On Monday, the European Commission announced that it is launching investigations into Alphabet, Apple, and Meta under the Digital Markets Act (DMA). Meta is being investigated for the “Pay or Okay” model it introduced last October in the EU, EEA and Switzerland. From the EC’s press release:
Finally, the Commission has opened proceedings against Meta to investigate whether the recently introduced “pay or consent” model for users in the EU complies with Article 5(2) of the DMA which requires gatekeepers to obtain consent from users when they intend to combine or cross-use their personal data across different core platform services … The Commission is concerned that the binary choice imposed by Meta’s “pay or consent” model may not provide a real alternative in case users do not consent, thereby not achieving the objective of preventing the accumulation of personal data by gatekeepers.
The EC is seemingly alleging two distinct violations:
- That Meta contravenes Article 5(2) of the DMA by gathering consent once but applying that consent across two separate “core platform services.” Keep in mind that the phrase “core platform service” doesn’t relate to a product but rather a use case within a product, for which any given product might feature several. The EC has identified six gatekeepers and 22 core platform services among them: presumably, the two core platform services relevant in Meta’s case are Social Media (the Facebook and Instagram products) and Ads;
- That Meta is not providing consumers with all-encompassing choice such that every user could potentially prevent Meta’s “accumulation of personal data” from them.
I covered Meta’s evolution in the EU last year in detail as the company navigated the various legal bases for data processing under the GDPR until arriving at “Pay or Okay.” I provide a history of Meta’s reactions to various privacy decisions in the EU, starting in January 2023, in Meta, subscriptions, and the EU’s Privacy Gordian Knot. For a more in-depth review, see:
- EU privacy watchdog to Meta: first-party data is off limits for ads personalization (January 2023);
- Meta to offer an opt-out for personalized ads in EU (March 2023);
- Norway’s privacy regulator temporarily bans Meta’s behavioral advertising (July 2023);
- Meta’s inevitable detour with EU privacy: “Pay or Okay” (September 2023).
This episode of the Mobile Dev Memo podcast, with EU privacy law expert Mikołaj Barczentewicz, was dedicated exclusively to exploring Meta’s adoption of the Pay or Okay model in the months after it was launched. At the time, the use of Pay or Okay seemed entirely irrelevant to the DMA, with the model’s legitimacy more likely to be questioned by the European Data Privacy Board (EDPB), which is tasked with enforcing the GDPR.
28 NGOs petitioned the EDPB last month to reject Meta’s use of the Pay or Okay model. The EDPB has yet to issue guidance, although the EDPB sided with Norway’s DPA in expanding that country’s ban on Meta’s behavioral targeting approach to the entirety of the EU last October and has seemingly taken an antagonistic stance towards personalized advertising in general.
But in a July 2023 decision, the CJEU, Europe’s highest court, ostensibly clarified that the Pay or Okay model could be acceptable given that any paid alternative to consent to data processing was made available for an “appropriate fee.” I proposed a standard for determining an appropriate fee in the aptly titled What is an “appropriate fee” for a social media subscription?. In the piece, I determined that the price point for the Meta subscription fell within the range of similar content subscriptions (Netflix, Spotify, Disney+, etc.) but wondered whether any price point would comport with a more philosophical objection to personalized advertising:
One might argue, however, that Meta’s “pay-or-okay” subscription product stands in contrast to these (aside from YouTube) because it is an alternative to a free version that is gated by consent and monetized by ads. In other words, some might contend that the problem with the price point isn’t that it exists, but rather that it exists as the only consumer access alternative to data processing for personalized advertising. This argument could be used to determine that, in the case where a subscription serves as a foil to personalized advertising, the price point cannot be anchored to any commercial rubric but instead should serve to provide the greatest possible consumer accessibility.
With its investigation into Meta’s use of this model, this philosophically-animated approach is evidently where the EC has landed. The EC’s concerns about Meta’s use of the Pay or Okay model are not rooted in the DMA as written but seem wholly pretextual, merely utilizing the DMA as a beachhead from which to launch an offensive against personalized advertising. And while the EC’s proceedings are in the earliest stages, they invite three pointed concerns about their logical validity.
The DMA does not mandate that gatekeepers make every possible business model available in monetizing their products. The EC’s second point is that Pay or Okay institutes a “binary choice” between monetization through personalized advertising or monetization through a subscription, two fundamentally distinct business models. This construction of a “binary” implies that users are deprived of all other choices of business models. But Pay or Okay is not a binary choice: the tacit third choice available to consumers is not to use the service at all. If the EC argues that the DMA mandates that a version of any gatekeeper’s product be offered that is exclusively monetized by contextual advertising, which is a third, distinct business model, then it’s not a stretch to imagine that it ultimately requires that any possible business model be offered as a monetization option. This idea was captured in a question asked of Meta during its DMA workshop last week: “Why can’t you just sustain your business with non-personalized ads without charging a subscription?” But again: contextual advertising, personalized advertising, and subscriptions are three wholly distinct business models. Substitute “metered usage” or “upfront, one-off pricing” for “non-personalized ads” in the question, and it’s clear how the notion becomes unwieldy and untenable.
There is no reason to believe personal data must necessarily be commingled between social media exposures and ad interactions. For the Pay or Okay model to violate Article 5(2) of the DMA, user data would need to be combined across core platform services without a user’s explicit consent for doing so. But there is little reason to believe that ad interactions inform the social content that is populated into a user’s feed (and data flows in the opposite direction — the curation of ads based on surrounding content — is the definition of contextual advertising and doesn’t require personal data). Meta’s blog post announcing the Pay or Okay model launch clarifies that a subscription merely exempts users from advertising but doesn’t degrade the social product feed experience. If ad interactions informed feed content selection, the social feed would be impaired by the absence of personalized advertising, requiring disclosure. As an aside, it’s worth noting that the DMA’s implication here — that advertising and product personalization are mutually reinforcing — seems to undermine the broader point that personalized advertising runs counter to consumer interests.
Pay or Okay has already been scrutinized by the EU privacy machinery and deemed compliant with the GDPR. As we discuss in the Pay or Okay episode of the Mobile Dev Memo podcast, the Pay or Okay model is widely used throughout the EU in compliance with the GDPR, primarily by news publishers like Der Spiegel, Bild, and Zeit. The model has been interrogated under the restrictions of the GDPR and deemed permissible. The EC’s objection to Meta’s use of Pay or Okay hints at a vague interpretation of the DMA that proscribes the “accumulation of personal data by gatekeepers” that is absent in the text. Further, that nebulous aspiration orbits the regulatory influence of privacy, not competition, which is the DMA’s purview. By the same token: the EDPB, which enforces the GDPR, will issue guidance on Meta’s use of the Pay or Okay model imminently. Why would the EC need to investigate the model separately under the guise of competition concerns?
I have vigorously and consistently advocated for the consumer benefits of personalized advertising while recognizing that various aspects of the digital advertising ecosystem are indeed inimical to consumer interests. These are not contradictory positions: privacy-invasive data capture and exploitation can be suppressed while still enabling advertising personalization, which is the engine of the internet. Any coherent legislation aimed at either safeguarding user privacy or stimulating competition should acknowledge that consumer privacy and personalized advertising are not mutually exclusive concepts. Instead of targeting a specific business model — which only emerged because the European privacy machine’s dogged war of attrition on personalized advertising eliminated all other commercial avenues available to it — any regulatory body should seek to promote the use of novel approaches to preserving privacy and consumer choice while achieving the economic benefits of personalization.
Recent