Privacy & Information Security Law Blog

On April 17, 2024, the European Data Protection Board (“EDPB”) adopted its non-binding Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms (the “Opinion”), stating that such models generally are not compliant with the EU General Data Protection Regulation (“GDPR”), though their use should be considered on a case-by-case basis.

The Opinion, which was requested by the Dutch, Norwegian and German (Hamburg) data protection authorities following Meta’s use of the model on its Facebook and Instagram platforms, considers the use of “consent or pay” models where users are asked to consent to processing for the purposes of behavioral advertising on large online platforms. The EDPB states that the concept of “larger online platforms” may cover, but is not limited to, “very large online platforms” as defined under the Digital Services Act and “gatekeepers” as defined under the Digital Markets Act.

The Opinion states: “[i]n most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee,” adding that this should not be the default approach adopted by controllers, who should instead consider offering an “equivalent alternative” that does not require payment of a fee.

In assessing whether these models would permit the collection of valid, “freely given” consent, as per the GDPR definition, controllers are advised by the EDPB to evaluate in each case whether there is an imbalance of power between the data subject and the controller, taking into account the position of the platform in the market, the existence of lock-in or network effects, the extent to which the data subject relies on the service and the main audience of the service.

Read the EDPB’s press release here, and the full Opinion here.