Season 2, Episode 7: Exploring the Pay-or-Okay model (with Mikołaj Barczentewicz)
Dec 19, 2023
Law professor Mikołaj Barczentewicz discusses Meta's 'pay-or-okay' model in compliance with GDPR, Norway's ban on targeted advertising, and the European Data Protection Board's guidance on the ePrivacy Directive
Meta has implemented a pay or OK model in the EU, EEA, and Switzerland to comply with GDPR restrictions on data processing.
Meta has gone through multiple changes in its approach to data processing under the GDPR.
The European Data Protection Board recently issued guidance on the ePrivacy Directive, which governs the use of cookies and other technologies for storing or accessing user information.
Deep dives
Meta's Pay or OK Model and GDPR Compliance
Meta has implemented a pay or OK model in the EU, EEA, and Switzerland to comply with GDPR restrictions on data processing. This model offers users a choice between paying a subscription fee or consenting to have their data processed for personalized advertising. The Court of Justice of the European Union has already stated that paid alternatives to consent are possible. Meta's implementation of pay or OK is being challenged by the Norwegian Data Protection Authority, but Meta has several arguments in its favor, including previous approval of similar schemes by other privacy authorities and the existence of comparable models used by legacy media publishers. The outcome of this dispute may have broader implications for the ad-funded internet and the future of personalized advertising.
The Evolution of Meta's Legal Bases for Data Processing
Meta has gone through multiple changes in its approach to data processing under the GDPR. Initially, Meta relied on contractual necessity as the legal basis for processing user data, both for content personalization and personalized advertising. However, the European Data Protection Board forced Meta to abandon this approach for personalized advertising. Meta then shifted to relying on legitimate interests, claiming that personalized advertising was in its legitimate interest and in the interest of its users. However, this approach was also challenged, and Meta announced a further shift towards obtaining user consent for personalized advertising. This led to the implementation of the pay or OK model. Throughout these changes, Meta has faced scrutiny from various privacy authorities and legal challenges, highlighting the complexities of data processing under the GDPR.
The EDPB's Guidance on the ePrivacy Directive
The European Data Protection Board recently issued guidance on the ePrivacy Directive, which governs the use of cookies and other technologies for storing or accessing user information. The ePrivacy Directive requires that such activities only take place with user consent, unless there are specific exceptions. The guidance clarifies the requirements and provides insights into the interpretation of the ePrivacy Directive. It emphasizes the importance of obtaining freely given consent and outlines the limited circumstances in which cookies can be used without consent. This guidance is significant as it further informs the discussions around data privacy and user consent in the EU.
The Pricing Appropriateness Debate
The podcast episode discusses the ongoing debate over the appropriateness of pricing for personalized advertising. While Meta set a price point for personalized advertising, there are activist voices questioning whether the set price is appropriate. The podcast argues that when activist voices begin dictating pricing terms, it becomes problematic as they tend to pursue a single purpose without considering trade-offs. Additionally, there is a debate about the granular choices offered to users and the alternative options given by Meta. The argument is that the pricing of the no-ad bundle might be higher than necessary, which complicates the discussion further.
Imbalance Between Data Subjects and Controllers
The podcast explores the concept of imbalance between data subjects and controllers, as outlined in recital 43 of the GDPR. If a user's reliance on an app is so pervasive that they have no real choice but to use it, then obtaining consent for processing user data becomes difficult. This could potentially lead to a ban on personalized advertising, as consent may not be valid in such cases. However, there is debate about the extent to which this imbalance should be considered, with some arguing for a broader interpretation of the concept. The podcast highlights the risks of giving too much power to independent regulators and the potential unintended consequences of their decisions.
My guest on this episode of the Mobile Dev Memo podcast is Mikołaj Barczentewicz, a law professor at, and the research director of, the Law and Technology Hub at the University of Surrey in the United Kingdom.
In this episode of the podcast, Mikołaj unpacks the realities of "pay or okay," which is the business model that Meta has decided to apply for its users in the EU, the EEA, and Switzerland after various rulings and commentary by EU courts, regulatory bodies, privacy boards, and privacy authorities.
Under this model, a user is provided with a choice that dictates their ability to access a product: they can pay, or consent to having various forms of their data processed, often for digital advertising purposes (which is the "okay" component of the model's name). Several companies have applied this model in the EU in the face of the GDPR's restrictions related to data processing, as we discussed.
Specific topics of our conversation include:
Background on Meta's pay or okay subscription offering;
Norway's banning of Meta's targeted advertising;
and the European Data Protection Board's recent guidance on the ePrivacy Directive.