Meta, the adtech giant, faces a second challenge from noyb, an advocacy group that focuses on privacy rights, to its bid to continue tracking and profiling users of Facebook and Instagram in Europe despite comprehensive data protection laws adopted by the bloc. The group is backing a new complaint, to be filed with the Austrian data protection authority, alleging that the company is violating EU law by framing a choice so it's much tougher for users to opt out of its tracking ads than to consent to them.
Wind your mind back to last year and you’ll recall a couple of major privacy decisions against Meta (in January; and July) invalidated the legal bases it had previously claimed for processing Europeans’ data for ad targeting — after literally years of privacy campaigner complaints.
What then followed, last fall, was a claim from Meta that it would be switching to a consent basis for tracking. But the choice it presented forces users who do not wish to be monitored and profiled to pay it for monthly subscriptions to access ad-free versions of its services. Facebook and Instagram users who want to continue receiving free access to the services have to "consent" to its tracking, which Meta claims is valid consent under the bloc's General Data Protection Regulation (GDPR). Of course noyb, and the complainants it backs, do not agree.
Where noyb’s earlier complaint against Meta’s version of consent, filed with the Austrian DPA last November, focused on how much Meta is charging users not to be tracked — an initial cost of €9.99/month on web or €12.99/month on mobile per linked account — which it argues is “way out of proportion” to how much value the company derives per user, this second complaint addresses how easy (or rather not easy) Meta makes it for users to withdraw their consent to tracking under the arrangement.
In the scenario Meta devised, withdrawing consent requires users to sign up for a monthly subscription. Agreeing to its tracking is easy, though: Users simply need to click 'okay'. The legal issue here is that, according to the GDPR, consent must be as easy to withdraw as it was to grant. So noyb's follow-up complaint targets the inherent friction in Meta charging users money to protect their privacy.
"Once users have consented to being tracked, there's no easy way to withdraw it at a later date," it writes in a press release. "This is illegal. While Article 7 of the GDPR unmistakably states that 'it shall be as easy to withdraw as to give consent', the only option to 'withdraw' the (one-click) consent, is to buy a €251.88 subscription. Moreover, the complainant had to pass through several windows and banners to reach the page where he could actually revoke consent."
"The law is clear, to withdraw consent must be as easy as to give it in the first place. It is painfully obvious that paying €251,88 per year to withdraw consent is not as easy as clicking an 'Okay' button to accept the tracking", adds Massimiliano Gelmi, a data protection lawyer from noyb.
Penalties for proven violations of the GDPR can go as high as 4% of worldwide annual turnover. But Meta, which brought in $116.61 billion in 2022 by tracking and profiling its billions of users to sell targeted ads, is more likely to be worried that EU regulators might actually make it offer users a genuinely free choice to deny its tracking, which could knee-cap its regional tracking-ads business. Last year the firm estimated that some 10% of its worldwide ad revenue emanates from users based in the EU.
An FAQ issued last month by the Austrian DPA, on the subject of cookies and data protection, examines the thorny question of "pay or okay", as paying for consent is colloquially known. In it the DPA observes [in German; English translations here are generated with AI] that paying for access to a website "can represent an alternative to consent" — emphasis its — but says that this is provided the GDPR is fully complied with, including consent being specific (i.e. non-bundled); that the company does not have a monopoly or "quasi-monopoly" position on the market; and the price for the payment alternative is "appropriate and fair" and not offered "pro forma at a completely unrealistically high price", as it puts it.
However the DPA also notes there is no case law from the European Union's top court on "pay or okay" yet — hence it caveats the FAQ as representing its "current view". And many privacy experts expect that the issue will, finally, have to be settled via a referral to the CJEU.
In the meantime, GDPR complaints lodged with EU DPAs against Meta are usually passed back to the Irish Data Protection Commission (DPC), which is the company's lead data supervisor under the regulation's one-stop-shop (OSS) mechanism. That means noyb complaints against Meta's 'pay or okay' tactic will probably land at some desk in Dublin sooner or later. Indeed, the Irish regulator has said it has been reviewing Meta's approach since the company first floated it last summer.
If the DPC switches its review of Meta's approach on consent to a formal inquiry footing it could still take years, plural, of investigation before a final regulatory decision on the tactic — as was the case with another noyb complaint against Meta's legal basis for ads; filed all the way back in May 2018 but not decided until January 2023 (a decision that's now under legal appeal by Meta in Ireland).
In that case, the decision which finally emerged out of Ireland was actually the DPC acting on instruction from the European Data Protection Board (EDPB), which had to step in to settle disagreements between EU regulators. So a speedy privacy clampdown on Meta's gaming of consent seems unlikely — unless other DPAs decide to take matters into their own hands.
On paper, they can do this. Although the OSS mechanism in the GDPR may result in a lead authority being appointed to deal with cross-border complaints, the regulation retains emergency powers that permit other DPAs to act to reduce data risks in their home markets in protection of local users. They can follow up any interim measures they enforce regionally by requesting the EDPB to make their stopgap action permanent and EU-wide, as happened last year when Norway's DPA requested the EDPB to intervene on Meta's legal basis for ads. Of course, by that time, Meta had already changed its claimed basis to consent, allowing it to sidestep the regulatory intervention. (Which only goes to prove that enforcement delayed is enforcement denied.)
"The [Austrian] authority should direct Meta to bring its processing operations into compliance with European data protection law and allow users an easy way to withdraw their consent — without a fee," writes noyb, calling for a fine "to deter further breaches of the GDPR".
noyb is also petitioning the Austrian DPA to instigate an urgency procedure, citing recent CJEU case law it argues shows that the discretion of DPAs to decide whether or not to open an urgency procedure is bounded by "their duty to ensure effective protection of data protection rights". "Therefore, in particular circumstances (like those in our case) the data subject has a right to an urgency procedure", a noyb spokesperson suggested.
Still, so far, they reported, the Austrian authority has resisted the call to take emergency measures. "The Austrian DPA has just told us that they received the complaint, that there is no right to an urgency procedure and that another DPA might be the leading supervisory authority. But the complaint wasn't yet officially referred to the DPC as far as I know," said noyb's spokesperson.
While all these tortuous regulatory twists and turns have played out, the upshot for Facebook and Instagram users in Europe is that their privacy remains at Mark Zuckerberg's mercy, unless or until they abandon his dominant social networks entirely. In parallel with all these years of privacy scrutiny and sanction, the adtech giant has been able to keep cashing in on Europeans' personal data the whole time, processing it for ad targeting despite its legal bases being under challenge or even, for several months-long stretches, invalidated (as happened in the months between its claims of, first, contractual necessity and, then, legitimate interests being ruled out and Meta switching to alternatives: earlier last year legitimate interests; now consent).
That being said, we are witnessing more efforts to litigate against Meta on privacy — including the $600 million damages claim it faces from publishers in Spain, filed last year, who allege that its lack of statutory authority to microtarget users equals unfair competition for which they are entitled to recompense — so the advertising conglomerate may be set for a reckoning, with costs over legacy violations of data protection continuing to arrive down the line, alongside the very live prospect of further sanctions flowing from new privacy complaints should they result in breach findings.
It's worth noting the GDPR only has a limited number of legal bases (six) for processing personal data. Several are simply irrelevant for an adtech giant like Meta, while others have been ruled out by regulators and the CJEU. So its options for tracking and profiling users for ads have narrowed — to a single possibility: Consent. How Meta frames this choice is where the privacy action is now.
Meta responds
Meta spokesperson, Matthew Pollard, refused to send a statement on the latest complaint filed by noyb — but he referred back to an earlier blog post the tech giant published in October when it announced what it described as the "subscription for no ads" for Facebook and Instagram users in Europe, flagging an earlier claim in the post that Meta's offer "addresses the latest regulatory developments, guidance and judgments shared by leading European regulators and the courts over recent years".
Another section of the older blog post which Pollard was eager to flag is where it claims the choice it's come up with for users, i.e. continued free access while being tracked or paying Meta for ad-free access, "conforms to direction given by the highest court in Europe", as it puts it.
The underlined passage continues: "[I]n July, the Court of Justice of the European Union (CJEU) actually approved the subscriptions model as the means through which users consent to data processing for targeted advertising. And before that CJEU ruling, many European data protection authorities had recognized that a subscription service qualified as part of a consent model, including such bodies in France, Denmark, and Germany."
However the guidance from France’s CNIL, which Meta’s blog post directly references, emphasizes the need for “case-by-case” analysis of so-called “cookie paywalls”, with the data protection regulator warning that “the making the provision of a service or access to a website conditional on acceptance of the deposit of certain trackers is likely to harm, in certain cases, to freedom of consent” [the CNIL’s text is in French; here we’ve translated it into English using AI].
The French regulator further advises that if users wish to refuse all tracking, publishers should offer what it calls "a real and fair alternative allowing access to the site and which does not imply having to consent to the use of their data" [emphasis its].
However, in the case of an exclusive service, such as "dominant or essential service providers", the CNIL's advice continues: "the Internet user's choice in such a case would, by definition, be constrained since the service in question is only available on the site provided".
"In this case, the editor of the site on which consent to trackers is required to access it must be especially attentive to the presence of a potential imbalance between him and the Internet user, which would most probably deprive the latter of a real choice," it continues. "He must therefore facilitate access to this alternative for the user."
Facebook and Instagram would obviously both qualify as dominant service providers (arguably even essential services, given the hold they continue to exert on the social networking space thanks to network effects). So the CNIL's approach to paywalls would, presumably, require Meta to prove it's ensuring ease of access to the non-tracking version of its product.
But, noyb's complaint argues, requiring users to hand over a credit card and pay an ongoing fee is hard to describe as "ease of access". Plus, as noted above already, guidance from the Austrian DPA seems to indicate paywalls would not be acceptable in situations where a company possesses "a monopoly or quasi-monopoly position on the market" like Meta's social networks do.
The CNIL’s blog post also discusses the need for any charge levied by publishers for access to their content to be “reasonable” — and encourages them to publish an analysis of their justification for the fee charged to ensure “greater transparency” for Internet users. We’ve asked Meta to send us its breakdown of how it arrived at the fees it’s charging users to avoid its tracking ads. Update: "Our pricing is squarely in line with competing subscriptions offered by other tech companies — for example, YouTube Premium. Additionally, it's worth noting that our pricing already contains the fees Apple and Google charge through respective purchasing policies," Pollard responded to this.
Meta has previously sought to justify the pricing for its “no ads” sub by suggesting it’s charging a similar monthly fee to streaming services such as Netflix, Spotify and YouTube. But, as we’ve pointed out before, the comparison is a very poor one, given Meta obtains the user generated content that populates its services for free, whereas streaming services pay large amounts of money to license professionally produced music, TV series, films etc.
Another previous claim by Meta, that its subscription competes with Reddit's ad-free premium offer at a similar price, also looked shaky, as the latter appears to be significantly cheaper than Facebook and Instagram's subscriptions. Moreover, Meta is also double dipping in the process because it demands individual subscriptions for every account that a user has on its services. So, with multiple accounts on its social networks, users will incur higher costs from multiple subscriptions.
Returning to the CNIL's guidance, it also cautions publishers against trying to unfairly package consent — with its advice saying "targeted advertising and personalization of editorial content are two different purposes that must be distinguished when determining the purposes governing access to the service".
In Meta's scenario users are only being given a choice between agreeing to its tracking or paying to get "ad free" access to content. For users who pay to avoid the tracking ads, it is not clear they will avoid their personal data being processed to drive other types of content personalization on Facebook and Instagram, which also engage in tracking of users to determine how to arrange content feeds. So the CNIL might well find other faults here, were it the regulator in charge of investigating this complaint.
Turning to the Danish guidance also referred to in Meta's blog post, the regulator emphasizes here, too, that in a cookie paywall scenario "consent must be voluntary", writing [in Danish; this is a machine translation]: "The question is therefore whether an approach where visitors — as an alternative to consent — can, for example, pay for access to content or a service, meets this voluntary requirement, and which requirements this approach must meet in that case."
It continues by noting that there is a "general lack of clarity" about the legality of 'pay or okay'. But it sets out four criteria it says it will employ to decide the issue, which include the establishment of a "reasonable price" for the payment alternative, with the regulator cautioning that "the pricing of this alternative must not be so high that the visitors' freedom of choice is rendered illusory in practice".
The German advice Meta's blog post refers to, a decision from March last year by the Conference of Independent Data Protection Supervisory Authorities of the Federal and State Governments, again underlines that consent alone should meet all requirements of the GDPR, such as being "freely given". The regulators also make it known that 'pay or ok' is possible — "in principle".
But their ruling also cautions against a blanket 'accept all' consent for different processing purposes.
"If there are several processing purposes that differ significantly from one another, the requirements for voluntariness must be met in such a way that consent can be granted on a granular basis," the German authorities write [in German; this is a machine translation]. "Above all, this means that users must have the possibility to choose the single purposes for which consent is to be given; these can be actively chosen by users themselves (opt-in). Only if purposes are very closely related can a bundling of purposes be considered. A blanket overall consent for different purposes in this respect cannot be effectively granted."