Is Meta's targeted advertising GDPR compliant?

Image of Carlo Cilento

Published on Dec 12, 2023 and edited on Apr 16, 2024 by Carlo Cilento

In November Meta started offering paid subscriptions to EU users of Facebook and Instagram: users can now choose to pay for an ad-free account on the platforms, or stick to the current, “pay-with-your-data” model.

Meta’s decision is not a profit-seeking move, but rather a new compliance strategy. And privacy and consumer advocates challenged this new strategy right off the bat.

Here is what the new subscription system is all about and why it could mark a historic shift in the digital economy for the EU.

  1. Targeted advertising as a business model
  2. Meta and the GDPR: a long story short
  3. Subscriptions under attack
  4. How will noyb’s litigation play out?
  5. How will the outcome impact the digital economy and EU citizens?
  6. What are the alternatives to targeted advertising?
  7. What is really at stake?
  8. Updates
Logo of the Government of the United KingdomThe UK Government chose Simple AnalyticsJoin them

Targeted advertising as a business model

The core issue behind Meta’s recent legal issues with EU regulators is that targeted advertising is difficult to justify under the GDPR. This puts the company’s entire business model at risk in the EU.

Most of Meta’s revenue comes from targeted advertising. Facebook and Instagram analyze all user interactions with the platform and track them around the web with cookies and pixels to create a detailed profile for each user. This profiles help Meta predict what kind of content users will positively engage with, and what advertising they will be interested in.

While this sounds innocuous enough, the enormous amounts of personal data collected about users, and the very detailed nature of these data, make profiling an invasive and dangerous practice.

With its data-driven algorithms, Meta can figure out intimate information about you and share them with its advertising partners. This raises severe privacy concerns and enables predatory and discriminatory marketing strategies such as advertising cutthroat subprime mortgages to users from low-income households, or advertising ineffective and untested dietary supplements to consumers who struggle with their body image.

Meta is hardly the only company doing this. The large-scale extraction and monetization of personal data is the core business model of Big Tech and countless other companies. As such, the outcome of Meta’s legal issues will impact the digital economy as a whole in the EU.

Meta and the GDPR: a long story short

Meta’s legal strategy for justifying user profiling started showing cracks a year ago in a high-profile decision from the European Data Protection Board (that is, the EU body that brings all EU/EEA data protection authorities together).

Back then, Meta’s privacy policy claimed that profiling was necessary because targeted advertising was a part of its terms of service. All legalese aside, the argument means that Meta can spy on you because you have a contractual right to see targeted advertising. The EDPB was not convinced and the case ended with fines for a total €390M from the Irish privacy watchdog.

Meta later tried to justify its profiling practices by invoking legitimate interest- a very broad notion under the GDPR. But EU regulators were still not happy and the new justification was shot down by the EU Court of Justice in the Bundeskartellamt ruling this summer (a very important case we already wrote about). This ruling later led to a ban on targeted advertising for the entire EU.

Shortly after Bundeskartellamt, Meta changed its strategy once again: starting January 2024 the company will rely on the user’s consent for profiling and targeted advertising. So, Meta will provide its platforms on the requirement that the user consents to being profiled for targeted advertising.

But the GDPR sets a high bar for valid and free consent. It is highly doubtful that a monopolist can collect valid consent through a one-sided, take-it-or-leave-it proposition in a consumer contract.

This is where subscriptions come to the rescue: Meta is looking to make a case that consent to profiling is freely given when the proposition becomes “take it, or leave it, or give me €250 a year”.

At the end of the day, nothing is really changing in Meta’s business model. Paid subscriptions are just a paint job for the same, surveillance-based business model. Whether users are willing to pay or not, is of no consequence to Meta: the end goal is not to get 1% of the users to fork over some cash, but to justify profiling the other 99%.

Of course, Meta could simply make profiling an optional aspect of its relationship with Facebook users. But there is a problem: consumers do not like surveillance and most of them would say “no, thanks” if given a fair choice when it comes to profiling. Meta knows this and is trying every trick to make profiling practically mandatory.

Subscriptions under attack

Meta’s new compliance strategy has already been challenged before the Austrian data protection authority by noyb- a privacy NGO already involved in some of the litigation we mentioned above.

Noyb claims that the pay-for-privacy approach does not make user consent any more free than it was under the pay-or-ok model, and that the subscriptions offered by Meta are an alibi to justify the commodification of personal data and put a price tag on the fundamental right to data protection.

At the same time, some members of the European Consumer Organization (an organization of national consumers associations) are challenging Meta’s pay-or-ok policy before ** national consumer protection authorities** across Europe. Their legal challenge appears to be somewhat similar to noyb’s, although the focus is consumer law and on the lack of alternatives in a monopolized social media market.

We are happy to see privacy and consumer advocates fight this important battle at the same time. We talk a lot about the GDPR and surveillance on this blog, but it is not the only instrument that can protect Europeans against commercial surveillance. Consumer law can play a crucial role- and so can competition law, especially after the Bundeskartellamt ruling.

How will noyb’s litigation play out?

Unfortunately, the Bundeskartellamt ruling of the Court of Justice might give Meta some legal ammunition. Reading between the lines, there might be some room for pay-or-consent approaches to profiling under the GDPR.

It is also worth noting that the GDPR itself may leave some room for extorting consent under the last paragraph of Article 7- an embarrassing, infuriatingly vague provision that shows clear signs of lobbying.

Without Article 7(4) there would be no room for Meta’s approach under EU law, period. But the Article creates some ambiguity on the limits of consent under the GDPR. Because of this ambiguity, noyb’s litigation could play out either way.

How will the outcome impact the digital economy and EU citizens?

The precedents set by the EU regulators when dealing with Meta so far impact other actors as well and make the widespread pay-with-your-data business model difficult to justify. Noyb and the BEUC’s legal battles are worth watching closely, as it will clarify whether this business model can survive in Europe with a pay-for-privacy paint job.

If EU regulators shoot down Meta’s pay-for-privacy policy, there will simple be no room left for paying with your data under EU law. If they do not, we expect many more companies to follow Meta’s lead and offer paid, ad-free subscriptions as their compliance strategy.

But more importantly, if regulators approve Meta’s pay-or-consent policy, they will jeopardize the protection of the GDPR by creating a dangerous precedent.

Every Big Tech is a monopolist in some crucial digital market. They can easily pressure users to give up their privacy rights unless they can afford an arbitrarily established price tag.

By now, platforms such as Facebook are too deeply embedded in their digital lives to make this a realistic option for most users. In fact, the dominating platforms go out of their way to make it as difficult as possible for you to leave them- by either artificially increasing the costs of switching, or just buying out the competition (see Instagram). In a deeply monopolized market that funnels so much of today's social interaction, the notion that you are free to leave Facebook is a convenient narrative that serves the interests of these powerful monopolies.

The subscription is not cheap, either. Meta is charging €250 a year for the right not to have your data harvested and exploited. If other monopolists start following suit, the numbers will quickly add up to a privacy tax that many consumers in the EU will not be able to afford. This will be especially true for lower income citizens who are simultaneously the most exposed to the harms of online surveillance.

What are the alternatives to targeted advertising?

If regulators shoot Meta’s targeted advertising down for good, contextual advertising may become an attractive option for many companies. Contextual advertising entirely depends on content: for instance, a website about rock music could display ads for concert tickets or guitar shops.

Contextual advertising is inherently privacy-friendly because the ad provider does not need to know what an individual visitor is interested in- just what content they are viewing on the screen. Needless to say, contextual advertising is also a lot easier to implement in a GDPR-compliant way than targeted advertising.

That being said, contextual advertising is not without detractors. While some praise its privacy-friendly nature, others claim that it is not profitable enough to make most services and websites financially sustainable.

There is some truth in this argument: targeted advertising can certainly lead to higher engagement. But targeted advertising also requires more intermediation, and requires intermediaries to play a much bigger role. This means that a greater portion of the revenue needs to be shared.

To make things worse, Google is a monopolist in several key markets within the ad tech ecosystem. In the real-time bidding process for advertising spaces, Google represents the buyers and the sellers at the same time, while also owning and running the auction house (as explained in this press release from the US Department of Justice). Google's monopoly allows it to set exorbitant prices and siphon a huge portion of the market revenue at the expense of the publishers and advertisers it serves.

Bottom line, targeted advertising is potentially more effective than contextual advertising. But in practice, this advantage in effectiveness does not necessarily mean better revenues for publishers or better return on investment for advertisers, because Google controls the ad tech environment and demands an enormous portion of the market revenue.

What is really at stake?

All technicalities aside, litigation against Meta’s new strategy revolves around a very simple question: are personal data a commodity?

Big Tech certainly agrees. It treats your data as a commodity and has been doing so for longer than a decade. It knows better to say so openly, but actions speak louder than words.

Many voices in the privacy community disagree, including noyb and virtually every other privacy advocacy organization. After all, data protection is acknowledged as a fundamental right not just under the GDPR, but also under the EU Charter of Fundamental Rights- one of the highest sources of EU law.

Rights come at a cost, and privacy is no exception. There will be some negative consequences to EU regulators killing Meta’s business model. In all likelihood some services would simply not be profitable without their current data monetization model. Even if contextual advertising turned out to work well, it would likely not work well for every company.

But the social risks of the pay-or-consent model far outweigh whatever degree of market disruption might result from killing it off for good. Many Europeans will not be able to pay privacy fees to every monopolist out there. This is especially true for marginalized communities, minorities, and low-income citizens. These parts of the population are the easiest marks for the unethical and borderline criminal marketing strategy enabled by commercial surveillance.

At the end of the day, the who need privacy the most are always the least able to afford it. Regulators should not allow Meta to put a price tag on privacy. It’s that simple.

Updates

The EDPB is expected to issue guidance on pay-or-consent shortly. In the meantime, 28 privacy NGOs signed a letter urging the EDPB to take a stance against the practice. You can view the letter on noyb's website_

In the meantime, Meta allegedely offered EU regulators to lower the price for Meta subscriptions. We are not exactly sure how this will fix the issues with pay-or-ok and we don't expect Meta's critics to be impressed by the concession (and noyb certainly isn't).

We are passionate about privacy. It is a human right, and one that is becoming more important with each day as the world becomes more and more interconnected.

This is why we created Simple Analytics. Our privacy-first tool allows our customers to get all the insights they need in an ethical, privacy-friendly way. Simple Analytics delivers accurate insights without cookies, without trackers, and without collecting a single bit of personal data! If this sounds good to you, feel free to give us a try!

GA4 is complex. Try Simple Analytics

GA4 is like sitting in an airplane cockpit without a pilot license

Start 14-day trial