Meta's pay-or-consent model hides 'massive illegal data processing ops': lawsuit Consumer groups are filing legal complaints in the EU in a coordinated attempt to use data protection law to stop Meta from giving local users a "fake choice" between paying up and consenting to being profiled and tracked via data collection. Essentially, as any of our readers based in the European Union, European Economic …
It's not illegal. "Pay or Okay" was also allowed by the AEPD (Spanish regulator) which followed the French regulator's lead, as did the German regulator. The Spanish regulator gave a date for any organisation which wanted to convert to "Pay or Okay" - that was the 11th of January. Low and behold, most of the Spanish press did that. The big newspapers each charged their own individual subscription fees, the smaller media outlets set up a common platform where paying one subscription got you access to all of them.
National EU regulators capitulated to national press lobbying and Facebook are simply citing precedent saying what's good for national press outlets is equally good for them. Now it's up to the EDPB to say to Facebook "what you're doing is already allowed, carry on" or find against the national regulators that are already allowing this. The EDPB is all the national regulators in the EEA, many of whom don't want to lose face doing a volte-face.
This does not affect UK-GDPR so oddly enough UK-GDPR is now better than GDPR in that respect.
The EU will have to bring it's stray sheep in line.
That said, the development that a handful of them caved to special interests and broke rank from the bulk of the EU regulators shouldn't be a earth shattering surprise, or much of a speed bump. The EU regulators spelled out pretty clearly (and correctly) that an alternative between spyware and payment was a false choice more akin to blackmail than consent, and was wholly inconsistent with the principals of the EU framework.
What was a surprise was it was Germany that joined France and Spain and not a serial PITA like Orban's Hungary. I'll have to dig deeper into that one before I can get my head around it.
They were doing so well after Schrems...
UK too. Or have to toggle off a thousand individual "legitimate interest" options, which are presented in a separate tab to the main cookies options.
Some sites are getting better though, with "Reject All" for cookes and "Object All" for legitimate interset. But the default state is usally everything on, and you have to opt out, which is contrary to the rules.
They need to start enforcing some of this and making a strong example of some offenders.
The number of sites operating in violation of EU law does not mitigate the seriousness of the transgression(s). Actually, it just makes it more grotesque.
But the real killer here is that there is no enforcement.
This is one of these cases where I'd like to see reversal of burden of proof. Every website should publicly proof their complete and correct handling of any data within EU law. The proof and trail leading to it should be accessible by any person in the EU without any limitations. Failure to do so should automatically cause the company to be shuttered and prevented from doing any business, anywhere.
It doesn't, obviously. You can pay in money, or you can pay by viewing ads. The GDPR is no obstacle to this.
It's a significant obstacle to paying with your personal data, especially without informed consent. Meta is not offering any option that doesn't involve this. Hence the problem.
asked to say yes to data processing – to "choose to continue to use Facebook and Instagram with ads" – or to pay up for a "subscription service with no ads on Facebook and Instagram." Meta, of course, made the changes in an attempt to comply with EU law.
But privacy rights folks weren't happy about it from the get-go, with privacy advocacy group noyb (None Of Your Business), for example, sarcastically noting Meta was basically proposing you pay it in order to enjoy your fundamental rights under EU law.
I don't quite understand this. What fundamental right is this? Why aren't Facebook allowed to monetize their users? There are three choices, "pay for Meta", "allow Meta to show advertising", or "don't use Meta". Why do they have to provide a fourth option "Use Meta for free and opt out of tracking"?
I'm going to get downvotes for this for sure... its not like I'm on Meta's side here, but I just can't understand why they aren't allowed to choose the conditions in which users access Meta.
Facebook are welcome to monetise all of their users.
They can still sell and serve advertising, they just aren’t allowed to use non consensual intrusive data gathering to (allegedly) improve the targeting of that advertising.
Obviously they’ve so far managed to persuade advertisers that non-targeted advertising is less valuable and they might have to develop a pricing model which reflects that, but, on the basis of what the current model puts in front of me that would probably be more reflective of its actual value to the advertiser… :-)
The problem isn't targeting; it's tracking. Tracking is the thing that provides the data you use for targeting. If you track, it's a problem, regardless of whether you then target or not.
If this all sounds like stuff that would apply to an enemy combatant, rather than a user of a service you're offering, that is not a coincidence.
Not exactly. If you have a profile they collect data from you based on your interactions with their sites. When you post, react, comment, or chat storing that data is core expected above-board functionality that you agree to, otherwise they cannot provide you a profile. The social media side of their business is a service which records aka literally 'tracks' your activity, and shares it with other people, all depending on your consent options. That's their offering. Under GDPR they of course need to make that tracking data available to you and give you a right to delete it.
Using *that* tracking data to ad target without your consent is disallowed. Ditto collection of extra tracking data that isn't already necessary.
As much of that collection is not actually essential for a user to "use" the services. This drives to the heart of the issue, meta/Facebitch is trying(like your post seems to be) to re-frame the argument and consent away from consent to use the services and consent to be tracked to something like "provide you a profile".
Say I don't want a profile(and I really, really don't) but I also don't want to be locked out of being able to read the thread of posts my cousin is using plan her wedding in a Facebook group. Other than making them public, there is no option offered (paid or otherwise) to allow her to let me see those post without agreeing to intrusive tracking all over the internet, in perpetuity, weather or not I am logged in.
Once social media became the new de-facto public square(which Facebook insisted on trying to make itself, investing an eye watering fortune to promote the idea in the process) the idea of forcing people to either give blanket and generally uninformed consent or be excluded from social life is exactly the abuse of it's dominant position that forced the regulators to act in the first place.
Well, I can phrase it more accurately, but those are all separate things, despite what Meta would have you believe.
Having account functionality, so that you can store user preferences and subscriptions and whatnot is one thing. The user explicitly puts data in their account, by logging in and then toggling settings and subscribing to threads and whatnot. That is how you provide the service, it is expected functionality, and it is not a problem. If done right, you wouldn't even need a cookie consent banner.
Tracking, where you record all user interactions and build a profile, is a different thing. The user is giving you data, but they are doing it without informed consent, often without even awareness. That is not required to provide your service, it is not necessarily expected functionality, and it is a problem. It is arguably required to fund the service, but nobody has a right to a business model that breaks the law. Meta could make this above board by obtaining the relevant consent, but so far they have done everything they can to avoid it.
Tracking on third party websites, and tracking of users that don't even have a logged-in account, which is also something that Meta does, is a slightly different thing too, and it's a bigger problem. I don't think that there is any way this is legal, but enforcing this would hurt Meta immensely, and they know it.
Serving ads is not a problem. You can fund a website this way. You probably won't become the richest person in the world, but it's been done.
Serving targeted ads is only a problem because in order to target ads, you need to track. But it's not really a problem in itself. Because of this, asking money in return for not showing ads and/or not targeting ads doesn't solve anything, if you keep tracking. Meta could get explicit informed consent, track what happens on their websites alone and only to logged users, and then use that tracking data to target ads, and this could be made to work. But they don't want to, and they'll fight tooth and nail to avoid it, because it would be far less profitable.
Selling a service for money is also, obviously, not a problem. Again, you probably won't become the richest person in the world.
Meta is trying to convince everyone that user accounts are the same thing as tracking, that ads cannot exist without tracking, and that websites cannot be funded without ads. None of this is true.
You're missing the point. I'm not denying they track. (I think you might be surprised by the options they now provide to turn it off in Europe but whatever).
The point is: even if they didn't do any wider tracking and I have a Facebook profile, and I like a post on FB by a friend about, say, GDPR rules being enforced in Europe, then they will currently use that information (which they cannot avoid storing) to try to serve me ads. Ads from some GDPR compliance service, or an awareness campaign by the UK's ICO, or maybe even someone selling bound copies of the legislation.
The more recent rulings say that even though they collect that data they shouldn't subsequently use it to target ads without your consent. Which is why:
"The problem isn't targeting"
The EU disagrees with this.
Let me rephrase it more simply:
- Tracking implies collection of data. This is disallowed without consent.
- Targetting implies processing of data. This is separately disallowed without consent, even if the data has been lawfully collected for some other purpose.
Hence they're both a problem.
They are allowed to show adverts. They're not allowed to process personally identifying information to serve those adverts without the users' consent.
The intent of the law is that there should be several options: tailored adverts, generic adverts or fee and no adverts. Facebook don't want to offer the middle ground.
I'm presently looking at a car brand that requires three separate logins to be created to use its vehicles in full, one of which is for Google.
What they're trying to do is to slope-shoulder their GDPR requirements whilst offering Google in the dashboard, but the direct implication is that they're selling cars with features that require you to part with your privacy before you can actually use them or suffer reduced functionality. None of that is in the glossy brochures or made clear at the point of purchase, which amount to forced disclosure which just happens to be illegal under GDPR. Add to that a very liberal use of 'legitimate interest' in their privacy statements (read; enthusiastic abuse of a backdoor that can only have been the result of heavy lobbying because it basically neutralises your protection, with offenders likely to claim "wir haben es nicht gewußt" when caught) and frankly, they should be made to complain about toilet brushes because they hurt.
I know Mozilla did a study of car privacy, but that was very US centric. Maybe there's a need for one on this side of the pond because we're definitely on a road to nowhere here.
Why is "advertising" being elided with "data theft"?
To be more precise, these two things are absolutely NOT RELATED:
(1) Meta pushes advertising to its customers
(2) Meta reads and stores and sells data extracted from customer transactions
Item #1 has nothing to do with GDPR.
Item #2 is illegal.
So....Meta customers might pay to switch off item #1......so what?
It's a simple bait & switch-
...which they said were unfair because it "misleads" consumers into thinking that "by opting for the paid subscription as it is presented, they get a privacy-friendly option involving less tracking and profiling."
If people opt to pay to get an ad-free FaceMelta experience, they should be free to do so. They should also be free to opt out of FaceMelta's cyber stalking and data rape, as is a requirement under GDPR. Don't pay and get raped is extortion, plain and simple.
Problem is they've been allowed to get away with it. So I was just thinking about how to solve this problem, admittedly in the context of energy policy and discovered-
Cape Enniberg, Faroe Islands, 750 m above North Atlantic
Which I propose naming the Cliffs of Stupidity. Build 3 walls leaving the cliff side open, secure those. Then place FaceMelta execs, and other assorted lying scumbags inside. This isn't capital punishment given they're free to make a choice. Put video feeds on PPV, or just have those ad funded and it would quickly pay for itself. The prospect of a meaningful punishment might also discourage other data rapists and assorted scumbags.
You are correct on #1 and #2, but this is an issue with #3:
Meta are providing a free service conditional to consent to tracking.
GDPR requires users be able to revoke consent at any time.
Forcing a user to pay to revoke consent is the breach of GDPR as a) some users may not have the facility or funds available at that time, b) making a payment requires provision of sensitive information that has to be processed and stored (not subject to GDPR - it's a legal requirement) and the user may not want to provide those details.
Now, if Meta provided their service free with adds, but they didn't track the user - that would be fine. It's the forced consent for tracking that's the problem.
@Helcat
....but who says that when the customer pays up, Meta does actually stop data collection?.....and actually stops selling stolen data?
Who....exactly....will validate that the processes at Meta ACTUALLY DO STOP?
I can only see a promise to stop pushing advertising!
Which is a good point. IF they offered use of the service (or at least, some parts of it*) without the ads or data harvesting for a reasonable fee then I could consider that - I keep getting people telling me I "need" to be on Faecesborg to deal with them and the like. But, given their history I could not trust them not to take the money and still harvest my data illegally - basically they've long since destroyed any credibility or trust.
Their wording is clear:
Agree to free plus tracking
OR
Pay up and get not SERVED targeted advertisements
=> In every single proposal I read from them there is nowhere a mention of not being tracked, only not being shown clear evidence you are being tracked.
=> Given they track non Facebook users on near every single non Facebook website, they cannot possibly guarantee they will not track users that pay up. Technically it's near impossible to do so so long they (illegally) track non users as well.
=> Hence the choice they put users for is not only illegal, and free consent can not be given when the choices do not meet the legal requirements, but the wording of the choice is deceptive to start with. That all by itself makes the renewed consent the non paying users give uninformed to start with. Slightly less uninformed consent would require the wording:
Agree to not pay money but be tracked and presented targeted adds
OR
Agree to pay and be tracked but not be presented targeted adds so long you pay
=> The reason they don't use the first wording is clear: it would look a lot less attractive to users / victims, it would be more clear to regulators and politicians that Meta does comply in no single way and it would open up Meta to massive breach of contract lawsuits if paying customers discovered that they were promised no tracking on Meta services and third party websites but still were; hence Meta spends plenty of effort to not make that promise but equally spends a lot of effort to fool users and regulators into believing that they make that promise.
it's an ongoing battle. Legislation, government and the law all take their own sweet time. So I may be wrong - but the feeling I'm getting is that there'll be all these cases at the edges, and no major effect.
Facebook were allowed to build a global face-recognition system right under our very noses, with barely a peep from anybody. They never got consent for it, they just suddenly said, "we can tag your photos" and users lapped it up. Nobody did very much of anything, and even with our new data laws, this doesn't appear to be an area of policy interest. Who knows who else has got access to that - it's probably all been sold into AI models - and every government who wants it.
Then we have the incredibly creepy data-theft that Facebook do whenever they get their claws into someone's phone. Put the app on there, and your contacts have gone off to Facebook HQ to allow them to associate even more data. A friend today got one of those friend recommendations on FB. For a bloke she met on an online dating site a couple of years ago. Presumably he's just pub FB on his phone, it's taken their two numbers and put them back in touch.
When I used Facebook my account was on an old email address. But I started getting friend links to people I knew. I'm guessing through some association of friends' gobbled data with them also having my actual email address - I guess Facebook were able to connect the dots and then find other people who had mine in their address books. Not a problem for me. I only used a different email because I'm awkward - and I barely used it for friends (I was on there for family stuff). But it's a lot more worrying for people with reason to need privacy, and it's the sort of creepiness that these laws should be addressing, and really don't seem to have made a dent in this business model from Google, Facebook et al.
"they just suddenly said, "we can tag your photos" and users lapped it up"
This story is from a few years ago. A woman at work used to post loads of pictures on Facebook, and she'd post photos of get togethers, work meets, her daughter (though carefully only referring to her as "my daughter" as the daughter didn't trust Facebook), and so on.
Along comes Facebook to helpfully tag who's in the photos. At first she's like "this is useful, my friends can find the photos they're in more easily".
Where it backfired is when she realised that it was tagging more than her friends, some photos had tags of people she hadn't set up connections to, and it tagged her daughter by name (which Facebook shouldn't have known).
That freaked her out so much that she requested her account be deleted.
So, I'd imagine at least some people found the tagging to be creepy...
Facebook probably knows about me. I don't want to know about it. Thankfully fewer phones come with an un-uninstallable Facebook app built in these days.
I don't think it's the GDPR that's failed, more like humanity. Most kids are usually taught not to read someone's diary or journal because we inherently value and respect privacy. Sadly, too many people have decided there's a greater value in dollars and cents in violating people's privacy. Given the way execs tend to display sociopathic tendancies, maybe this shouldn't be a suprise.
But GDPR is an attempt to correct this situation, it just doesn't go far enough or have meaningful penalties. If the basic data protection principles of the minimum data necessary were better enforced, we'd have some of our privacy back. But data rape is now worth billions and there's a lot of lobbying to normalise this behaviour. Politicians don't seem to understand the problem. Sunak was whining about mob rule and spending an extra £31m on protecting MPs. Democracy is all about mob rule, ie the biggest mob wins the election, and gets to pick the people who'll represent them. If our elected representatives don't represent us, then it's only natural that the mob might try to remove them. This is already starting to happen, ie the 'invisible' riots in Brussels, or Poland that for some reason most of the MSM isn't reporting. The peasents are revolting, and it's not even Summer yet.
But GDPR is an attempt to correct this situation, it just doesn't go far enough or have meaningful penalties.
But GDPR does have meaningful penalties. The fines can be very large. It's not going to stop outright crooks. And insufficient enforcement means grabbing peoples' data is always a relatively low-risk thing to do. But it's dialled down the problem from a lot of normal companies - who might have been tempted to sell on some data to marketing companies for cheap - but now probably think that's not worth the risk, for such little reward.
But massive data theft is the whole business model of Google and Facebook. If the legislation was working, they would have be reconfiguring their entire companies to work in Europe. But they aren't. They're playing at the edges of targetted advertising, and the underlying mass-data collection continues unabated. Even if they lose on the advertising, and so make a bit less profit - that's still not really the major issue. And it's relatively easy to investigate and enforce on these few huge companies, even if the next tier down of offenders are a much tougher challenge - becuase there's so many of them.
There's a fundamental misunderstanding here. One that Meta is doing their very best to exploit.
Tracking is not advertising.
The GDPR is about tracking, not ads. You can serve ads on a web page without tracking, it's how it was done in the 90s. If you do, GDPR won't stop you in the least.
If Meta wants to offer a paid service with no ads, good for them, but that's irrelevant. If they want to be compliant that way, they need to offer a paid service with no tracking. But they don't want to do that, because tracking is where they make their real money.
After all, it takes a global-scale service like Meta or Google to make tracking really useful... but anyone can serve untracked ads with equal effectiveness. If it got established that you can't track users without informed consent, and you can't leverage refusal of service to gain consent, and this was actually enforced, then the advertising monopoly would dissolve overnight. Even the argument that tracking is useful for users in the form of better search result is hollow in the face of how web search results on major sites are steadily getting worse.
So they're trying to muddle the issue by saying "oh, but we offer an ad-less service, so that's fine!" - no, it's not fine, we're talking about tracking, not ads. Even offering a service where the ads don't target me is irrelevant, as long as you keep tracking me.
Conflating tracking and advertising, believing that they are one and the same, that you can't advertise without tracking and that therefore the only way to fund a website is either through payment or through tracking, is IMHO a big part of how we got into this mess, and furthering this confusion is outright deceptive on Meta's part.
There's also the not-insignificant problem that, at this point, even if Meta offered a paid track-less service, nobody in their right mind would trust them to actually not take your money and then track you anyway.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
