Consent-or-pay, also called pay-or-okay, is a compliance tactic used by certain companies, most notably Meta, to drive up the rates at which users consent to data processing under the European Union's General Data Protection Regulation (GDPR). It consists of presenting the user with a tracking consent notice, but only allowing a binary choice: either the user consents to the data processing, or they are required to pay to use the service, which is otherwise free to use if data processing is consented to. The tactic has been criticised by privacy advocates and non-governmental organisations such as NOYB and Wikimedia Europe, who claim that it is illegal under the GDPR. On 17 April 2024, the European Data Protection Board released a non-binding opinion stating that in most cases, consent-or-pay models do not constitute valid consent within the meaning of the GDPR.
Under the GDPR, the processing of a natural person's personal data is only allowed under six lawful bases: consent, contractual necessity, legal obligation under EU or member state law, public interest, protection of vital interest of an individual, and the processor's legitimate interest.[1]
When the GDPR first came into force in 2018, Meta justified its processing of personal data by claiming that its terms of use constitute a contract under which the user consented to the processing of personal data.[2][3] However, this was challenged by Max Schrems, an Austrian privacy activist, who successfully argued that contractual necessity was not a valid basis of data processing when it comes to personalised advertising.[4] In response to this ruling, Meta changed its lawful basis for personal data processing from contractual necessity to legitimate interest, which was also found not to be a valid basis.[5][6] Meta then changed its lawful basis to consent, but chose to implement it in a way where users who consented to personalised advertising could use the service for free, while those who did not were required to pay a monthly subscription fee to continue using the service.[6]
Critics of this consent model have called it "pay-or-okay", claiming that the monthly fee is disproportional and that users are not able to withdraw their consent to tracking as easily as it is given, which the GDPR requires to be the case. Massimiliano Gelmi, a data protection lawyer at NOYB, has stated that "The law is clear, withdrawing consent must be as easy as giving it in the first place. It is painfully obvious that paying €251,88 per year to withdraw consent is not as easy as clicking an 'Okay' button to accept the tracking."[7][8]
On 17 April 2024, the European Data Protection Board released a non-binding opinion stating that in most cases, consent-or-pay models do not constitute valid consent within the meaning of the GDPR.[9]
On 1 July 2024, the European Commission announced that it had opened an investigation against Meta under the provisions of the Digital Markets Act (DMA), with the preliminary findings claiming that Meta's approach was not in compliance with the DMA, an assertion that Meta has disputed.[10]
Although Meta has faced most of the scrutiny and criticism regarding the use of consent-or-pay, other companies have also utilised the tactic. The Austrian Data Protection Authority (Datenschutzbehörde) has found that Der Standard, a German-language newspaper, has acted unlawfully by using consent-or-pay on its site, while others, including Der Spiegel, Die Zeit, Heise, the Frankfurter Allgemeine Zeitung, the Kronen Zeitung, and T-Online, have been accused of doing the same.[11]