By John Gruber
The EDPB — the EU’s legislature of privacy authorities — adopted a draft opinion today determining that large online platforms can’t offer a “pay or okay” model as a strict binary and must also offer a third, free choice that doesn’t utilize personalized advertising.
Given which way the wind’s been blowing in the EU, this is unsurprising, but make no mistake, this is a radical stance. From the EDPB’s draft ruling (PDF):
The offering of (only) a paid alternative to the service which includes processing for behavioural advertising purposes should not be the default way forward for controllers. When developing the alternative to the version of the service with behavioural advertising, large online platforms should consider providing data subjects with an ‘equivalent alternative’ that does not entail the payment of a fee. If controllers choose to charge a fee for access to the ‘equivalent alternative’, controllers should consider also offering a further alternative, free of charge, without behavioural advertising, e.g. with a form of advertising involving the processing of less (or no) personal data. This is a particularly important factor in the assessment of certain criteria for valid consent under the GDPR. In most cases, whether a further alternative without behavioural advertising is offered by the controller, free of charge, will have a substantial impact on the assessment of the validity of consent, in particular with regard to the detriment aspect.
With respect to the requirements of the GDPR for valid consent, first of all, consent needs to be ‘freely given’. In order to avoid detriment that would exclude freely given consent, any fee imposed cannot be such as to effectively inhibit data subjects from making a free choice. Furthermore, detriment may arise where non-consenting data subjects do not pay a fee and thus face exclusion from the service, especially in cases where the service has a prominent role, or is decisive for participation in social life or access to professional networks, even more so in the presence of lock-in or network effects. As a result, detriment is likely to occur when large online platforms use a ‘consent or pay’ model to obtain consent for the processing.
In its opinion on Meta’s use of the Pay or Okay model, the EDPB effectively says that any sufficiently valuable product must offer a free version that doesn’t monetize via behavioral ads. That the quality of being indispensable means consumers must have unfettered access to it.
What makes this all the more outrageous is that many major publishers in the EU use this exact same “pay or OK” model to achieve GDPR compliance — and none offer a free alternative with non-targeted ads. Don’t hold your breath waiting for Der Spiegel to offer free access without ads. Christ, they don’t even let you look at their homepage without paying or consenting to targeted ads. And Spotify quite literally brags about its ad targeting. But Spotify is an EU company, so of course it wasn’t designated as a “gatekeeper” by the protection racketeers running the European Commission.
They’re not saying “pay or OK” is illegal. They’re saying it’s illegal only if you’re a big company from outside the EU with a very popular platform.
Meta’s only options for compliance with this ruling, as I see it:
1. Offer a new free tier with contextual, rather than targeted, ads. To achieve an ARPU equivalent to Meta’s paid and free-with-targeted-ads tiers, this new offering would likely have to inundate users with a veritable avalanche of annoying ads. This, I would wager, would be deemed “malicious compliance” and thus also illegal.
2. Offer a new free tier with contextual, rather than targeted, ads — but only show roughly the same frequency of ads as their lucrative free-with-targeted-ads tier. This is what the EDPB (and EC) are demanding, and seemingly think they can force Meta to do. Meta would almost certainly see ARPU plummet for all users who opt into this tier. Who knows if the revenue would even be sufficient to break even per such user?
3. Invent some novel way to generate as much revenue per non-targeted ad as targeted ones. This is the “nerd harder” fantasy solution, a la demanding that secure end-to-end encryption provide back doors available only to “the good guys”.
4. Cease offering Facebook and Instagram in the EU. (WhatsApp doesn’t monetize through targeted ads, so isn’t germane to this ruling.) This is the option the EDPB and EC believe “unthinkable” for Meta to take, because the EU is, in their minds, an indispensable market.
I don’t see how Meta can risk the second choice. Meta could afford to see ARPU plummet solely within the EU, and at first thought, you might think some revenue per EU user is surely better than no revenue at all from the EU. But if Meta caves and complies with this ruling by offering a free tier with significantly lower ARPU, that opens the door for regulators and legislative bodies around the globe to demand the same. Then, poof goes Meta as an industry colossus.
I suspect the EU regulatory bodies have some surprises coming regarding how this is going to play out.