Published:Nov 21, 2023

Digital democracy|Digital privacy

Meta’s paid subscription — is it GDPR compliant?

Meta’s decision to apply the so-called “Pay or Okay” approach¹ in the EU raises a lot of discussions among lawyers, privacy advocates, and even data protection authorities. While Meta is trying to justify the application of this approach based on its belief “in an ad-supported internet, which gives people access to personalized products and services regardless of their economic status”², many doubt the legality of this approach. Surfshark’s Head of Legal Gytis Malinauskas gives some insights into this in the context of the General Data Protection Regulation (GDPR)³.

Key insights

  • Article 7 of the GDPR³ requires consent (when the data is processed on the basis of consent) to be given freely. But the price of €160 a year¹ requested by Meta for ad-free service is regarded by many as rather high⁴, potentially limiting the freedom of users to choose not to have their data processed.
  • Recital 43 of the GDPR⁵ states that if the processing of personal data is not necessary for the provision of services, then even if consent has been provided, it cannot be regarded as given freely. In Meta’s case, advertising is not necessary⁶ for the provision of services, which raises questions about the legitimacy of the consent.
  • In January of 2023, Meta was fined €390 million because it was found to have ad practices that do not comply with the GDPR⁷. In total, Meta has been fined €2.6 billion under the GDPR⁸.
  • As pointed out by NOYB, Meta made €72,5 billion from advertising in the European Union between 2018 and 2022⁹. NOYB also claims that a significant part of this revenue could have been achieved from unlawful personalized advertising, so there may still be plenty of room for improvement in GDPR enforcement.
  • Users of Meta platforms now have the choice to experience ad-free social media and to opt out of data tracking but at a hefty price tag. This raises questions not only on how compliant it is with the GDPR but also how ethical it is to charge users merely for privacy. Privacy advocates are already signaling intentions to contest Meta’s new model, setting the stage for an intriguing development.

Methodology and sources

Surfshark’s Head of Legal, Gytis Malinauskas, looks at Meta’s new subscription model and presents insights in the context of the GDPR.


¹ NOYB (2023). Meta (Facebook / Instagram) to move to a “Pay for your rights” approach;² Meta (2023). Facebook and Instagram to Offer Subscription for No Ads in Europe;³ General Data Protection Regulation (2023);⁴ EDRi (2023) Meta plans paid subscription for users who don’t want to be tracked;⁵ PrivazyPlan (2023) Recital 43 EU GDPR;⁶ Alexander Hanff (2023) EDPB orders a ban of Meta's processing of personal data for behavioural advertising;⁷ The New York Times (2023) Meta’s Ad Practices Ruled Illegal Under E.U. Law;⁸ Surfshark (2023) ⅓ of social media's GDPR fines linked to children;⁹ NOYB (2023) Irish Data Protection Authority gives € 3.97 billion present to Meta.
The team behind this research:About us