EU finding that Meta’s subscription option violates DMA could impact many sites.
Meta continues to hit walls with its heavily scrutinized plan to comply with the European Union’s strict online competition law, the Digital Markets Act (DMA), by offering Facebook and Instagram subscriptions as an alternative for privacy-inclined users who want to opt out of ad targeting.
Today, the European Commission (EC) announced preliminary findings that Meta’s so-called “pay or consent” or “pay or OK” model—which gives users a choice to either pay for access to its platforms or give consent to collect user data to target ads—is not compliant with the DMA.
According to the EC, Meta’s advertising model violates the DMA in two ways. First, it “does not allow users to opt for a service that uses less of their personal data but is otherwise equivalent to the ‘personalized ads-based service.” And second, it “does not allow users to exercise their right to freely consent to the combination of their personal data,” the press release said.
Now, Meta will have a chance to review the EC’s evidence and defend its policy, with today’s findings kicking off a process that will take months. The EC’s investigation is expected to conclude next March. Thierry Breton, the commissioner for the internal market, said in the press release that the preliminary findings represent “another important step” to ensure Meta’s full compliance with the DMA.
ARS VIDEO
How The Callisto Protocol’s Gameplay Was Perfected Months Before Release
“The DMA is there to give back to the users the power to decide how their data is used and ensure innovative companies can compete on equal footing with tech giants on data access,” Breton said.
A Meta spokesperson told Ars that Meta plans to fight the findings—which could trigger fines up to 10 percent of the company’s worldwide turnover, as well as fines up to 20 percent for repeat infringement if Meta loses.
Meta continues to claim that its “subscription for no ads” model was “endorsed” by the highest court in Europe, the Court of Justice of the European Union (CJEU), last year.
“Subscription for no ads follows the direction of the highest court in Europe and complies with the DMA,” Meta’s spokesperson said. “We look forward to further constructive dialogue with the European Commission to bring this investigation to a close.”
However, some critics have noted that the supposed endorsement was not an official part of the ruling and that particular case was not regarding DMA compliance.
The EC agreed that more talks were needed, writing in the press release, “the Commission continues its constructive engagement with Meta to identify a satisfactory path towards effective compliance.”
Critics: Meta only gives illusion of choice
Meta may struggle to defend its “pay or OK” model, which was rolled out last November.
Specifically, the CJEU ruling came in a Meta case over compliance with the EU’s General Data Protection Regulation (GDPR), not the DMA.
In that case, the court said that under the GDPR, “users must be free to refuse individually”—”in the context of” signing up for services— “to give their consent to particular data processing operations not necessary” for Meta to provide such services “without being obliged to refrain entirely from using the service.” This “means that those users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations,” the CJEU said.
But privacy experts and data regulators immediately pushed back against Meta’s plan to apply this logic to DMA compliance by charging subscriptions that a consumer protection agency said only seemed to provide the illusion of choice.
Privacy advocacy group NOYB joined regulators in filing a complaint to block Meta’s plans to charge subscription fees to comply with the GDPR. NOYB argued that for a family of four, “data protection could soon cost €35,000” which was “more than the average full-time income in the EU.” Further, industry numbers suggested that only 3 to 10 percent of people “want to be tracked,” but “more than 99 percent decide against a payment when faced with a ‘privacy fee,'” NOYB argued.
Due to questions about whether users were freely giving consent or simply priced out of choosing a less invasive option, Meta tried offering to slash its subscription fees in half. Meta is still awaiting feedback on whether its price cut resolved regulators’ complaints, and it remains unclear how popular subscriptions were in the EU—a fact that could arguably help or hurt Meta’s case.
In an op-ed last week, Meta’s president of global affairs, Nick Clegg, wrote that the EU was losing “fertile ground for innovation” by coming down too hard on tech companies. Just weeks ago, Meta halted plans to train AI in the EU after data regulators warned the tech giant that it did not seem to have a legitimate interest to do so under the GDPR without getting consent from users.
NOYB chair Max Schrems told Ars that if the EC finds that Meta’s “pay or OK” model violates the DMA, it could have sweeping consequences not just for gatekeepers like Meta under the DMA but for all websites required to comply with the GDPR in the EU.
“The DMA actually refers to the GDPR when it comes to valid consent,” Schrems told Ars. “So if this is not valid for Meta (under the DMA), this will likely mean that ‘pay or OK’ is also not legal for any other website under the GDPR.”
According to Schrems, “there are (in some EU Member States, like Germany, France or Italy) now a lot of websites that try to do ‘pay or OK’ on their cookie banners.” That practice could end in the event of a Meta loss, since “the logic of the Meta case would also apply to any other ‘pay or OK’ website because the DMA refers to the GDPR here—which applies to any website.”
Schrems celebrated the EC’s preliminary findings, telling Ars that NOYB “argued for a long time that ‘pay or OK’ is not freely given consent under the GDPR or the DMA.”
“This decision shows that the Commission is now filling a gap that the data protection authorities leave wide open,” Schrems said, suggesting that the European Data Protection Board lagged when enforcing the GDPR, failing to reach a finding in that Meta case before the data protection authorities stepped in to enforce the DMA.