Is the “Consent or Pay” model for online advertising compliant? What are the implications of the “Consent or Pay” model for online advertising compliance? How does the “Consent or Pay” model for online advertising adhere to regulations?

On April 17, the European Data Protection Board (EDPB) – an independent body whose main mission is to ensure the application of the GDPR in all EU member countries – announced a non-binding opinion on the compliance of the “Pay or Consent” model. It follows a request made under Article 64.2 of the General Data Protection Regulation (GDPR) by the data protection authorities of Hamburg, the Netherlands and Norway.

The origin of this case dates back to July 2023, a month during which two decisions forced Meta to change the legal basis for processing the personal data of users of its social networks within the European Union. The Court of Justice of the European Union handed down a judgment in which it concluded that “the personalization of advertising by which the online social network Facebook is financed cannot justify, as a legitimate interest pursued by Meta Platforms Ireland, the data processing in question, in the absence of the consent of the data subject“.

The same month, Datatilsynet, the Dutch data protection authority, banned it from carrying out targeted advertising for a period from August 4, 2023 until November 3, 2023. The practices had not changed between At this time, the authority referred the matter to the European Data Protection Committee so that it could take a binding decision. His call was heard: the Committee ordered the Data Protection Commission (DPC), the Irish CNIL, to ban “the processing of personal data for behavioral advertising purposes on the legal bases of the contract and legitimate interest“.

Faced with this situation, Meta changed its legal basis by choosing consent and thus launched its first paid subscription in order to benefit from the services of Facebook and Instagram without targeted advertising. Important clarification: the American company may still collect personal data for other purposes, which are specified in its privacy policy.

1 – What to remember from the EDPB opinion?

Broadly speaking, the EDPB considers that, in most cases, it will not be possible for very large online platforms to use the “Pay or Consent” model while respecting the conditions of validity of consent. Under the GDPR, consent must meet several criteria: it must be free, specific, informed and unambiguous. It also considered that offering only a paid alternative to services that involve the processing of personal data for behavioral advertising purposes should not be the default route for data controllers.

(…)