Meta’s controversial pay or be tracked ‘consent’ choice for users the European Union is facing questions from the European Commission. Today the bloc said it’s sent Facebook and Instagram’s owner a formal request for information (RFI) under the Digital Services Act (DSA), asking it to provide more detail on the “Subscription for no Ads options” it gives regional users of its two major social networks.
“In particular, Meta should provide additional information on the measures it has taken to comply with its obligations concerning Facebook and Instagram’s advertising practices, recommender systems and risk assessments related to the introduction of that subscription option,” the Commission wrote in a press release.
Meta was contacted for a response to the Commission’s RFI. But spokesman, Matthew Pollard, told us it has no comment at present.
Meta made the controversial switch to a so-called “consent or pay” business model in the EU last fall, after challenges to two other legal bases it had claimed for processing users’ data for ad targeting forced it to rethink its approach.
Meta’s ad-free subscription is controversial because under EU data protection law consent must be informed, specific and freely given if it’s to be valid. But the choice Meta has framed requires users to either pay it monthly subscriptions (starting at €9.99/month) in order to gain access to ad-free versions of the social networks — or else they must agree to being tracked and profiled for its targeted advertising.
There is currently no way for EU users to access Facebook or Instagram for free without being tracked.
Privacy and consumer rights groups quickly cried foul over Meta’s self-serving tactic and a raft of complaints have since been filed under EU data and consumer protection law — breaches of which can lead to fines of up to 4% of global annual turnover. (See: here, here, here and here.)
Now the EU itself is stepping in with an RFI under the DSA, the bloc’s recently updated ecommerce rulebook.
This separate pan-EU regulation has — since last August — applied a set of algorithmic accountability and transparency rules to larger online platforms (aka VLOPs), including Facebook and Instagram.
The DSA is highly relevant because it stipulates that larger platforms must obtain consent from people to use their data for advertising; and that consent must comply with the bloc’s data protection rules and be as easy to withdraw as it is to provide.
The regulation also entirely bans the use of sensitive data or minors’ data for ads — and it’s not clear how Meta prevents sensitive data from being processed by its ad targeting engines given how — for example — people’s political views may be inferred by its behavioral tracking and proxies used to target ads on sensitive categories. (The company claimed, back in 2021, to have removed advertisers’ abilities to target sensitive categories. But its ongoing tracking and profiling of users creates opportunities for advertisers to target proxies.)
Nor is it clear how successful (or otherwise) Meta is at preventing minors from accessing Facebook and Instagram. Children would obviously not be able to sign up and pay for a monthly subscription to access the ad-free versions of these services — so minors could be forced to accept its tracking, despite the DSA banning the use of minors’ data for ads.
While data protection complaints against Meta typically end up being routed back to the Irish Data Protection Commission (DPC), which leads on oversight of Meta’s compliance with the General Data Protection Regulation (GDPR) — but still hasn’t produced a view on the legality of Meta’s ‘consent or pay’ model — the Commission itself is responsible for enforcing the DSA’s subset of extra rules for VLOPs. Penalties for violations of the DSA can reach up to 6% of global annual turnover.
In the first six months of the EU’s enforcement role, it has sent out a raft of RFIs to platforms — including several earlier asks on Meta (related to disinformation, child protection and election security) — as well as opening two formal investigation proceedings (on X and TikTok). But the Commission appears to have paid less attention to compliance issues related to advertising consent — until now.
Back in November, MEPs Kim Van Sparrentak and Paul Tang tabled written questions to the Commission asking for its views on the legality of Meta’s ‘consent or pay’ offer under EU data protection law and under the DSA — with the pair pointing out “alternatives for tracking, such as contextual advertising are available and feasible”.
In its response, dated almost two months later (January 30), the Commission wrote that “the processing of personal data for personalised advertising must comply with the [GDPR]”; and said it is “currently monitoring and assessing the compliance of VLOPs, including Facebook and Instagram, with their DSA obligations”. But the EU avoided providing a specific answer.
In follow-up questions last month, the MEPs criticized internal market commissioner, Thierry Breton, for what they couched as “inadequate answers” — repeating their ask for a clear verdict on Meta’s ‘pay or consent’ model. These new questions were tabled as “priority questions” — amping up pressure on the Commission for a quick response.
One week later Meta has now received an RFI from the Commission asking about the ad-free subscription. The EU has given Meta until March 22 to provide the requested information.
“After tabling written questions multiple times to the European Commission, asking it to act upon Meta’s very questionable ‘pay or consent’ model, I’m happy the Commission is finally following up,” MEP Paul Tang told TechCrunch today, after we highlighted the Commission’s RFI on Meta’s ad-free subscription. “It’s about time Meta faces the music and provides the answers all of us have been demanding.”
In parallel with this DSA attention on Meta’s consent or pay model, three data protection authorities recently asked the European Data Protection Board, a GDPR steering body, to formulate an opinion on the legality of consent or pay — which remains pending but could arrive as soon as later this month. (The Board’s view may help shape how the GDPR is enforced on Meta’s mechanism. So it will also be one to watch.)
We also reached out to Ireland’s DPC for an update on its review of Meta’s consent or pay model — which has been ongoing for around six months. A spokesperson told us: “The DPC’s assessment in this matter is ongoing, as such we are unable to say more at this stage.”
Further requests
The Commission’s RFI to Meta today contains some further asks — related to several topics that were already included in earlier formal info requests under the DSA.
“These previous RFIs covered issues such as terrorist content, risk management related to civic discourse and election processes, and the protection of minors,” the EU wrote. “The present RFI builds on Meta’s previous replies and asks additional information concerning the methodology underlying Meta’s risk assessment and mitigation measures reports, the protection of minors, elections and manipulated media. The RFI also requests Meta to provide information related to the practice of so-called shadow banning and the launch of Threads.”
Meta has until March 15 to provide the EU with responses to these requests.
It’s not yet clear whether the bloc will open a formal investigation of Meta under the DSA, although all these RFIs suggest there are multiple compliance issues it feels demand closer scrutiny. In its press release today, the Commission wrote that it will assess Meta’s replies to determine its next steps. So we may know more in a few weeks’ time.
As well as potentially opening a formal investigation, as the bloc already has in the case of X’s and TikTok’s DSA compliance, the EU could issue more RFIs if it still feels it needs more information from Meta. It also has powers to impose fines for incorrect, incomplete, or misleading information in response to these requests.