惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
The GitHub Blog
The GitHub Blog
T
Threatpost
人人都是产品经理
人人都是产品经理
大猫的无限游戏
大猫的无限游戏
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - Franky
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell
M
MIT News - Artificial intelligence
小众软件
小众软件
Hugging Face - Blog
Hugging Face - Blog
云风的 BLOG
云风的 BLOG
S
Security Affairs
P
Proofpoint News Feed
L
LINUX DO - 最新话题
宝玉的分享
宝玉的分享
S
Security @ Cisco Blogs
H
Hacker News: Front Page
Security Archives - TechRepublic
Security Archives - TechRepublic
Vercel News
Vercel News
Engineering at Meta
Engineering at Meta
Know Your Adversary
Know Your Adversary
Y
Y Combinator Blog
美团技术团队
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
月光博客
月光博客
量子位
博客园_首页
The Last Watchdog
The Last Watchdog
D
DataBreaches.Net
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Privacy International News Feed
The Register - Security
The Register - Security
Schneier on Security
Schneier on Security
H
Help Net Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Visual Studio Blog
Google DeepMind News
Google DeepMind News
F
Full Disclosure
C
Cyber Attacks, Cyber Crime and Cyber Security
MyScale Blog
MyScale Blog
aimingoo的专栏
aimingoo的专栏
S
Schneier on Security
L
Lohrmann on Cybersecurity
S
Secure Thoughts
Stack Overflow Blog
Stack Overflow Blog
Cloudbric
Cloudbric
Microsoft Security Blog
Microsoft Security Blog

Blog of Simple Analytics

The EU wants to kill cookie banners Google is tracking you (even when you use DuckDuckGo) German court rules Meta’s tracking tech violates GDPR Closing the data gap - Simple Analytics x Usercentrics The EU-US data deal may be dead in the water You are missing 20% of your website data with GA4 How a reverse trial will push Simple Analytics to the next level Google will start tracking all your devices (WTF?) Big Tech Fails EU’s Digital Services Act: Only Wikipedia Passes the Test Meta fined $102 million by the Irish Data Protection Commission Europeans spend 575 Million hours per year clicking cookie banners The most interesting GDPR fines GDPR and fines: all there is to know Google loses key antitrust case Web Analytics for Crypto Companies Web analytics for publishers Google pulls Uno Reverse card: Rolls back decision to kill third-party cookies Privacy Monthly July 2024 Privacy Perspectives June 2024 Privacy Monthly June APRA fumbles targeted advertising Privacy Monthly May Google delays cookie phase-out once again Privacy Monthly April 2024 Web Analytics and Consent Cookies 101 Privacy Monthly March 2024 German authority cracks down on cookie banners Google Tag Manager vs Google Analytics Google search alternative Data retention in Google Analytics Guide to Google Analytics and Cookie consent What are Google Analytics' identifiers? How to export data from Google Analytics Privacy Monthly February 2024 The Criteo case: a big deal for Big Tech Privacy Monthy January 2024 What the Digital Markets Act means for privacy Google Settles in $5B Incognito Mode Lawsuit Legal troubles for Adobe Analytics Web analytics for nonprofits HIPAA and mental health Why Meta subscriptions are under attack, and why it matters for privacy Privacy Monthly: December Simple Analytics AI Host analytics on Cloudflare Zaraz Add Google Analytics to Convertkit Google Analytics Pricing - Paid vs Free Road to 1 Million ARR - October update CCPA and Data Protection: all there is to know Analytics without a cookie banner Enterprise Analytics Privacy Monthly: November 2023 Delete Act: all you need to know Mobile App Tracking Under Fire The road to 1 Million ARR - September Update Privacy Monthly: October 2023 HIPAA violations First challenge to the EU-US data transfer framework Direct Marketing under GDPR Road to 1 million ARR - August Update CCPA vs CPRA: what is new? Privacy Monthly: September 2023 A/B Testing with Simple Analytics Dobbs v. Jackson ruling is a privacy mess Privacy Monthly: August 2023 What are your rights under the CCPA? When does the CCPA apply? How does the HIPAA compare to the CCPA and GDPR? Why Meta is in a world of trouble CJEU: cookie-based analytics collects sensitive data Road to 1 million ARR - July update All about the new Data Transfer Framework Road to 1 Million ARR - June update What is PHI under HIPAA? Sweden declares Google Analytics illegal Searching for GA4 Alternatives? Top 10 Reliable Options for Google Analyticss Ultimate HIPAA Compliance Checklist: Essential Steps for Healthcare Providers Privacy Monthly: June 2023 More troubles for Google Analytics The path to 1M ARR - May Update Data Processing Agreements Minimal Product Analytics Facebook data transfers declared illegal Is Google Analytics CCPA-compliant? Help us with your input Cookie banners: How to stay GDPR compliant? GDPR Compliance Checklist Privacy Monthly: May 2023 Simple Analytics: Privacy-first website analytics Improve your e-commerce performance with analytics European Facebook blackout is closer than we think Know your website’s Carbon Emissions - and how to reduce it The path to 1M ARR - April 2023 How to add video tracking using Google Tag Manager? How to track form submissions using Google Tag Manager? Why is my Simple Analytics data different from Google Analytics? Debug Simple Analytics script How to Import Google Analytics Data to Simple Analytics
Meta loses key privacy battle
Carlo Cilent · 2024-04-30 · via Blog of Simple Analytics

On April 17 privacy scored an important win: the European Data Protection Board (that is, the organization that brings EU privacy watchdogs together) clarified that personal data are not a commodity and took a clear stance against Meta’s pay-or-ok approach to GDPR compliance. This is a step forward for EU privacy law and a big deal for the tech industry.

Before you pop the champagne, please note that the story is not quite over yet. Meta will no doubt drag the legal battle to the Court of Justice of the European Union, and the Court will have the last word. That being said, the EDPB siding with Meta’s critics is a very good sign.

  1. The background
    1. What this is not about
    2. Meta vs. the GDPR
    3. Pay-or-ok
  2. What did the Board say?
    1. Pay-or-ok doesn’t cut it
    2. There are alternatives
    3. What about smaller players?
  3. What happens next?
  4. Conclusions

Here is all you need to know about the EDPB’s Opinion, and why it matters. Let’s dive in!

The background

What this is not about

Before we explain what this legal battle is about, let's dispel a possible misconception: Meta is not under attack for putting a price on its platforms.

Meta is a for-profit entity and has a right to price its services however it sees fit, including requiring subscriptions to previously “free” platforms. No one contests this right- so what is the problem?

Well, Meta is using subscriptions as an argument to show that its business model as a whole- and especially the harvesting and mining of data from free users- is compatible with the GDPR. In other words, the point of Meta’s subscriptions is to justify spying on free users. This is what is problematic under the GDPR- not subscriptions per se.

Here’s the story in detail, and why it is a big deal for privacy law.

We already discussed the pay-or-ok saga extensively in another blog, so here is the short version.

For more than a decade now, Meta has been aggressively mining user data as a payment for Facebook (and later Instagram). This intensive probing allows the company to profile users and serve behavioral advertising, for which it charges advertisers. This business model is at odds with the GDPR and privacy advocates have been challenging it for a while now- especially noyb, an Austrian NGO with a long history with Meta.

So, commercial surveillance is how Meta makes most of its revenue. By challenging the compliance of its targeted advertising, privacy advocates are questioning the lawfulness of Meta’s very business model under the GDPR. This has important implications for the entire tech industry because many other companies rely on a data-as-payment business model.

So far, Meta responded to these challenges by tweaking some fluff in its privacy policy, eating nine-figure fines, and keeping doing business as usual. But as Meta keeps losing legal challenges, its options grow thin.

Paid subscriptions are the latest act in this long-running saga and the company's last-ditch attempt to save its business model in the EU market.

Pay-or-ok

Meta currently presents EU users with a choice: they can consent to behavioral advertising and use its social platforms for free, or get rid of behavioral advertising and pay €120 a year.

Of course, Meta knows that the vast majority of users won’t pay. The point is not to collect pennies from a handful of paid subscribers, but to justify spying on everyone else. Subscriptions are a trick that allows Meta’s lawyers to claim that consent to behavioral advertising meets the high consent standards of the GDPR- specifically, the requirement for consent to be freely given.

This pay-or-ok approach is controversial in the privacy space. Some see it as a powerful compliance tool that could potentially justify very invasive data mining under the GDPR. They hope that Meta’s approach survives regulatory scrutiny so that they can jump on board and make pay-or-ok the new standard for the digital economy.

On the other hand, Meta’s critics argue that data is not a commodity because privacy and data protection are human rights (and the Charter of Fundamental Rights agrees). They also point out that not everyone in Europe can afford to pay €10 a month to stay in touch with their friends and relatives on Facebook- let alone €10 per month per app, should pay-or-ok become commonplace for social platforms.

The EDPB was called to take a stance in the pay-or-ok controversy and sent a very clear message.

What did the Board say?

The EPBP’ Opinion is quite complex, but in a nutshell, it largely agrees with Meta’s critics. Data are not a commodity and putting a price tag on privacy is no way to collect valid consent under the GDPR.

The EDPB’s Opinion is not binding but holds plenty of weight. After all, the members of the Board are national regulators with the power to fine Meta for GDPR noncompliance.

Pay-or-ok doesn’t cut it

The EPBP took a close look at Meta’s compliance strategy and did not like it one bit.

The Board highlights that Facebook and Instagram benefit from powerful lock-in and network effects: the more social contacts you have on those platforms, the harder it is to leave them (as a a better blogger wrote, social networks are a hostage situation by now). At the same time, Meta’s dominant position on the social media market means that consumers lack alternatives.

This is why the EDPB ultimately agrees with Meta’s critics and refuses to recognize the consent collected by Meta as valid, freely given consent. Bottom line, Meta has no right to profile users based on their behavior.

(Incidentally, market dominance is the reason why the common objection that “platforms are not free to provide” does not work for Meta. In a competitive market, most users would delete their Facebook or Instagram account and move their data to a privacy-friendly competitor. In the real world, tech giants buy potential competitors, leaving users to pick their poison between Meta, X, and ByteDance.)

There are alternatives

Meta and other ad tech players like to present behavioral advertising as a black-and-white issue: either you allow us to probe the digital lives of Internet users inside out, or we go broke and the digital economy dies (see the IAB’s letter to the Board).

But the issue is not black and white. The EDPB was careful to clarify that platforms can provide advertising without consent. This doesn’t necessarily mean contextual advertising, either: for instance, Meta could simply ask users about their interests and use their answers to target ads. In the Board’s view, this less invasive form of advertising could conceivably be carried out without user consent while still complying with the GDPR.

Of course, this reasonable middle ground would be vastly less profitable than Meta’s invasive probing, and the company will keep fighting tooth and nail against privacy rather than tuning the surveillance down a notch.

The EDPB also points out that offering users a third, free option with less intrusive advertising could help Meta justify its business model under the GDPR. But we don’t expect Meta to take this advice anytime soon: the company knows users do not like surveillance and typically say “no, thanks” when presented with a fair, transparent choice such as the one required by the EDPB.

(I would also like to point out another obvious and 100% GDPR compliant way for Meta to monetize from Facebook and Instagram: turn them into paid services, period. No one demands a free meal- not the GDPR, not the regulators, not the privacy advocates. But Meta will never adopt this simple solution because a price tag would cost the company too many users.)

What about smaller players?

The message for Big Tech is very clear, but does the same logic apply to smaller websites and services?

Maybe.

Yup, that’s not the most satisfying answer- but that’s the answer we got.

The Opinion deals with big platforms only, but the Board points out that some of its reasoning may apply to small players as well- which is quite confusing. Overall, we feel like the Board doesn’t want to take a stance on how the rules apply to smaller players- at least for now.

What happens next?

It is worth repeating that the story is not over yet and that the Court of Justice will likely have the last word.

It is hard to say when this will happen. noyb’s complaint with the Austrian authority will probably go all the way to the Court of Justice, but that will take a while- especially if the Irish authority gets involved. In the meantime, Meta is unlikely to change its practices unless the fines start flying.

If the Court sides with EDPB, the ruling will mark a turning point in privacy law. Meta will be forced to rethink its business model and will likely eat gigantic fines. Other big fish will also need to re-evaluate their business model, as privacy advocates won’t hesitate to wield the Meta precedent against them. Long story short, we will move one step closer to the long overdue death of behavioral advertising.

On the other hand, if the Court sides with Meta and sanctions its self-serving interpretation of the law, then pay-or-ok will likely become the industry standard, the GDPR will be substantially defanged against Big Tech, and we will all have little to no expectations of privacy on the platforms that control our digital lives.

Conclusions

This time around, it’s not just Meta against the usual suspects (noyb) . Consumer advocates from the Bureau of European Consumers (BEUC) are also challenging Meta subscriptions and even the European Commission- as the EU’s top antitrust regulator- is looking into pay-or-ok’s conformity to the Digital Markets Act.

We are happy to see actors challenge Meta’s compliance puppet show from different angles. And we are even happier to see the EDBP take a strong stance.

It is impossible to overstate the importance of the pay-or-ok saga. When noyb’s complaint against Meta (predictably) lands in the Court of Justice, the Court will need to make a decision: should the GDPR bend to the surveillance economy, or should it be the other way around?

We don’t have a crystal ball, but the EDPB’s Opinion is a good reason to be optimistic.

We build Simple Analytics because we believe in a privacy-friendly web. We help our customers understand their traffic and expand their audience without collecting a single bit of personal data. Our web analytics tool is easy to learn, customizable, and comes with a hand AI assistant. If this sounds good to you, feel free to give us a try!