Meta has been given time till September 1, 2024, to respond to concerns raised by the European Commission over its "pay or consent" advertising model or risk-facing enforcement measures, including sanctions.
The European Commission said the Consumer Protection Cooperation (CPC) Network has notified the social media giant that the model adopted for Facebook and Instagram might potentially violate consumer protection laws.
It described the new practice as misleading and confusing, with authorities expressing worries that consumers might have been pressured into choosing quickly between either paying for a monthly subscription or consenting to their personal data being used for targeted advertising.
This, the agency said, could have been motivated by fears that they "would instantly lose access to their accounts and their network of contacts."
Meta, which introduced a subscription plan for European Union (E.U.) users in late 2023, has run into hot water over offering what's essentially not a choice at all and for extracting a "privacy fee" to exercise their data protection rights.
As per the E.U. Digital Markets Act (DMA), companies in gatekeeper roles are required to seek users' express consent before utilizing their data for offering services that go beyond their core functionality (e.g., advertising) or provide access to a less personalized but equivalent version of the platforms for those who refuse to opt in.
"Gatekeepers cannot make use of the service or certain functionalities conditional on users' consent," the Commission noted earlier this month, stating that Meta's model is in violation of the DMA.
The Commission further called out Meta for using vague terms and branding the service as "free" when, in reality, it forces consumers to agree to their data used for personalized ads, not to mention making the experience confusing by making them "navigate through different screens" to determine how their data is used and processed for advertising purposes.
Meta, however, considers the paid version a legitimate business model, and has pointed to a ruling from the Court of Justice of the European Union (CJEU) last July that a company may offer an equivalent alternative version of its service "for an appropriate fee" that does not rely on data collection for ads.
That said, it bears noting here that the judgment pertains to in the context of users signing up for Meta's services, and not to existing users (which is where the aforementioned issues associated with changes to the consent model come from). It remains to be seen if it can be interpreted as a legal precedent.
"Consumers must not be lured into believing that they would either pay and not be shown any ads anymore, or receive a service for free, when, instead, they would agree that the company used their personal data to make revenue with ads," Didier Reynders, E.U. Commissioner for Justice, said.
"Traders must inform consumers upfront and in a fully transparent manner on how they use their personal data. This is a fundamental right that we will protect."
The development comes days after Nigeria's Federal Competition and Consumer Protection Commission (FCCPC) fined Meta $220 million after an investigation showed that the company's data sharing on Facebook and WhatsApp violated local consumer, data protection, and privacy laws by collecting users' information without their consent.
"Meta Parties shall immediately and forthwith stop the process of sharing WhatsApp user's information with other Facebook companies and third parties, until such a time when users have actively and voluntarily consented to each and every component of the liberties Meta parties intend to exercise with respect to the information of the data subjects," a final order issued last week read.
Earlier this May, the Turkish competition board imposed a $37.20 million penalty against the American tech giant over its data-sharing practices across Facebook, Instagram, Threads, and WhatsApp.
It also follows a report that Oracle has agreed to pay $115 million to settle a class-action lawsuit in the U.S. accusing the database software and cloud computing company of breaching users' privacy by collecting their personal information and selling it to third-parties.
Google, meanwhile, has become the subject of a new probe initiated by the Italian data protection authority over how it gets users' consent prior to combining personal data from different services and if it provides adequate information to influence that choice.
"Google may use techniques and methods for requesting consent, and also for setting up the mechanisms for obtaining consent itself, which could condition the freedom of choice of the average consumer," the Garante alleged.
"Indeed, the customer would be induced to take a commercial decision that he/she would not have taken otherwise, by consenting to the combination and cross-use of his/her personal data among the plurality of services offered."