Paying for Facebook, or how Meta once again attempts to evade the GDPR

Reading time: 6 minutes

Last week Meta, the company behind Facebook, announced a major change in direction. For 15 years, Mark Zuckerberg constantly repeated that ‘Facebook will always be free’. You can still browse Facebook for ‘free’, but as of last week, there is an important nuance, at least in the European Union. From now on, Facebook (and Instagram) are only free if you give Meta permission to use (i.e. sell) your user data for advertising purposes. If you don’t want that (anymore), as of now, you pay 10 euros per month (for using Facebook or Instagram on your laptop) or 13 euros per month (for use on your smartphone or tablet).

What exactly is changing for the users? Where is this change coming from? What do privacy professionals think about this?

Our first reaction: but, wait, Facebook was never really free …

‘If it’s free, you’re the product’ is a witticism we often hear in the context of social media, apps, and all sorts of online platforms, and in this case, it is a perfectly valid statement. No company simply offers ‘free’ services. After all, every company wants to make a profit for its shareholders, and that means that behind every app, service or social media platform, there is also a revenue model.

In the case of Meta (Facebook and Instagram) and many similar services, the revenue model is straightforward. Their business model revolves around collecting and processing user data to create targeted ad profiles. In 2022, Meta generated a whopping $113 billion from ads this way, which accounted for 97.5% of their total revenue.

The core of Facebook’s model is to provide a social networking platform (for free) where users publicly share their entire private lives. This way, Meta can collect, process, package, and pour all these sometimes very personal details about your and my life into profiles and then sell that profile information to the highest-bidding advertiser. From that perspective, Facebook is not a free social media network but simply the highest-performing advertising machine in history. None of this has grown by accident. It is the result of a well-thought-out marketing strategy, using highly targeted techniques to lure users to Facebook for longer and longer periods of time and to keep them there for the sole purpose of being able to show them more targeted ads.

Don’t you ever wonder why you can’t find that interesting post you wanted to read later in your feed, why you have to scroll endlessly to get to that post from your best friend, or even why Facebook sends you permanent push notifications when someone likes your post or leaves a comment? One reason: Meta wants you to be online more frequently and longer so that you can constantly watch the ads. And we all fell for it…

The problem with online data collection: GDPR and ‘free’ consent

However, the General Data Protection Regulation (GDPR) has tightened the rules around data protection within the EU in recent years. Anyone who wants to collect personal data during online surfing sessions or while using social media can actually only do so if they request the free, prior, informed, and active consent of the data subject. This applies not only to Facebook but to all online marketing. It is also one of the main reasons why, for example, IAB Europe’s TCF framework came under fire in the past.

The rules around consent mean that users of online services must know in advance exactly what the website will do with their data and must actively and freely choose to allow or refuse that use. In particular, ‘free’ consent means that users must be offered a genuine, free choice without suffering negative consequences in the event of a refusal of that consent.

Both the GDPR and the jurisprudence of the Court of Justice of the European Union are very clear in this regard, and quite a few tech giants have previously gotten into trouble for not asking their users for proper consent.

Even smaller companies, marketers, and Web managers struggle with correctly applying the rules around opt-ins and consent. As we previously mentioned, consent must be free. However, consent also requires an active act and can never be presumed or implied. Nevertheless, we continue to see websites daily with the message ‘by continuing browsing, you agree that…’ (implied opt-in) or contest forms where an opt-in for direct marketing must be given to participate or where an account must be created to access the offer (enforced or mandatory opt-in).

Meta’s cornering 

In general, we see that large social media companies have been cutting corners on the GDPR for a very long time. Either no consent was asked at all, and it was deemed that they had a legitimate interest in using people’s surfing behaviour for advertising purposes, or consent was implicitly assumed, and as a user, you had to look for the opt-out yourself, or the consent requirements were packaged in such a way that no one understood what exactly they were consenting to. In our view, this is also evidenced by the many hoax messages on Facebook, where users are encouraged to copy/paste a message to allegedly ensure that Facebook will no longer use their data. The success of those hoaxes shows that Facebook users actually have no idea what they have or have not given Meta permission for and how that permission can possibly be revoked or changed.

Meanwhile, it is sufficiently clear that you do need active permission if you want to profile people and sell that profile information, and that certainly doesn’t mean much good for a business model that aims to collect (for free) that profile info from millions or billions of people.

Thus, Meta knows (and has long known) that it needs to adjust. With the recent decision to give users a ‘choice’ between paying or sharing data, Meta now seems to be pushing the boundaries of EU law once again. At first glance, users are allowed to choose how they want to use Facebook and Meta’s other services, namely free with data sharing or paying with privacy guarantees (if that is even guaranteed). 

A real free choice?

The question, however, is whether Facebook is giving users an actual free choice by selecting between continuing to use a service that has been free for more than a decade or suddenly paying a rather expensive subscription. After all, 13 euros a month (or 10 euros for the minority of users who do not use Facebook on mobile) can hardly be called a truly free choice, considering they are paying this amount of money for a service that was previously simply free. The proposed price level de facto forces users to continue using the service for free, and at Meta, they also know very well that no user will choose the third option, namely closing the account.

Moreover, as far as we could verify, Meta will continue to collect your data vigorously in any case, regardless of whether you take out a paying subscription or not. That means that Facebook will still know everything about you. Only your data will (hopefully?) no longer be sold. We don’t even want to start reflecting in this blog on the relevance of an opt-in cookie in this context. That could become a whole new legal hornet’s nest.

In other words, there is no question of a ‘free’ choice, and once again, this is a step backwards rather than forward in terms of privacy and data protection for EU citizens. We have to wait until the EU authorities intervene again to thwart this umpteenth attempt to deprive EU citizens of the rights that GDPR granted them.

Questions about GDPR, or would you like to discuss this topic?

Our team is happy to assist you. Send an email to or book a free appointment here. 

Schedule a free appointment

About the author

Van den Brande

I am the founder and Managing Partner of Sirius Legal. In 2010, I decided to leave the Brussels big city law scene behind me to start practi...