Apple & Meta handed first EU Commission non-compliance decisions under the Digital Marketing Act

On 23 April 2025, the EU Commission found that Apple had breached its anti-steering obligation under the DMA (Digital Marketing Act) and that Meta breached the DMA obligation to give consumers the choice of a service that uses less of their data. It subsequently handed out fines €500m and €200m to Apple and Meta respectively.

These decisions highlight the importance that the EU has in implementing the DMA to non-compliant companies. While the anticipated penalties are the first to be issued under the DMA, it has been argued that they’re significantly lower than previous fines given to ‘big tech’ companies in breach of EU data protection laws. 

Here, qualified Data Protection Practitioner Eleanore Beard and Trainee Solicitor Emily Rickard outline more about each fine and the legality of ‘consent or pay’ models.

What is the DMA?

The DMA is the EU’s law to make the markets in the digital sector fairer and more contestable. It establishes a set of clearly-defined objective criteria to identify ‘gatekeepers’ — large digital platforms that provide core platform services, such as online search engines, app stores and messenger services. 

The DMA is one of the first regulatory tools to comprehensively regulate the gatekeeper power of the largest digital companies.

The Apple fine explained

Under the DMA, app developers that distribute their apps via Apple’s App Store should be able to inform customers — free of charge — of alternative offers outside of the App Store, steer them to those offers and allow them to make purchases. 

The EU Commission found that Apple failed to comply with this obligation. 

The restrictions imposed by Apple meant that app developers couldn’t fully benefit from the advantages of alternative distribution channels outside of the App Store and that — since Apple prevents app developers from directly informing consumers of such offers — customers similarly couldn’t fully benefit from alternative and cheaper offers. Apple failed to demonstrate that these restrictions were objectively necessary and proportionate. 

The EU Commission has ordered Apple to remove the technical and commercial restrictions on steering and refrain from perpetuating its non-compliant conduct in the future. 

The fine imposed takes into account the gravity and duration of the non-compliance. 

The Meta fine explained

‘Consent or pay’ is a business model that offers potential service users a choice either to pay a fee to access the service or consent to the service provider using their personal data to provide personalised advertising. 

Under the DMA, gatekeepers must seek users’ consent for combining their personal data between services. Those users who don’t consent must have access to a less personalised but equivalent alternative. 

In November 2023, Meta introduced a binary ‘consent or pay’ advertising model. EU users of Facebook and Instagram had a choice — consent to a personal data combination for personalised advertising or pay a monthly subscription for an ad-free service. 

Since this didn’t give users the required specific choice to opt for a service that uses less of their personal data but is otherwise equivalent to the ‘personalised ads’ service, it wasn’t compliant with the DMA as it failed to allow users to exercise their right to freely consent.

As a result, Meta has been fined €200m.

In November 2024, Meta introduced a new version of the free personalised ads model that allegedly uses less personal data to display advertisements. The Commission is currently assessing this new alternative. 

Will the EU Commission’s decision affect trade tensions?

The recent spiralling trade war between the EU and US may have influenced the Commission’s decision. 

Since Donald Trump’s return to the White House, protectionist and aggressive trade policies have been implemented towards the EU — imposing 25% tariffs on EU steel, aluminium and cars. 

Although there’s currently a ‘ceasefire’ in these tariff wars, the Trump administration has criticised the EU Commission’s decision, stating that it represents an unfair targeting of American companies. 

However, the fines are argued to be considerably lower in comparison to other fines received by the likes of Google, which included a record €4.1bn antitrust fine in 2018. This may show the EU’s intention not to escalate the current conflict.

The ICO and consent or pay models

The ICO published guidance in January 2025 about consent or pay models, stating that they can be compliant with data protection regulations providing that consent is freely given and other legal requirements are met. 

However, following Meta’s fine for its consent or pay model, we wonder whether the ICO will release further guidance after the EU Commission finalises its opinion of Meta’s new model. 

As per the ICO’s January 2025 guidance, the four key factors to help assess if consent is given freely are:

1. Power imbalance — are users truly free to choose?

Consent for personalised ads is unlikely to be freely given when people have little or no choice about whether to use a service or not.

2. Appropriate fee — is the cost fair and not coercive?

Consent for personalised ads is unlikely to be freely given when the alternative is an unreasonably high fee. Fees should be set to provide a realistic choice between the options. 

3. Equivalence — is the fee option genuinely comparable?

The core services made available under the consent option and the paid option must be equivalent to one another. 

4. Privacy by design — is user privacy protected at every step? 

You must provide clear, understandable information about what the options mean and what each one involves. 

Consent for personalised ads is unlikely to be freely given when people don’t understand how their personal information is being used or that they can access the service without having to agree to the use of their personal information. 

Talk to us

Need advice on how to stay compliant with the ever-changing regulatory landscape? Our specialist data protection solicitors can help. 

We offer bespoke data protection management and GDPR compliance training to help guide your journey to compliance.

Talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing our contact form below.