![](data:image/svg+xml;charset=utf-8,<svg height="682" width="1024" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
Meta’s controversial move last year was to switch to charging users in the European Union an ad-free subscription fee to access Facebook and Instagram unless they consented to tracking and profiling, and attention mining. This allows the company to continue posting micro-targeted advertisements. The business has been hit with a series of complaints from consumer rights groups. The complaint has been filed under the bloc’s data protection regulations.
Currently, Meta charges local users €9.99 per month on web (€12.99 per month on mobile) to opt out of seeing ads for each linked Facebook and Instagram account. If EU users want to access Facebook and Instagram, their only other choice is to consent to their tracking. So the offer is: literally pay For privacy. Or you may “pay” for free access by losing your privacy.
Eight consumer rights organizations in the region have complained to their national data protection authorities about this ‘consent or pay’ option, said European consumer organization BEUC, its member and coordinating body. announced today.
“It is important that consent provided by consumers is valid and meets the high standards set by law, and that such consent is free, specific, informed and unambiguous. “This does not fit into Meta’s ‘pay or consent’ model,” they claim in a blog post about the complaint, suggesting that this is what Meta is asking for. “Forcing consumers to accept the processing of their personal data.”
“Meta is secretive about its data processing from consumers, making it impossible for consumers to know how the processing would change if they selected either option. “The EU has failed to show that the fees it imposes on consumers who do not do so are actually necessary, which is a requirement set out by the Court of Justice of the European Union,” they wrote, adding: “Under these circumstances, what consumers want their data to do becomes irrelevant and therefore no longer free.”
Eight consumer organizations* in the Czech Republic, Denmark, Greece, France, Norway, Slovakia, Slovenia, and Spain* agree that Meta uses people’s data for ad targeting under the region’s General Data Protection Regulation (GDPR). claims that there is no valid legal basis for processing. ) – claims the company processes personal data in a way that is “fundamentally inconsistent with European data protection law”.
Specifically, it accuses Meta of violating GDPR principles such as purpose limitation, data minimization, fair processing, and transparency.
Fines for confirmed regulatory violations can reach up to 4% of global annual turnover. More importantly, companies could be ordered to stop illegal processing, and regulators could reform privacy-hostile business models.
BEUC Deputy Director-General Ursula Pacul commented in a statement:
Meta has repeatedly attempted to justify subjecting its users to commercial mass surveillance. The unfair “pay or consent” option is the company’s latest effort to legitimize its business model. But what Meta is offering consumers is smoke and mirrors to mask its age-old essence: collecting all sorts of sensitive information about people’s lives and monetizing it through an invasive advertising model. Surveillance-based business models pose all kinds of problems under the GDPR, and it is time for data protection authorities to stop META’s unfair data processing and violation of people’s fundamental rights.
BEUC has announced that a legal analysis conducted in collaboration with its members and data rights law firm AWO has concluded that Meta’s processing of consumers’ personal data violates the GDPR in a number of ways. In addition to lacking a valid basis, the analysis suggests that some parts of the advertising process “appear to be invalidly dependent on the contract.”
The analysis also questions what legal basis Meta relies on for content personalization, but this is “not clear” and Meta’s profiling for this purpose is All were found to be required by the relevant contract and consistent with GDPR principles, with “no way to verify”. Data minimization. The same question is also attached to meta profiling for advertising purposes.
The report also finds that Meta’s overall processing is not consistent with the principles of transparency and purpose restriction, including lack of transparency, unexpected processing, and use of a dominant position to force consent. , which emphasizes “switching of legal grounds in a way that prevents the exercise of the legal basis”. It also said that this was inconsistent with the GDPR’s fairness principles.
As we previously reported, Meta’s self-serving “accept or cough” offer has already faced a number of other GDPR complaints. These include one brought by privacy rights group noyb, which highlights the premium price Meta charges for privacy. The other, invented by Meta, focuses on choice asymmetries, where it is very easy for users to consent to that tracking, but if they change their mind and want to withdraw consent previously given, etc. , privacy is much more difficult to protect.
Earlier this month, three DPAs also asked the EU’s data protection regulator EDPB to issue an opinion on the legality of consent and payments.
That guidance is still pending. But new complaints, and this pincer move by consumer protection groups and privacy rights groups, have warned EU data protection regulators that the tactic is a cynical attempt to circumvent the EU’s data protection rulebook for commercial purposes. That could put pressure on privacy campaigners not to rubber-stamp the tactics they have long warned about.
meta has already lost the ability to use the other legal bases it claimed to allow advertising processing following previous privacy complaints (and competition challenges). This essentially means obtaining user consent is the last chance to continue operating tracking ads in the EU. In the EU, the law requires a valid legal basis for processing people’s data (GDPR lists six legal grounds, but the rest are non-legal grounds). (not related to business).
IIf Meta’s recent efforts to enforce consent fail, it could ultimately be forced to reform its surveillance business model. As I’ve written before, the stakes are high, both for Meta and for European web users.
Today is not the first complaint filed against Meta’s consent and payment strategies by consumer protection groups. Some say Meta also violates the group’s rules on consumer protection. In November of last year, in a broad coalition of industry actions, BEUC and 18 of its member organizations announced that the coalition’s consumer A complaint was filed for violation of personal protection regulations.
Those complaints were filed under CPC, Regional Network of Consumer Protection Authorities. If Meta does not engage in the CPC process, including by offering concessions aimed at redressing the group’s grievances, the consumer regulator (which is empowered to impose fines of up to 4% of global turnover) may face enforcement action.
At the time, BEUC said it might also consider filing a data protection complaint against Meta’s controversial consent proposal, and this is the development we see today.
“Meta must cease unlawful processing of consumers’ personal data, including for advertising purposes,” it said in a press release. “Personal data collected illegally must be deleted. Furthermore, if Meta wishes to use consumer consent as a legal basis for data processing, it must ensure that this consent is indeed freely given and specific. And we must ensure that it is well-informed and clear, as required by law.”
Meta has previously argued that its consent and offers of compensation were legal under GDPR. However, the company’s blog post defending the controversial tactic makes no mention of how it complies with EU consumer protection law.
There are also additional considerations here. The European Commission oversees the enforcement of Meta’s compliance with the Digital Services Act (DSA) rules for large platforms and the Digital Markets Act (DMA). Two new pan-EU regulations governing consent. Collected to process personal data for advertising targeting purposes. These regulations also prohibit the use of sensitive personal data or the data of minors in advertising. And it states that consent should be as easy to withdraw as it is to provide. So, another very pertinent question is: What will the European Commission do about meta consent or salary offers in the EU?
The EU executive authorities are empowered to enforce the DSA and DMA against Meta, which may include issuing remedial orders. DSA violations can also result in fines of up to 6% of annual turnover, while DMA can result in fines of up to 10% (or even higher in the case of repeat offenses).
So the latest GDPR complaint against Meta by consumer organizations will likely be referred back to the Irish Data Protection Commission, the chief data regulator for big tech companies in the EU, but the Data Protection Commission continues to face criticism about how weak enforcement of the GDPR is. Beyond the tech giants, there are many avenues where the company’s consent choices are facing scrutiny. And potentially faster and more robust enforcement action.
*BEUC members who have filed GDPR complaints against Meta are CECU, dTest, EKPIZO, Forbrugerrådet Tænk, Forbrukerrådet, Poprad, Spoločnosť ochrany Spotrebiteľov (SOS), UFC-Que Choisir, and Zveza Potrošnikov Slovenije (ZPS). A ninth consumer group, Consumentenbond, based in the Netherlands, has not filed a complaint but plans to write to the Dutch data protection authority, BEUC said.
