Facebook on a mobile phone
VoxEU Column Competition Policy

Meta’s offer

Meta has been contesting what constitutes compliance with the General Data Protection Regulation ever since that law came into force in 2018. This column argues that with its new offer, Meta artificially lumps together two very different levels of privacy while offering a service that no one asked for: one with a high subscription price, tracking, and no ads. Europe is missing the choice that is the most popular, ‘just right’, option: advertising based on what a user does on Meta’s site.

Meta’s situation in Europe mimics the traditional tale of Goldilocks, who finds the bears’ cottage and helps herself to the porridge that is too hot followed by the porridge that is too cold before finding the porridge that is ‘just right’. Meta has a similar problem. It has offered dishes that are too hot and too cold, while the regulator and the public want the service that is ‘just right’ to be brought to the table. Not only is this option the most popular, it is responsive to the requirements of European privacy laws.

Meta has been contesting what constitutes compliance with the General Data Protection Regulation (GDPR) ever since that law came into force in 2018. The Irish data protection authority is widely viewed to have enabled Meta’s resistance as well as greatly slowed the process. 1 If Meta were to fully comply, it would earn less profit in Europe (as evidenced by the fact that the company has not already complied), and that profit loss provides a reason to engage in what seems to be endless litigation.

After delaying compliance with the law for five years, the fact that Meta’s new offer is worse for consumers than the likely illegal status quo gives the impression that Meta is thumbing its nose at European law. Consumer advocates have already voiced their discontent with Meta’s subscription model and filed complaints against it, while regulators announced further investigations into its adoption (e.g. noyb 2023, BEUC 2023, Wired 2023). This subjective impression of Meta’s attitude is important in the context of a broader roll out of European regulation of digital platforms coming through the Digital Markets Act, the Digital Services Act, and the Data Act, to name a few. If Meta demonstrates that compliance with European digital regulation is effectively optional, or can be delayed indefinitely by costly legal process, the legitimacy of that law will be at risk, as will effective future regulation of digital platforms for the benefit of European citizens.

Consent

The idea of the GDPR is to protect users from exploitation of their personal data by limiting the ability of companies to gather and use those data without the explicit consent of the user. The analysis below will focus only on the problem of non-sensitive data. The collection and use of sensitive data such as health, sexual orientation and the like are (appropriately) subject to stricter rules. What may be more interesting from a commercial perspective is information that a consumer is actively looking to buy a new car or a holiday at the beach. For digital platforms that fund themselves with advertising, the GDPR offers two legal approaches to use personal data of this type to carry out that business model: either get consent from end users, or use the data only to complete a requested contract with the user. 2 An example of the latter is an e-commerce company that gathers and uses your home address in order to send you the package that you ordered. The contract option is not a good fit with social media advertising. Knowing that a user browsed some yellow cardigans on Etsy is not necessary to provide that user the content posted by friends and family that is Facebook.com’s service. The second option – consent – is therefore the appropriate solution for Meta and others operating ad-supported social media. However, one way users can be manipulated into giving consent is when the platform withholds specifics or does not provide a clear description of what data are being gathered. Another example is when a digital platform is allowed to control the choice environment and it sets defaults and dark patterns to ensure users ‘choose’ to share all their data. As explained in recital 32 and stated in Article 4(11) of the GDPR, ‘consent’ cannot be driven by such dark patterns because that consent is not specific, granular, well-informed, not rushed, and freely given. 3 These listed attributes are required of consent given under the GDPR.

We have an important empirical example of users’ choices when they are offered a simple and transparent choice. Apple’s App Tracking Transparency (ATT), released in April 2021, gave users a simple choice as they opened an app – to be tracked by that app or not. A huge majority of US users (about 85%) chose not to be tracked (Adjust 2023). Meta predicted a loss of $10 billion in global revenue in 2022 from this change in users’ ability to control their privacy (New York Times 2022). This real-world pattern of behaviour in a clean choice architecture demonstrates that most users prefer not to be tracked.

The menu

Meta’s services in Europe, and elsewhere, have earned revenue by selling targeted ads that are inserted into content, and not by requiring the user to pay any money. Its advertising can be based on (at least) three kinds of information: contextual data, personal data from Meta platforms, and personal data Meta gathered by tracking a user across the Internet. Continuing to track and use those latter categories of data is highly profitable for Meta because they improve the match between the ad and the user which, in turn, raises the price of the ad. Higher priced ads generate higher profits.

Interestingly, if Meta's users are willing and able to persist in navigating through layers of the settings menu, it is possible to find an "information and permission" page that allows users to request not to be tracked off Meta properties.  4 This less intrusive choice is similar the choice offered by Apple in ATT. Meta continues to monetise such a user through selling contextual ads as well as targeting ads based on personal data from the user’s activity on the platform itself. The user in this example obtains a Meta service by watching ads but without paying any monetary price, and while sharing personal on-Meta data and not sharing personal off-Meta data. Outside the Apple ATT screen, however, this offer is difficult to find. It requires navigating to remote pages and enduring ‘friction’, or ‘sludge practices’, to get to the choices the user wants to make.

Subscription

The offer Meta announced on 30 October is a plan that costs users €12.99 per month if purchased on their mobile devices and shows no ads. 5 Meta did not announce any lessening of data gathering or tracking, but simply describes the plan as “your info won’t be used for ads”. The European Consumer Organisation (BEUC) describes it as “choose to lose” (BEUC 2023). There are a number of reasons why this offer appears to disrespect European law.

First, the offer is simply a change in business model – funding the service with a subscription rather than advertising – that does not improve users’ privacy at all. Meta states no change in the data collection practices around this offer, meaning that it will continue to track the user. 6 The GDPR has nothing to say about a platform’s business model per se because ads need not profile any user based on their personal data – for example, a platform can show the same ad to all users. Changing a business model only, and not the nature of privacy protection, is not responsive to a request for compliance with a law that controls the gathering and processing of data.

A second issue is that the offer is likely misleading to users who have not been following these debates in detail because it implies that, by paying a subscription, the platform will cease tracking them. Indeed, BEUC has already filed a complaint against Meta for the lack of clarity and truthfulness in the offer (BEUC 2023).

In general, the characteristics that the GDPR requires in order to conclude that users have truly given consent are missing from the offer: it is not specific, granular, well-informed, nor freely given. Furthermore, without any change in data gathering, the offer does not improve privacy, so there is no reason for consumers to pay for the subscription if they are interested in keeping their fundamental rights.

Rather, the offer appears to be designed to keep users in the ‘free’ offer by contrasting it to an expensive subscription. However, the single ‘free’ offer bundles together the option Meta likes best (full tracking and no compensation for users) with a suppressed option it is trying to avoid (the ad-supported, no-tracking, zero-priced option). The only option not to be tracked while obtaining Facebook freely (outside of iOS) is hidden to users. Users would need to find this option in a second step after agreeing first to the option that includes tracking. This artificially restricted menu of two options will cause users to ‘choose’ to give away to Meta their valuable data – because of exploitative choice architecture, not because of their true preferences.

What is a free choice?

The European Center for Digital Rights (noyb) has calculated the annual ad revenue per user earned by Meta in Europe between Q3 2022 and Q3 2023to be €62.88 (noyb 2023). This sum is less than the annual cost of the subscription (€156), meaning that the subscription actually earns the platform more profit per user than the original ‘free’ business model. This rough calculation suggests that the new offer is a net price increase for the gatekeeper while not improving privacy. Given that Meta has been repeatedly found to have a dominant position in personal social networking, 7 it may be abusive of that position to respond to a requirement for more privacy with a price increase to end consumers while simultaneously misleading them about the privacy benefits.

A third relevant law in Europe is the Digital Markets Act. Meta has been designated a gatekeeper under that law and both Instagram and Facebook have been designed as Core Platform Services that must comply with the rules in the Act by March of 2024. Importantly, only the largest gatekeepers are subject to the DMA, whereas the GDPR applies to all data controllers. Because gatekeepers have entrenched market power, often due to network effects, the DMA mandates a change in behaviours to increase fairness and contestability. Article 5(2) prohibits a platform from combining data across its own services and between its own and other services without user consent. Consent, again, must not involve dark patterns, 8 meaning that Meta must offer users clear options and free choice. A ‘choice’ of tracking at a price of zero and no tracking at a price of €156 may not be a free choice for many consumers. Young people, in particular, are particularly vulnerable and may have no income of their own.

The missing menu option is the one that involves no tracking, has a zero monetary price, and shows ads. The DMA describes it concretely in Recital 36 and 37:

Recital 36: To ensure that gatekeepers do not unfairly undermine the contestability of core platform services, gatekeepers should enable end users to freely choose to opt-in to such data processing and sign-in practices by offering a less personalised but equivalent alternative, and without making the use of the core platform service or certain functionalities thereof conditional upon the end user’s consent.

Recital 37: The less personalised alternative should not be different or of degraded quality compared to the service provided to the end users who provide consent, unless a degradation of quality is a direct consequence of the gatekeeper not being able to process such personal data or signing in end users to a service…

The reason it is missing from the up-front menu is likely because Meta realises that market forces would drive consumers away from the tracked option to the non-tracked option if they are offered separately at the same price. To continue with the food analogy, Meta’s offer is like a menu of bad, good, and excellent wine at prices of €10, €10, and €20, respectively. Today the good wine is hidden. But if it were placed on the menu with the other two, why would any consumer buy bad wine for €10 if they can have good wine for €10? Demand for tracking (bad wine) will be small if a user can have a more private service (good wine) for the same price of zero.

A better menu

The menu of two extremes that Meta currently offers in Europe is missing the choice that is the most popular, ‘just right’, option: advertising based on what a user does on Meta’s site.

It is far better for consumers if Meta offers three options. Ironically, the missing product is already available, but buried deep in Meta’s settings; this is the ‘just right’ service of zero price, no tracking, and ads based on user activity on the platform. The second is a service without any ads and without tracking that comes with a positive price, while the third offers users a negative price to accept tracking of (non-sensitive) activity around the internet.

If Meta wants many users to choose tracking, its price must fall further to make more sharing attractive. Meta will have to offer negative prices, namely, some kind of benefit or subsidy to get users to choose the tracked option. A negative price is symmetric to the positive price that the platform charges to see no advertising at all. The latest rigorous evidence suggests there is a 27% loss when Meta stops using off-Meta data to target a user (Wernerfelt et al. 2022). 9 If this is the surplus at stake, it will be worthwhile for Meta to make tracking attractive to end consumers.

Selling this option requires Meta to transparently and fairly convince users to give up their privacy by offering them some benefit. Such a contract would need to be fully compliant with all regulations so that it presented a truly attractive option to users and not one that is exploitative. (As noted above, adherence to rules prohibiting the processing of sensitive data is assumed.) Careful design of choice screens that comply with GDPR would be needed. If the new privacy environment is accurately described and the choice environment is fair, users’ rights are protected and any choice becomes freely given.

Users may enjoy receiving ads about shoes if they shopped for shoes the previous day and did not find a pair they wanted; or they may benefit from ads about coffee shops in Antwerp if they regularly visit Antwerp. Whether users want such ads is an open, and empirical, question. Users may vary in how much they dislike being tracked around the internet, and in the value they put on the offered benefit.

A gatekeeper that wants to compensate users for being tracked to generate personalised ads could simply give them money. The problem this raises is the likelihood of scammers setting up fake accounts to earn any such subsidy. A more practical approach might be to partner with an entity that can authenticate the user and perhaps is already billing the user, such as their mobile carrier. Users could agree to share more data with Meta in return for Meta providing them a discount on their Orange monthly bill for example. In this way, real users obtain a share of the surplus they create with their data. 

Until the law stops gatekeepers from using their market power to simply take valuable user data, the business model of paying consumers will remain underdeveloped. Platforms will need to use tools and strategies to deal with bots attracted by monetary payments. For example, today Meta claims to investors and advertisers that it efficiently authenticates its users by removing fake accounts, and that most users are genuine (e.g. Meta 2019, 2021). Partnering with MNOs where a user is already paying a fee each month, or with app stores that offer in-app purchases like gaming (perhaps Meta will open an app store), could be one strategy that avoids this problem.

Consumers may have a hard time distinguishing the privacy difference between a contextual ad and one that is personalised based on their behaviour on the platform, yet the legal treatment of these practices is different. Depending on how different these ads are in user experience, commercial value, and legal requirements may determine whether it is reasonable for platforms to offer one service – one menu option – that includes both.

Goldilocks again

With its new offer, Meta artificially lumps together two very different levels of privacy while offering a service that no one asked for: one with a high subscription price, tracking, and no ads. A better menu, one that is both compliant with data laws in Europe and good for consumers, is straightforward. The first option has a subscription price and no advertising. However, this option should not involve Meta gathering the personal data the platform uses to create ads because no ads are being shown; this first option therefore has the least tracking and the most privacy. The second option has no monetary price, shows ads, gathers personal data on Meta, and does not track the user off Meta. A third option asks consumers to share their personal data both on and off Meta in return for a subsidy, or negative price. Here, the Goldilocks metaphor is useful again. The Apple ATT experiment demonstrated that the middle option can be hugely popular and therefore may be ‘just right’ in this context. The other two options may be too hot or too cold for some users, but attractive to others. They can be freely chosen if so. In principle, there could be many menu options on either side of the ‘just right’ choice. Indeed, more competition in ad-supported platforms that may arise under the DMA seems likely to generate a variety of creative options.

Disclosure: Professor Scott Morton is currently instructed by Dr Lovdhal-Gormsen as an economic expert in Dr Lovdhal-Gormsen’s proposed opt-out consumer class action against Meta in the UK Competition Appeal Tribunal. She regularly consults both for corporations and government agencies as an economic expert in antitrust and merger cases. At the time of writing her other clients include Microsoft, SiriusXM, several small US healthcare companies, and several nascent electric auto makers. 

References

Adjust (2023), “ATT two years on: Opt-in rates keep climbing”, 5 July.

BEUC (2023), Choose to lose with Meta: An assessment of Meta’s new paid-subscription model from a consumer law perspective.

European Union (2023), Study on the impact of recent developments in digital advertising on privacy, publishers and advertisers, Final Report.

ICCL – Irish Council for Civil Liberties (2021), Europe’s enforcement paralysis.

Meta (2019), “How Does Facebook Measure Fake Accounts?”, 23 May.

Meta (2021), “How We’re Tackling Misinformation Across Our Apps”, 22 March.

New York Times (2022), “A Change by Apple is Tormenting Internet Companies, Especially Meta”, 3 February.

noyb (2023), “noyb files GDPR complaint against Meta over “Pay or Okay””, 28 November.

Wernerfelt, N, A Tuchman, B Shapiro and R Moakler (2022), “Estimating the Value of Offsite Data to Advertisers on Meta”, Becker Friedman Institute for Economics Working Paper No. 114.

Wired (2023), “Norway’s Privacy Battle With Meta Is Just Getting Started”, 15 November.

Footnotes

  1. See, for example, ICCL (2021) and an open letter from noyb (https://noyb.eu/sites/default/files/2020-05/Open%20Letter_noyb_GDPR.pdf).
  2. GDPR Article 6: “(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. CJEU may have left open a path for advertising to be a legitimate interest (section f), but this possibility is beyond the scope of this column.
  3. REGULATION (EU) 2016/ 679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL - of 27 April 2016 - on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/ 46/ EC (General Data Protection Regulation) (europa.eu)
  4. I understand that the way it works is that the data continue to be physically gathered but not associated with a user account.
  5. Users can buy the service for only €9.99 if they purchase it on Facebook rather than in the mobile app store. Notice that Meta is taking advantage of the DMA by disintermediating the mobile app store. Meta sells the subscription on Facebook and users can then consume the service using a reader app on the handset. Meta charges a higher price on the app store. These features are all enabled by the DMA.
  6. BEUC (2023: 5) explains how Meta uses the data to benefit its business.
  7. See, for example, FCO 2019 Facebook decision B6-22-16, para 165, and Federal Trade Commission v Facebook Inc.: Substitute Amended Complaint for injunctive and other equitable relief (8 September 2021), paragraph 190.
  8. The DMA Article 13(6) says that gatekeepers may not make “exercise of those rights or choices unduly difficult, including by offering choices to the end-user in a non-neutral manner, or by subverting end users’ or business users' autonomy, decision-making, or free choice via the structure, design, function or manner of operation of a user interface.”
  9. See also 2.4.1 in European Union (2023).
AdobeStock_283593790_Editorial_Use_Only.jpeg
VoxEU Column

Designing regulation for digital platforms: Why economists need to work on business models

    ![](../../../../../../../../../../var/folders/34/zq18d8kx7kbgby0j06p_j6t40000gn/T/TemporaryItems/NSIRD_screencaptureui_EM2XPo/Screenshot 2022-01-04 at 17.01.16.png)
  • Competition Policy
    • ![](../../../../../../../../../../var/folders/34/zq18d8kx7kbgby0j06p_j6t40000gn/T/TemporaryItems/NSIRD_screencaptureui_EM2XPo/Screenshot 2022-01-04 at 17.01.16.png)
  • EU policies