Long Read: Meta's subscription model - do the complaints have merit?

While awaiting the agreed text of the EU's AI Act, it seemed worth revisiting last week's post on the EDPB's urgent binding decision on Meta's personalised ads activity and, more specifically, Meta's response to it.

As discussed last week, the EDPB decision prevents Meta from relying on legitimate interests to process data relating to its behavioural advertising activities. Having already invalidated Meta's reliance on the contractual necessity basis, consent is pretty much the only ground Meta has left to rely on...and that's what it's doing by introducing a subscription model in the EEA and Switzerland that gives users the option of paying fees to use ad-free versions of Facebook and Instagram.

Somewhat predicably, the move has triggered complaints from certain advocacy groups, namely European consumer agency group BEUC and privacy NGO noyb. This post takes a look at some of the main issues raised in those complaints and examines whether the subscription model proposed by Meta is capable of meeting the GDPR's consent requirements.

What's the subscription model and how does it work to obtain consent?

Meta now asks users in the EEA and Switzerland to select whether they wish to take out a subscription to use Facebook/Instagram (until 1 March 2024, €12.99/month) or continue to use the networks for free but with adverts. It goes on to explain that it is offering the option to enable users to decide whether to allow Meta to use their personal data to show advertising due to a development in law in the region, and gives a little further information about how the two options will work. Using the current consent mechanism, selection of the free-with-ads option will be interpreted as the user granting consent to the processing of their personal data for personalised advertising purposes.

Without wishing to patronise readers, it's perhaps worth summarising that consent must be: (i) specific; (ii) freely given; (iii) informed; and (iv) an unambiguous expression of the data subject's agreement to processing. The 'unambiguous expression' must take the form of a positive action demonstrating that the data subject has actively confirmed their consent but it does not need to include the words 'I consent' or 'I agree'. Consent must also be reversible, and withdrawing or refusing consent should be as easy as providing it.

Provided that these elements are met, then from a GDPR perspective the consent will be valid...but it's a notoriously high threshold to meet.

What's the gist of the respective complaints?

BEUC and noyb make multiple claims about Meta's proposal and its alleged breach(es) of data protection and consumer laws. There are myriad issues cited in the complaint documents but the main problems the organisations have with the model seem to be:

• problematic consent collection: the free-with-ads option is preselected as the user's current version, akin to opt-out consent, and there is a disparity between the length of time taken to set up free-with-ads access (consenting) compared to the subscription model (not consenting);

• conditionality: linking consent to the free-with-ads model to the user contract is contrary to Article 7(4) GDPR, as behavioural advertising services are not necessary for the performance of the contract;

• lack of clarity over consent's scope: users cannot be sure whether signing up to the subscription service simply suppresses ads and processing related thereto or actually prevents the tracking and profiling activities that underpin the personalised advertising service;

• imbalance of power due to market dominance: Facebook and Instagram are each so dominant that there is no real alternative to using the platforms, meaning if users were to close their accounts they would lose important information, primarily regarding their connections; and

• high subscription fees: the proposed pricing is argued to be sufficiently high to act as a deterrent to users considering signing up for the ad-free versions.

Can Meta obtain consent this way or are the complaints justified?

Given the range of issues cited in the complaints, it's perhaps worth considering whether the subscription model meets the four elements of valid consent under the GDPR, namely does the selection of the ad-free option constitute specific, freely given, informed and unambiguous consent?

Specific?

This element is perhaps the least controversial in this case. Unlike other online services' subscription options, the sole purpose of the Meta subscription at this stage is to allow users to avoid seeing adverts and having their personal data processed for personalised advertising purposes. On this basis, opting for the free-with-ads version of Facebook/Instagram can feasibly be said to represent specific consent to personalised advertising.

Freely given?

This is where it gets knotty. For a data subject to be capable of freely giving consent to processing of their personal data, they must be provided with a real choice. That choice cannot simply be whether to use the service or not.

Conditionality (bundling consent with contractual acceptance)

Article 7(4) GDPR states that, when considering if consent is freely given, "utmost consent shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of a contract".

The EDPB's Guidelines 05/2020 on consent under Regulation 2016/679 adds further colour to this, explaining that "Compulsion to agree with the use of personal data additional to what is strictly necessary limits data subjects' choices and stands in the way of free consent". It notes that where consent is tied to the performance of a contract, a data subject that opts against consenting to the processing runs the risk of being denied access to the services they've requested.

noyb's complaint claims that Meta engages in conditionality, basing this on its interpretation that Meta now offers two separate products for both Facebook and Instagram:

• Product A: an ad-free Facebook/Instagram service in exchange for a fee; or

• Product B: use of Facebook/Instagram services for free with linked consent to processing.

This argument is difficult to get on board with. The interpretation could be seen to be contrived to build an argument that Meta breaches the consent requirements on this basis, whereas it seems more accurate to present 'Product A' and 'Product B' as options in relation to how Facebook/Instagram services are delivered - pay a monthly fee and don't see adverts when on the platforms, or use the platforms for free but see adverts tailored to user preferences.

Imbalance of power

Both BEUC and noyb raise concerns over the influence of Meta's dominant position in the social networking sector on the balance of bargaining power between the company and its users. They also cite the strong network effects of the services, noting that leaving Facebook, for example, would lead to the loss of all connections, including friends, family and acquaintances, and access to other information available in communities and groups on the site.

Case C-252/21 (the Bundeskartellamt action against Facebook's alleged abuse of a dominant position involving the processing of personal data) considered the issue of whether the fact that a social network enjoys a dominant position plays a role in the assessment of whether consent is freely given. The court determined that it did, although it ultimately found that it would not preclude the users of that network from being able to provide valid consent (albeit that the controller would need to be able to demonstrate that consent was freely given).

Detriment

It is undoubtedly important to ensure that people are not excluded from using such ubiquitous social networks simply because they will not consent to the use of their personal data for processing that is not essential for the delivery of the service to them as consumers. At the same time, GDPR and other data protection laws were not drafted to prevent companies from capitalising on revenue streams that involve personal data processing that complies with legal requirements.

As Meta mentioned when announcing the subscription, the CJEU in Case C-252/21 endorsed the idea of charging an appropriate fee for an equivalent service that does not involve the personal data processing. As such, it may consider its subscription model to provide a satisfactory solution to enable it to continue offering personalised advertising. After all, there are many consumers who see benefit in personalised adverts, and early social networks such as Friends Reunited relied on a pure subscription model and ran into problems as it became clear people were happier to use ad-funded free services than pay monthly fees.

What's a fair price?

The reasonableness of the fee that non-consenting users are asked to pay is pivotal in establishing whether the model is fair enough to allow users to make a free choice. It is a tough question for which data protection authorities may not be appropriate arbiters and there are a number of points to consider:

• difficulties with benchmarking: the paid-for premium alternatives offered by other online services such as Spotify and YouTube offer a number of additional benefits to users such as downloadable content to be used offline. This makes it difficult to quantify the value of an ad-free service. Also, unlike Spotify and YouTube, there is no tangible predecessor product or service to serve as an internal comparator - it is easy to imagine Spotify's elevator pitch mentioning the ability to listen to any song you want for the monthly price of one CD album;

• setting prices for a broad customer base: even within the EU there are real discrepancies between the relative wealth of the average citizen in different member states, which could mean a reasonable price in, say, Germany, is prohibitive to consumers in Bulgaria. While a number of services set one price for the whole bloc, it is not beyond the realm of possibility that Meta's adoption of this strategy would prompt further examination of the fairness of this approach; and

• considering the commercial impact of a data subject's decision: if the default financial model has relied on behavioural advertising to ensure that users do not need to pay to use the service, can the controller account for lost profits with the subscription fee? Would this hold where the controller's profits are considered significant, or would regulators be compelled to determine a 'fair profit' metric (which arguably goes against the principle of free markets)?

Both complaints suggest that the present fee is excessive. noyb goes as far as suggesting that Meta is essentially asking users to pay  €251.88 to retain their fundamental right to data protection - this is a stretch, given that Meta still has an obligation to protect users' personal data even where they consent to processing. Giving the proposed fees a smell test, however, they do seem a touch on the high side - commensurate with certain premium options for other online products that offer other tangible benefits beyond an ad-free service. A lot of people who might otherwise be tempted to pay the subscription could be put off by the numbers. Meta may well have sound reasons for pitching fees at these levels, and if so then it should provide information about the logic involved (to the extent it doesn't already).

Are users sufficiently informed?

The consent mechanism explains that the ad-funded version of the app will involve the processing of personal data for advertising purposes but more information could be provided in terms of what exactly it does with the data.

The two complaints make the very reasonable point that it is not clear whether rejecting consent (i.e. paying for the ad-free version) means that the tracking and monitoring activities employed to enable personalised advertising would stop or whether Facebook and Instagram simply switch off adverts and use the data collected through tracking for other purposes (which anyone paying the subscription is likely to consider intrusive).

The GDPR and EDPB Guidelines focus on what information should be given about processing based on consent rather than in respect of what processing will occur even if the data subject does not give consent, so there is an argument that in the strictest sense, Meta's wording could be said to be sufficient. It is reasonable to suggest, however, that in this situation the user needs to know the extent to which related processing activities will continue in the absence of consent in order to be fully informed of precisely what processing activities consent allows Meta to carry out.

It certainly would be useful to keep the language provided under review to ensure that it remains clear the extent to which processing relating to behavioural advertising will stop – if the information continues to be collected and used for other purposes, this should be made clear in the mechanism. To this end, it may also be helpful to provide a link to the relevant privacy notice.

Unambiguous expression of intent?

The provision of two options, one of which the user must select before accessing the app, should be enough to be considered an unambiguous expression of the user's wishes. There are, however, certain issues that have been flagged in the noyb complaint and which Meta should give thought to.

noyb observes that Meta shows 'Your current setting' as a preselected option prior to the user setting their preferred option. noyb's argument is that this is similar to a pre-ticked box, which would need to be actively deselected to avoid granting consent. Should this be the case - it's not entirely clear from the screenshots in the complaint - it gives rise to the argument that Meta has set up consent as opt-out, which falls foul of the GDPR. While the counterargument is surely that users have been using the ad-funded version (as it was the only option available previously) therefore it makes sense to state this within the content mechanism, this could easily be provided without making it a preselected option - in this case, static text would get the message across without running into regulatory issues.

The ease of refusing consent

noyb also complains that the consent mechanism is unlawful as it requires far more effort to refuse consent than it does to grant it. As mentioned in the complaint, the EDPB has previously established in its cookies banner taskforce report that it is not acceptable to make a user go through additional pages in order to reach a decline button. noyb asserts that this is even more important where payment data needs to be entered in order to refuse consent. That said, although Art. 7(3) GDPR states that withdrawing consent must be as easy as giving it, the GDPR is silent on whether acceptance and refusal processes for consent should be broadly equivalent. 

noyb's point is hard to accept here. Firstly, it is not clear that the rejection of consent is any more difficult to execute than acceptance. Users are required to select either option on the same page, and by confirming they would like to proceed with the ad-free subscription version, they reject consent. Payment - an essential element of the ad-free subscription option - is collected after the user has refused to consent to personalised advertising through the free option. Even considering the payment process to be a part of the refusal process, it is surely unfair to count those payment steps, some of which are required and handled by the financial institutions okaying the transactions, in a comparison against a process that has no need for payment. If this were the case then the only way in which to achieve parity would be to require users to enter payment details and pre-authorise payments prior to making a selection, which brings its own data protection and cyber security concerns.

All being considered, it would appear that the consent process is fair in this regard and does not overly prejudice those who decide against using the ad-funded version of Facebook/Instagram.

So...is it a goer?

The clarity of the options being offered by Meta suggest that the tech giant may well be able to make the subscription model work and justify the use of personalised advertising through user consent. There remain, however, a few issues outlined in the complaints that give rise to uncertainties over whether Meta's consent mechanism will be able to persist in its present form. Nevertheless, it is in Meta's gift to take action to clarify and uncertainties and, if necessary, rectify issues that BEUC and noyb have highlighted that may have merit. Meta therefore may wish to:

• review its pricing model and/or provide information to users about the rationale behind the fees being charged for the ad-free services;

• clarify the extent to which processing relating to personalised advertising is suppressed, for example explaining whether the tracking and monitoring activities will continue and, if so, why they will do so; and

• make it easier to find more general information about Meta's use of personal data during the consent process, such as clearly linking to Meta's privacy information resources (to be fair to Meta here, its announcement makes clear users can use the Privacy Centre to control certain processing, including whether ad personalisation can use data from third party apps and websites - perhaps making this information more easily accessible during the consent process would be helpful in assuring users who have doubts about accepting the ad-funded version).

Even where not strictly necessary, these steps can serve to help enhance the trust that exists between Meta and its user base in relation to personal data processing.

Considerations once consent is obtained

As alluded to earlier in this post, data protection compliance does not begin and end with the collection of consent. Where consent is obtained, Meta must ensure that it complies with the data protection principles set out in Art. 5(1) GDPR, in particular:

• fairness, lawfulness and transparency: while many people who opt for the ad-funded version will see personalised advertising as a positive, there is no getting away from the fact that cutting edge personalised advertising relies on significant amounts of data and can be viewed as intrusive at times. Meta should ensure that fairness is at the heart of any developments in its personalised advertising service and provide sufficient information, including regular updates about its processing activities, to users;

• data minimisation: Meta has access to unrivalled consumer data sets, which can include information from third party sites as well as detailed profiles curated by users of the company's social network services. Although there may be a temptation to use as much of this as possible to improve the effectiveness of its advertising products, it is important not to lose sight of the need to use only as much as possible for the processing activities at hand. A degree of nuance may be required here in order to balance the needs of product optimisation with fairness to the data subjects;

• purpose limitation: if the data collected for advertising purposes is also used for other activities, this would need to be reflected in the privacy notice. Irrespective of whether this is the case, if Meta were to use tracking and profiling techniques used for personalised ad services for other activities, this information should be mentioned in the consent mechanism to avoid misleading users; and

• accuracy and storage limitation: in profiling models, the date range of the information used will impact on the quality of the resulting profile. While it's easy to assume the more information you have the better, in fact with advertising products it may be useful to cull information after a predefined period to ensure that 'stale' information does not dilute the profile and its effectiveness in reflecting a user's current interests.