Advertisement

EU signals doubts over legality of Meta's privacy fee

The European Union has given its strongest signal yet that a controversial tactic rolled out by Meta last November to extract consent to tracking from regional users of Facebook and Instagram -- by forcing them to choose between paying a monthly subscription or agree to tracking -- won't wash under the bloc's updated digital governance and competition rules.

On Tuesday, digital EVP and competition chief Margrethe Vestager cast doubt on Meta's privacy fee, telling Reuters: "I think there are many different ways to monetize the services that you provide. Because one thing are the very targeted advertising that builds on data being consumed. Another way of showing your advertising is to make that contextual. So I think it's important to continue the conversation with Meta and we will assess also finally, what is the next push in order for them to be compliant with the DMA [Digital Markets Act]."

In wider remarks to the news agency -- discussing a new fee Apple announced in response to the DMA -- she also said: "There are things that we take a keen interest in, for instance, if the new Apple fee structure will de facto not make it in any way attractive to use the benefits of the DMA. That kind of thing is what we will be investigating."

The comments suggest the Commission is paying careful attention to any attempts by gatekeepers to use economic coercion as a tactic to circumvent the intended impact of the bloc's digital rules. Or, in other words, that tech giants are going to need to abide by both the letter and the spirit of the law.

The EU's goal for the DMA is to loosen Big Tech's grip on tipped digital markets and stamp out unfair tactics that flow from their ability to throw their weight around when it comes to imposing their own rules on other businesses and consumers.

Meta was designated a gatekeeper under the DMA last September, with the EU listing several so-called core platform services -- including its ads business and aforementioned social networks -- falling in scope of ex ante competition rules that include limitations on the use of people's data for ads. The Commission itself is responsible for enforcing this rulebook on gatekeepers.

Meta is also subject to the bloc's Digital Services Act (DSA), an updated approach to online governance that includes a subset of extra rules for very large online platforms (VLOPs). Meta's social networks, Facebook and Instagram, are both designated. And the Commission oversees Meta's compliance with the DSA's rules for VLOPs, too.

Both the DSA and the DMA demand in-scope platforms obtain consent for ads processing. Whereas Meta stands accused -- by privacy rights campaigners, consumer protection organizations and some EU lawmakers -- of using unfair tactics and economic coercion to force Europeans to hand over their data.

While the Commission didn't appear to take much note when Meta switched on its controversial paywall last fall, it has clocked the growing outrage by civil society groups and others. And, earlier this month, the EU sent a formal request for information (RFI) to Meta about this aspect of its DSA compliance.

Responding to questions TechCrunch sent Wednesday regarding the EU's DSA enforcement in this area, a Commission spokesperson described Meta's "subscription for no ads" (SNA) offer, as the company refers to the "consent or pay" tactic, as "a fundamental shift from Meta’s previous non-subscription-based service model."

"Due to a current lack of information in the context of the introduction of the SNA options, the Commission is currently unable to ascertain whether Meta is upholding its obligations under the DSA, in particular concerning transparency about how content is delivered to users and potential effects on systemic risks," the spokesperson told us.

They stipulated Meta must provide "additional information on the measures it has taken to comply with its obligations concerning Facebook and Instagram's advertising practices, recommender systems and risk assessments related to the introduction of that subscription option," adding: "The Commission services will assess the information provided by Meta."

The EU did not provide any clue as to how long these assessments -- nor any enforcement -- might take it. But an RFI is a preliminary, info-gathering step.

(NB: Meta launched the ad-free subscription across the EU at the end of October, while the deadline for Facebook and Instagram's compliance with the DSA expired in late August. So it's been operating the mechanism with the DSA in full force for almost five months.)

The EU's spokesperson went on to highlight the fact that under the DSA, targeted advertising is expressly prohibited to minors -- emphasizing: "Hence minor users cannot be given the choice to opt in."

Meta has previously claimed it does not offer the "consent or pay" paywall to minors, writing in a blog post back in December: "The subscription for no ads will be available for people aged 18 and up, and we’re continuing to explore how to provide teens with a useful and responsible ad experience given this evolving regulatory landscape."

However, accessing Facebook and Instagram does not entail robust age verification, so it's not clear how Meta can be sure minors are not being served the mechanism and clicking on the consent option to gain access to its services -- and having their data unlawfully processed by its adtech. If that's happening, it would be a clear breach of the DSA. (Reminder: Confirmed breaches of the regime can lead to penalties of up to 6% of global annual turnover.)

For its part, Meta continues to maintain that its consent paywall is compliant with all relevant EU laws.

The Commission, meanwhile, has previously said child protection is one of a handful of priority areas for its enforcement of the DSA.

In wider remarks about compliance requirements on Meta's business, the EU spokesperson told us: "According to consumer law, consumers should be in a position to make economic choices in a fair and unbiased manner so that they do not take a decision that would be contrary to their interest."

"Consumers are used to Facebook or Instagram being free of monetary payment (“zero price”)," they added. "If they are being offered to pay in order to not be exposed to advertising (and the agreement to share their data which comes with it), the new system needs to be well described without influencing towards one or the other option.

"Consumers should be given time to reflect before making that decision, and not being put under pressure to accept it quickly."

As noted above, consumer protection groups have filed a number of complaints about Meta's privacy fee -- arguing Meta is breaching EU consumer protection and privacy rules.

When the adtech giant launched consent or pay last year, it immediately switched from providing free access with tracking -- but with the ability for EU users to opt out of use of their data for ads by exercising their right to object to its claimed "legitimate interest" use of their data at that point -- to offering a binary choice of being tracked or paying a monthly subscription that starts at €9.99 per month per account on web (or €12.99/month on mobile).

There's currently no way for users in the EU to use Facebook or Instagram and not be tracked.

Privacy rights campaigners challenging Meta's tactic, under the bloc's General Data Protection Regulation (GDPR), argue its pricing is way out of proportion to the value it derives per user. They suggest Meta's strategy is a blatant attempt to circumvent EU laws by making privacy an unaffordable luxury. Or, basically, manipulation through economic coercion.

In a sign Meta may be feeling some heat about its compliance claims in this area, it emerged earlier this week that it had offered to lower the cost of its ad-free subscription in discussions with privacy regulators. However, privacy rights groups point to the mechanism itself as the problem, arguing it prevents users from exercising a free choice, as the GDPR requires.

It may well fall to the Commission to arbitrate this one. Although data protection authorities also have an iron in the fire, as enforcers of the GDPR. And the Irish Data Protection Commission has been reviewing Meta's approach since last year. However the EU could help accelerate a resolution by using the DSA to step up pressure on Meta ahead of the (typically) plodding pace of privacy enforcement.

Vestager's remarks also suggest the Commission already takes the view that Meta's privacy fee is noncompliant with the DMA. The DMA, which is a competition/market power regulation, contains even higher penalties -- of up to 10% of global annual turnover or more -- for confirmed breaches (versus 6% for DSA and 4% for GDPR).

The Commission's spokesperson sidestepped direct questions we asked about Meta's DMA compliance and its approach to enforcement here but noted that the deadline for Meta and the other gatekeepers to meet all the requirements expired on March 7. "The Commission will now assess the compliance of designated gatekeepers and not hesitate to take formal enforcement action, using the entire toolbox at its disposal to fully enforce the DMA," they added.

The DMA introduces mandatory consent mechanisms for gatekeepers wanting to combine and cross-use personal data -- across their own and third-party services -- which EU sources have told us implies giving end users a real choice. The phrasing points back to the definition of consent under the GDPR: Specific, informed, unambiguous and freely given -- and without an obvious power imbalance between data subject and controller.