Meta Loses EU Case, Todd Snyder Hit with $345K Fine, UK’s Data Adequacy Gets Extension

Privacy Corner Newsletter: May 8, 2025
In this edition of the Privacy Corner Newsletter:
- Nice try: General court shuts down Meta's challenge to the EDPB’s 'consent or pay' opinion
- A broken cookie mechanism and excessive ID requirements land Todd Snyder a $345k CCPA fine
- The EDPB greenlights a short extension for UK adequacy—just this once
- What we’re reading: Recommended privacy content for the week.
Nice try: General court shuts down Meta's challenge to EDPB 'consent or pay' opinion
The EU's General Court has dismissed Meta's attempt to annul an opinion from the European Data Protection Board (EDPB) concerning 'consent or pay' models.
- Meta's action sought to overturn EDPB Opinion 8/2024, which addressed valid consent for “consent or pay” models used by “large online platforms”.
- The General Court ruled the EDPB opinion is not a legally binding act subject to challenge because it does not, by itself, produce legal effects on Meta.
- The Court also dismissed Meta's associated claim for financial compensation from the EDPB as manifestly unfounded.
⇒ What’s the case about?
In case T-319/24, Meta attempted to challenge EDPB Opinion 8/2024, adopted by the Board on April 17, 2024 at the request of several data protection authorities (DPAs).
The DPAs asked the EDPB whether large online platforms could satisfy GDPR's consent requirements when implementing “consent or pay” models, where users choose between “consenting” to targeted ads or paying a fee.
Meta argued the opinion was flawed and sought its annulment and compensation for alleged damages.
Meta lodged its complaint under Article 263 of the Treaty on the Functioning of the European Union (TFEU), which allows for the judicial review and annulment of certain EU acts.
Other big tech companies, such as WhatsApp and TikTok, have also tried to use Article 263 TFEU to challenge the EDPB.
⇒ What did Meta want?
Meta asked the General Court to annul the EDPB's opinion entirely, or at least the relevant parts. The company also claimed non-contractual liability (meaning that the EDPB allegedly owed Meta money for causing it a loss).
The EDPB opinion argued that large online platforms running consent-or-pay models should offer a subscription tier that is both free and involves less processing of personal data. Meta said this would cause a drop in ad revenue that the EDPB should compensate.
⇒ What did the General Court decide?
The Court sided with the EDPB, finding the claim for annulment inadmissible. It emphasized that an action for annulment under Article 263 TFEU is only available against acts intended to produce binding legal effects.
The Court found that the EDPB opinion did not, in itself, alter Meta's legal position. While DPAs should "take utmost account" of some EDPB opinions—namely those issued under Art. 64(1) GDPR—this specific obligation doesn't apply to Art. 64(2) opinions (like the one Meta challenged).
The Court held that Meta's rights are still protected because it can challenge any subsequent binding decisions made by national DPAs (like the Irish Data Protection Commission) that might apply the opinion's reasoning.
The Court also dismissed Meta’s claim for compensation, finding no direct causal link between the opinion itself and any potential damage. Any such damage would more likely stem from Meta's own business decisions or future binding decisions by DPAs, not the advisory opinion.
Broken cookie mechanism and excessive ID requirements land Todd Snyder a $345k CCPA fine
Fashion retailer Todd Snyder, Inc. has agreed to pay a $345,178 fine and overhaul its privacy practices to settle allegations by the California Privacy Protection Agency (CPPA) that it violated the CCPA.
- For 40 days, Todd Snyder’s website had a broken “cookie preferences center” that prevented users from opting out of the sale or sharing of their personal information.
- The company also required consumers to submit a government-issued photo ID to opt out of the sale or sharing of their data via a separate webform.
- The settlement mandates significant changes to Todd Snyder's opt-out mechanisms, verification procedures, and internal training.
What’s the case about?
The CPPA alleged that Todd Snyder, a national retailer selling men's clothing online and in stores (including five in California), failed to honor consumer opt-out requests and improperly demanded verification for these requests, violating key provisions of the California Consumer Privacy Act (CCPA).
The CPPA's factual findings, which Todd Snyder partly admitted to, outlined several violations.
⇒ Broken opt-out mechanism
For 40 days starting in late 2023, when consumers clicked the "Cookie Preferences Center" link, the consent banner would "instantaneously disappear," making it impossible to submit opt-out requests.
The broken cookie preferences center also meant Opt-out Preference Signals (like the Global Privacy Control) weren't processed.
⇒ Excessive verification
To submit CCPA requests to Todd Snyder, consumers had to provide their first name, last name, email, country of residence, and a photograph of themselves holding an ID.
Because Todd Snyder’s cookie preference center was broken, consumers were forced to use this request mechanism to opt out of the sale or sharing of their personal information. The CPPA pointed out that the CCPA prohibits businesses from requiring verification for opt-out requests.
But even for other types of requests that do require verification (such as the right to access or erase personal information), the CPPA found that Todd Snyder unlawfully required government identification.
The CCPA requires businesses to match identifying information to what they already hold and to avoid collecting more information than necessary, especially sensitive data like government ID.
⇒ What does Todd Snyder have to do now?
Under the Stipulated Final Order, Todd Snyder must:
- Pay a $345,178 administrative fine within 30 days.
- Stop requiring verification for “Do Not Sell or Share” requests.
- Stop demanding more information than is necessary for other types of CCPA requests.
- Ensure compliance with Opt-out Preference Signal requirements.
- Develop procedures to identify and process opt-outs, including via third-party trackers, and monitor the effectiveness of these methods.
- Train personnel on CCPA requirements within 90 days.
- Implement a contract management process for external data recipients within 180 days.
In particular, this case should remind CCPA-covered businesses to monitor the functioning of their cookie consent mechanisms and not implement unnecessary hurdles that prevent consumers from exercising their privacy rights.
EDPB greenlights short extension for UK adequacy—just this once
The European Data Protection Board (EDPB) has given its approval to a six-month "technical extension" of the UK's current EU adequacy decisions, which pushes their expiry date to December 27, 2025.
- The European Commission proposed the extension to allow for the conclusion of the UK's ongoing data protection and privacy reforms, the Data (Use and Access) Bill (DUAB).
- The EDPB agrees that this short delay is necessary for the Commission to properly assess the UK's updated legal framework once the new bill is adopted.
- This opinion only covers the extension; it's not a new assessment of UK data protection standards, which the EDPB will scrutinize later.
⇒ What's this opinion about?
In Opinion 06/2025, adopted on May 5, 2025, the EDPB responded to the European Commission's proposal to extend the UK's existing adequacy decisions under both the GDPR and the Law Enforcement Directive (LED).
These decisions, first granted in June 2021, allow personal data to flow freely from the EEA to the UK. They included a "sunset clause" and were due to expire on June 27, 2025, unless renewed. In March, the Commission extended this deadline by six months.
As part of the adequacy process, the EDPB has issued a non-binding opinion on the decision to grant an extension.
⇒ Why the extension?
The Commission granted an extension to the sunset clause because the UK introduced a new Data (Use and Access) Bill (DUAB) in October 2024, which is still making its way through Parliament and isn't expected to pass before late spring.
The Commission argued that assessing the UK's "essential equivalence" requires a stable legal framework. Extending the current decisions by six months gives the UK time to finalize the DUA Bill.
This means the Commission can then assess the actual, updated UK data protection law, rather than a moving target. During this extension, the 2021 adequacy findings remain in place.
In its opinion, the EDPB recognized the "necessity" of the Commission’s "technical and time-limited extension".
⇒ Is this a new adequacy decision?
No. The EDPB is very clear that this Opinion "only concerns the proposed 6-month extension" and "does not assess the level of protection afforded in the UK".
The EDPB explicitly states this opinion doesn't revisit its 2021 opinions on the original UK adequacy (Opinions 14/2021 and 15/2021), and those views "remain valid" (para 6). The Board expects the Commission to consider those earlier points in any future full assessment.
⇒ What does the EDPB think about further extensions?
The EDPB "understands that this extension is exceptional and caused by the ongoing legislative process in the UK and that it should not, in principle, be further prolonged".
Essentially, the EDPB sees this as a one-off to deal with the timing of the DUA Bill, not an open door for repeated delays.
If the DUAB, once passed, significantly weakens UK data protection in a way that affects essential equivalence, the Commission could still suspend or amend the adequacy decision even before the new December deadline.
While the DUAB is less radical than the data protection reforms introduced by the UK’s previous government, the law still includes some controversial plans to reform the UK’s DPA and loosen rules around sharing data with public authorities.
Businesses relying on UK adequacy should keep an eye on the DUAB as it progresses through the legislative process.
What We’re Reading
- Verbraucherzentrale NRW requests Meta to cease and desist AI training in the EU: Noyb’s statement on a case against Meta’s AI training policy.
- Conformity Assessments under the EU AI Act: A step-by-step guide: The Future of Privacy Forum and OneTrust provide an overview of conformity assessment requirements under the EU’s AI Act.
- Attorney General Ken Paxton Takes Legal Action Against Chinese Companies Violating Texans’ Privacy Rights: The Texas Attorney General takes aim at companies allegedly transferring personal data to China.
