Meta, the GDPR and the new regulatory frontier for European gatekeepers
The resolution that the European Commission issued on April 23, 2025 against META Platforms, Inc. is not just another fine; it is a doctrinal breakthrough that redefines the scope of consent in the digital platform ecosystem and, incidentally, tests the legal framework of the General Data Protection Regulation (GDPR) against the most recent Digital Markets Act (DMA). With 200 million euros of sanction – and the added threat of daily coercive fines if in sixty days it does not adjust its model – Brussels reminds the sector that personal data is not a currency with which a gatekeeper can finance, at will, its dominant position.
From "mere formality" to substantive consent
Anyone who has accompanied European technology companies on their journey through the GDPR knows that the word consent had been degrading for years until it became a click-through process: it was enough to display a banner that offered "Accept" and, in smaller print, "Configure" or "Reject". The DMA, however, introduces an additional architecture: it requires that the user can choose an equivalent service – in features and experience – that works on less intrusive or contextual advertising. In other words, it is not enough to invoke the GDPR; it is necessary to ensure that the refusal does not penalize the Internet user economically or functionally.
This is the cornerstone that breaks the controversial "consent or pay" model that Meta implemented in November 2023. By offering a monthly subscription for those who refused personalized advertising, the platform transferred the cost of privacy to the user, emptying the content of the consent required by Article 5.2 of the DMA. The Commission explicitly acknowledges that the model did not provide "a less personalised, but equivalent alternative", nor did it allow the user to freely consent.
The consequence is clear: consent can no longer be analyzed in a purely formal key, but in a material key: Is there real bargaining power? Can the user access the service, on equal terms, without a massive transfer of their data? If the answer is no, the consent becomes fictitious and, therefore, invalid.
The GDPR as a support and not as a limit
Although the GDPR remains the great magna carta of European privacy, the Commission has made it crystal clear that the new DMA standard is cumulative, not a substitute. The systematic interpretation is interesting: Article 4.11 of the GDPR defines consent as “free”, but the DMA, aware of the asymmetries between gatekeepers and users, details what structural conditions can corrupt that freedom. Thus, the obligation of the functional equivalent becomes a practical corollary of the principle of freedom proclaimed in the GDPR.
In other words, the European legislator recognises that in highly concentrated digital markets the capacity for choice is diluted; for this reason, it reinforces guarantees with an instrument of ex-ante competition. The message to Spanish operators is direct: complying with the GDPR is no longer enough if the business model rests on the leverage of personal data on a large scale.
Implications for digital platforms operating in Spain
Since Meta's designation as gatekeeper in September 2023, anyone aspiring to scale their digital project – whether from Madrid, Barcelona or Malaga – must ask themselves if their data flow could be considered “systemic”. The Meta case extends, by analogy, a series of practical obligations:
- Primacy of the principle of minimisation: combining data extracted from different services requires a differentiated legal basis and a privacy-by-default design logic.
- Prohibition of dark patterns: the Commission values not only the literalness of legal texts, but the decision architecture that leads to mass acceptance.
- Need for a functional equivalence analysis: any "unmonitored" version must preserve benefits, performance and social participation; degrading experience or imposing tariff barriers leads, as happened to Meta, to the terrain of non-compliance.
The file also illustrates how the AEPD and the European Commission can act in a concerted manner: the Spanish authority, which had already been sanctioning walls of pure cookies, will now have a Community precedent to intensify its scrutiny of local pay-or-ok strategies.
Market power as a critical variable
A novelty of the resolution is the explicitness of the competitive advantage derived from the hyper-accumulation of data. The Commission underlines that Meta groups information from Facebook, Instagram, Messenger and Marketplace, consolidating "unique" profiles that reinforce its advertising hegemony. Hence, the obligation to offer a "less personalized" but competitive service also has a pro-competitive dimension: preventing the volume of data from becoming an insurmountable barrier to entry for startups.
For startups – especially those that intend to monetize via adtech or the attention economy – this finding implies that data policy is intertwined with market strategy: obtaining large volumes of personal information no longer guarantees a sustainable advantage if the combination of such data violates the DMA regime.
A compass for upcoming litigation
The Decision of 23 April is, at the same time, a precautionary warning: the Commission reserves the right to examine the new option of "less personalised ads" that Meta launched in November 2024. If the investigation concludes that this formula still does not respect functional equivalence, the coercive fines provided for in article 31.1 of the WFD will fall.
This anticipates a second wave of litigation: each adjustment that Meta or any other gatekeeper implements will be scrutinized not only by the Directorate-General for Competition, but also by consumer organizations and data advocates. At the national level, it is foreseeable that the AEPD will incorporate the notion of equivalent service into its criteria when assessing the validity of consent in environments dominated by large platforms.
Towards a data ecosystem that respects freedom and competition
With this resolution, Brussels transcends the patrimonialist vision of privacy: personal data is not "sold" or "rented" in exchange for functionality; it is an attribute of human dignity, unavailable to the mercantile whim of the gatekeeper. For companies operating in Spain – from unicorns to budding e-commerce firms – the lesson is unequivocal: the GDPR is no longer the goal, but the starting point.
At Certus we understand that the challenge is not only to avoid penalties, but to integrate the principle of free consent and the logic of fair competition into the DNA of each digital business model. Whoever does so will not only sleep peacefully before the Commission; they will also gain in reputation and trust, increasingly valuable currencies in the data economy.
