Late last year, following half a decade of legal debate and enforcement, Meta started offering EU-based Facebook and Instagram users a paid subscription tier without behavioural advertising. 

With stricter data protection requirements hitting ad revenues, companies are seeking new ways to monetise personal data. Under “consent or pay”, users must pay a monthly fee if they do not consent to ads based on tracking and profiling. 

But it begs the question whether consent or pay complies with the GDPR’s concept of freely given consent. European regulators’ answers could impact many companies reliant on advertising revenue. 

European Data Protection Board (EDPB) Opinion 

The European Data Protection Board (EDPB) published an opinion on 17 April about consent-or-pay models among “large online platforms”. 

“Large online platforms” are not defined in law, but the board clearly has Meta and other large tech companies in mind. The opinion has no binding legal effect on Meta and does not mention the company outside of its footnotes. But EU regulators have taken a relatively firm stance against the consent-or-pay model implemented on Facebook and Instagram. “In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee.” 

The implication is that Meta and other large online platforms may offer users a paid option without behavioural advertising but should also offer further alternatives without behavioural advertising—also for free. This approach would arguably defeat the object of the paid tier. However, the EDPB notes that a “free alternative without behavioural advertising” could include “contextual or general advertising” or ads “selected from a list of topics of interests.” 

A shift to these less intrusive advertising models would be a victory for privacy campaigners. But by significantly restricting how Meta collects and uses data about millions of people, it could also make social media advertising much less effective. 

The Information Commissioner’s Office (ICO) consent-or-pay consultation 

Since last summer, the Information Commissioner’s Office (ICO) has been writing to the UK’s most-visited websites, insisting that they offer users a clear and easy way to reject advertising and analytics cookies. The ICO has yet to “name and shame” any non-compliant companies, despite threatening to do so by the end of January. But perhaps in response to some industry pushback, the regulator is considering endorsing the “consent or pay” model in the UK. 

“In principle, data protection law does not prohibit business models that involve ‘consent or pay,’” the ICO states in its “call for views” on consent-or-pay, before reiterating the importance of meeting the GDPR’s consent requirements. 

In assessing whether an organisation can charge people to avoid behavioural advertising or other data-processing, the ICO recommends that an organisation consider, among other things: 

  • What fee is “appropriate” to ensure people do not consent to behavioural ads merely to avoid paying? 
  • How will it give people enough information to make a free, informed choice? 
  • Will people suffer a “detriment” if they face a choice between paying a fee, consenting to behavioural advertising, or losing access to a service? 

As such, establishing a compliant and profitable consent-or-pay model might be extremely challenging. But with regulators enforcing increasingly stringent cookie rules, many organisations are likely to try. 

HewardMills’ tech and marketing experts know the law and understand how important online advertising can be to businesses. Speak to us about cookie scanning and guidance to ensure you meet regulatory requirements while optimising your marketing strategy. 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at