EDPB issues opinion on ‘pay or consent’ model for behavioral advertising

European Data Protection Board opinion evaluates ‘consent or pay’ model, emphasizing GDPR compliance. Criteria include offering alternatives, avoiding harm, considering power dynamics, and providing processing options.

Cyber,security

The European Data Protection Board (EDPB) adopted an opinion on the validity of the ‘consent or pay’ model deployed by large online platforms. Essentially, the opinion comes after the Dutch, Norwegian, and German (Hamburg) Data Protection Authorities (DPA) requested the EDPB to clarify the circumstances under which ‘consent or pay’ models related to behavioral advertising can be implemented.

The EDPB took into account the General Data Protection Regulation (GDPR) provisions as well as the Court of Justice of the EU (CJEU) case law, which stated that in most cases, such models would not be compatible with the requirements of valid consent established under the GDPR. The opinion clarifies that obtaining consent from users does not mean that the body determining the purpose and means of data processing (i.e. data controllers) complies with the GDPR.

For consent to be considered valid and free, the data controllers should follow the following criteria:

  1. Conditionality: The data controller should ensure that consent is given freely, and if they refuse to consent, they should be given an ‘equivalent alternative’. This would include options that do not use data processing for behavioral advertising.
  2. Detriment: The users should be able to have a genuine choice and refuse their consent without being harmed, such as unable to access the platform’s services.
  3. Imbalance of power: The data controller should consider the platform’s position in the market and its impact on users.
  4. Granularity: The users should be able to freely choose which type of purpose processing they will accept.

Why does it matter?

In plain language, the ‘pay or consent’ model is not prohibited per se; it just needs to fall under the four criteria. While this opinion is not binding, the national DPAs who requested clarification may implement these changes into their national laws.

What is important is that this whole process began because Meta was the platform that implemented the ‘pay or consent’ model in October 2023 as a response to comply with the CJEU ruling on privacy protection. However, this received a backlash from 28 digital rights groups which urged the EDPB in February 2024 to reject this approach as this model would have negative privacy implications by any industry sector with an ability to monetise personal data via consent.

Therefore, this opinion could also change Meta’s privacy policy in the EU and EEA areas and its ‘pay or consent’ model, or it could implement alternative options to ensure GDPR compliance.