZPS). A ninth consumer group, the Netherlands-based Consumentenbond, is not filing a complaint but will be sending a letter to the Dutch data protection authority, per BEUC.