Ad-Tech Europe: The Moving Target Marking Targeted Advertising
By: Nicole Kardell
The European Data Protection Board (“EDPB”) recently published an opinion on the legality of pay-or-consent models for online platforms offering services in Europe. While the opinion is non-binding and limited to “large online platforms[1],” companies that offer platforms large and small in Europe should pay attention to the EDPB’s analysis—it will inform their future guidance for entities large and small.
The upshot: Pay-or-consent models [for large online platforms] are NOT okay. Why? Because, according to the EDPB, people cannot give valid consent when they are faced with a binary choice that is not meaningful.
We anticipated this response from the EDPB after gaining insights from a webinar in recent weeks in which a head at the Norwegian Data Protection Authority, Tobias Judin, advocated the position that data privacy is not only for the rich and pay-or-consent models have a disparate impact on people at different economic levels. The issue, as he presented it, was that people who are cash-strapped cannot freely make a choice between paying for platform access to preserve their privacy and getting access for free by allowing use of their personal information for behavioral advertising. People who use major online platforms (like Facebook) have come to rely on these platforms for communications and information access. Suddenly facing a choice between paying for continued access or giving up their personal data for that access is not in fact a choice because they cannot afford the subscription fee (especially if they have accounts with several platforms, each of which may use this model). In other words, there is no valid consent in the pay-or-consent model because people (unless they are rich) really don’t have a choice. Either they give over their personal data to the platform or are denied access.
Facebook’s parent company, Meta, proposed the pay-or-consent model for European users in October after the company was found to be processing users’ personal data without a legal basis. (We wrote about the matter and provided background on legal bases to process personal data in Europe last December. You can get these details here.) The model was Meta’s attempt to produce a legal basis (consent of the user) while maintaining a revenue stream.
Three supervisory authorities (including Norway, from which hails Mr. Judin) were underwhelmed by Meta’s approach and requested the EDPB weigh in on the pay-or-consent model. The EDPB took a stance that echoes Mr. Judin’s concerns: when there is not a meaningful choice because people cannot afford one of two options, a user’s consent is not valid and therefore there is no legal basis for processing the personal data.
The EDPB suggested that large online platforms should consider other models that do not involve payment requirements, such as a free alternative without behavioral advertising, so that individuals can have a meaningful choice. The Board’s opinion highlighted criteria for meaningful consent under the General Data Protection Regulation (“GDPR”), including conditionality, detriment, imbalance of power and granularity (see here at para. 70 for the Board’s basis). It also noted that platforms should confirm that those who do not consent are not ultimately penalized in any way, such as being excluded from important services or network access.
Again, the Board’s analysis was limited to large online platforms, non-binding, and it noted that validity of pay-or-consent models should be assessed on a case-by-case basis. So, if you are an upstart with a great idea but a small footprint, or you have a respectable but not significant user base, should you shrug your shoulders and proceed as usual? If you are doing business in Europe, we would recommend that you start thinking now about your business model and your revenue streams (current and future). What is veiled as non-binding now can morph into new law at the stroke of a [CJEU] pen.
Some suggestions:
- For advertisers: Your days of offering targeted ads in Europe may be limited. Now is the time to tweak your approach and enhance your advertising impact on a less particularized audience.
- For service providers: Consider a fully transparent approach to consent that allows users to review and be ok with data sharing. (I for one am happy that Facebook knows that I am a dog owner and enthusiast and that it serves me relevant ads on training, food and toys.) Or consider a consent model that lays out choices on elements of data sharing that are ok and those that are not. For instance, I am happy to be tagged as a dog owner and enthusiast. But I wouldn’t want Facebook tagging me, for advertising purposes, on health conditions or other sensitive data.
- For market entrants: If you are just starting out, add a subscription service immediately. LinkedIn has been this way for years. Users from the outset understand the difference in services and have not suddenly been deprived of certain networking opportunities.
[1] What constitutes a large online platform? There is not a clean definition, but a multi-factor approach that incorporates elements like number of users, company market position, conduct of large-scale processing… along with many other factors, which you can review here on pages 10-11.