Adtech giant Meta’s attempt to continue tracking and profiling Facebook and Instagram users in Europe despite the bloc’s sweeping data protection laws faces a second challenge from a privacy rights advocacy group. noyb. It supports a new complaint, filed with the Austrian Data Protection Authority, alleging that the company is violating EU law by crafting an option that makes it more difficult for users to withdraw consent to its tracking ads than to consent to them.
Cast your mind back to last year and you’ll remember some of the key privacy decisions against Meta (in January and July) that invalidated the legal grounds it had previously claimed for processing Europeans’ data to target ads – after years of privacy campaign complaints.
What followed, last fall, was a claim from Meta that it would switch to a consent-based basis for tracking. However, the choice it made requires users who don’t want to be tracked and categorized to pay for monthly subscriptions to access ad-free versions of its products. Facebook and Instagram users who want to continue free access to the services must “consent” to being tracked — which Meta claims is valid consent under the bloc’s General Data Protection Regulation (GDPR). But of course Noyeb and the complainants supporting him do not agree with this.
Noyb’s previous complaint against Meta’s copy of consent, which was filed with the Austrian DPA last November, focused on the amount Meta charges users for not being tracked — an initial cost of €9.99 per month on web or €12.99 per month on mobile per account link. — which it says is “disproportionate” to the amount of value the company derives per user. This second complaint addresses how easy (or rather not easy) Meta makes for users to withdraw their consent to tracking under this arrangement.
Withdrawing consent in the scenario created by Meta requires users to sign up for a monthly subscription. While consenting to being tracked is very easy: users just need to click OK. The legal issue here is that the GDPR requires consent for it to be as easy to withdraw as it is to give it. So noyb’s follow-up complaint takes aim at the inherent friction of Meta charging users money to protect their privacy.
“Once users consent to being tracked, there is no easy way to withdraw it later,” a press release said. “This is illegal. Although Article 7 of the GDPR clearly states that “withdrawal must be as easy as giving consent”, the only option to “withdraw” consent (with one click) is to purchase a subscription worth €251.88. In addition In addition, the complainant had to navigate through numerous windows and banners to find the page where he could actually revoke his consent.
Commenting on this, Massimiliano Gelmi, data protection lawyer at… Noib added: “The law is clear, withdrawing consent should be as easy as giving it in the first place. It is painfully clear that paying €251.88 a year to withdraw consent is not as easy as clicking the ‘OK’ button to accept the tracking.
Penalties for confirmed GDPR violations can reach 4% of global annual revenue — but Meta, which made $116.61 billion in 2022 by tracking and profiling billions of users to sell targeted ads, is likely concerned that regulators might in the European Union and end up being forced to offer users a truly free option to opt out of being tracked, which could hamper its regional ad tracking business. Last year, the company suggested that about 10% of global ad revenue comes from users in the European Union.
that Frequently asked questions published last month by the Austrian Data Protection Authority, on the topic of cookies and data protection, discusses the controversial issue of “payment or consent,” as charging for consent is sometimes called. In it writes DPA [in German; English translations here are generated with AI] “Paying for access to a website”Can “represents an alternative to consent” – emphasis thereon – but states that this is subject to full compliance with the GDPR, including that consent is specific (i.e. non-broadcast); That the company does not have a monopoly or “quasi-monopolistic” position in the market; The price of the payment alternative is “appropriate and fair” and is not “formally offered at an entirely unrealistically high price.”“, As he says.
However, the DPA also notes that there is no case law from the EU’s highest court on “payment or consent” to date – and so it cautions the FAQ as representing its “current view”. Many privacy experts expect the issue to finally be settled by referral to the European Court of Justice.
Meanwhile, GDPR complaints against Meta are typically referred by EU data protection agreements to the Irish Data Protection Commission (DPC), the company’s main data supervisor under the regulation’s one-stop-shop (OSS) mechanism. This means that Noib’s complaints against Meta’s “pay or agree” tactic are likely to end up on a desk in Dublin sooner or later. In fact, the Irish regulator has claimed to be reviewing Meta’s approach since the company floated the idea last summer.
If the DPC switches its review of Meta’s approach to approval on the basis of a formal investigation, it could take years, combined, of investigation before a final regulatory decision is made on the tactic – as was the case with another noyb complaint against the legal basis of Meta’s advertising; It was introduced in May 2018 but not decided upon until January 2023 (a decision which is now subject to legal appeal by Meta in Ireland).
In this case, the decision that finally came out of Ireland was in fact the DPC acting on instructions from the European Data Protection Board (EDPB), which had to step in to settle disputes between EU regulators. So it seems unlikely that swift action will be taken to crack down on privacy on the Meta’s consent game, unless other DPAs decide to take matters into their own hands.
On paper, they can do it. Although there is an OSS mechanism in the GDPR, which could lead to the appointment of a lead authority to deal with complaints about cross-border processing, the Regulation includes emergency powers that allow other data protection officers to take action to mitigate data risks in their own markets to protect users. locals. They can also follow up on any temporary measures they impose domestically by asking the EDPB to make their temporary measures permanent and at EU level – as well It happened last year When the Norwegian DPA submitted a petition to the EDPB regarding Meta’s legal basis for advertising. However, by then, Meta had switched its purported basis to consent, meaning it could only avoid regulatory intervention. (Which explains that delaying implementation is rejecting implementation.)
“the [Austrian] The authority should order Meta to make its processing operations compliant with European data protection law and provide users with an easy way to withdraw their consent – without having to pay a fee,” Noebe wrote, urging a fine “to prevent further breaches of the GDPR.” .
Noib is also petitioning the Austrian Data Protection Authority to instigate urgent action – citing recent case law of the European Court of Justice that it says indicates that a data protection authority’s discretion in deciding whether or not to instigate urgent action is limited by “their duty to provide effective protection “Data protection rights” “Thus, in specific situations (such as ours), the data subject has the right to take urgent action,” suggested a noyb spokesperson.
But so far, they said, Austrian authorities have resisted the call for emergency measures. “The Austrian Data Protection Authority has just told us that it has received the complaint, that there is no right to urgent action and that another data protection authority may be the lead supervisory authority. But the complaint has not yet been formally referred to the Data Protection Commission at As far as I know.”
While all these winding regulatory twists and turns have taken place, the upshot for Facebook and Instagram users in Europe is that their privacy remains at Mark Zuckerberg’s mercy – unless or until they abandon use of his dominant social networks entirely – because, in parallel with all of this and after years of… Privacy Scrutiny and Sanctions The ad tech giant has managed to continue profiting from Europeans’ personal data all along; Its treatment of ad targeting although its legal foundations have been challenged or even, for several months, invalidated (as happened in the months between the exclusion of its claim of (first) contractual necessity (then legitimate interests) and Meta’s switch to alternatives (earlier last year legitimate interests; Now agree)).
However, we are seeing more moves to sue Meta over privacy — such as the $600 million competition damages claim brought last year by publishers in Spain who said its lack of a legal basis for micro-targeting users leads to unfair competition that should be compensated. about her. – So the ad tech giant could face a reckoning in the form of higher costs stemming from legacy data protection breaches, as well as the potential for future penalties flowing from new privacy complaints if they lead to breach results.
It should be noted that the GDPR has only a limited number of legal bases (six) for processing personal data. Many of them are simply unrelated to ad tech giants like Meta, while others have been ruled out by regulators and the European Court of Justice. So, it narrowed its options for tracking users and profiling them for ads — to one possibility: consent. How Meta frames this choice is where the privacy measure is now.