Introduction
The recent rise of ‘Consent or Pay’ models has made them one of the most debated monetisation strategies. The model usually gives a user of the service three choices: first, to ‘Accept Tracking’; second, to pay for access to the website without personalised advertising or tracking; or lastly, to leave the service entirely. Companies prefer the model because it preserves advertising revenue while adhering to stricter consent rules. The model often raises a legal question: is this a lawful business practice, or has it made privacy something a user has to pay for?
The answer is not a simple yes or no, as neither the European Union (EU) nor the United Kingdom (UK) regime makes consent or pay models unlawful per se. However, the model only works if it follows the basic principles of data protection. In the EU, courts and regulators are particularly sceptical where large platforms force users into an ‘accept behavioural advertising or pay’ model. In the UK, the Information Commissioner’s Office (ICO) takes a more practical approach and has published guidance for organisations that want to operate such models.
What is the Consent or Pay model?
Consent or pay models are defined as models where the controller offers data subjects access in exchange for either consent to personalised advertising or payment for an alternative version of the service that does not use personal data for personalised advertising.
The model is different from a traditional cookie wall or banner. A cookie wall usually gives the user the option to ‘accept tracking’ or ‘stop access’, whereas the consent or pay model introduces a ‘paid route’ to this dynamic. This additional route is important because companies often rely on it to argue that users have a genuine alternative to accepting tracking. However, the mere addition of a payment option does not automatically make consent valid.
The European Data Protection Board’s (EDPB) Opinion 08/2024 on consent or pay models states that consent from a user may still not be considered freely given if the fee charged is unrealistic, if the service is essential, if the non-consent alternative is not genuinely equivalent, or if the interface nudges users toward consenting.
Relevant Privacy laws and Regulations
The EU and UK General Data Protection Regulations (GDPR) are the core legal frameworks for assessing consent or pay models. The starting point is Article 6(1)(a) GDPR, which allows personal data to be processed on the basis of consent. Companies rely on this lawful basis where the website uses personalised advertising, profiling or behavioural tracking.
Companies are expected to meet the consent standards mentioned in Article 4(11) and Article 7 GDPR. Article 7 adds further conditions, as it requires companies to prove that valid consent was obtained and that users are able to withdraw consent as easily as they gave it.
These requirements must also be read together with Article 5 GDPR, especially the principles of lawfulness, fairness and transparency. Even if the consent is formally collected, the processing may still be problematic if the choice presented to users is misleading, excessive or unfairly designed to push users towards tracking.
For websites, companies must also comply with an additional layer of regulation. In the EU, tracking cookies, pixels, local storage, and similar technologies are governed by Article 5(3) of the ePrivacy framework, while in the UK they are regulated under Regulation 6 of the Privacy and Electronic Communications Regulations (PECR). This matters because many ‘consent or pay’ models are not merely seeking users’ consent for personal data processing; they are also seeking the user’s consent to set or access advertising cookies and similar tracking technologies on the user’s device. Companies must therefore ensure that they comply with the EU/UK GDPR for personal data processing, and that they obtain valid consent under the ePrivacy framework or PECR for the tracking layer.
EU Position: Accepted in Principle, but Scrutinised in Practice
The position under European law is shaped by the CJEU’s judgment in Meta Platforms v Bundeskartellamt (Case C-252/21). The court emphasised that users must have the right to refuse processing operations that are not necessary for the performance of the contract without being forced to stop using the service entirely. The court also stated that users may be offered, if necessary for an appropriate fee, an equivalent alternative that is not accompanied by such processing.
The EDPB’s Opinion 08/2024 then tightened the position for large online platforms. The EDPB states that in most cases, large online platforms will not meet the requirements for valid consent if they confront users only with a choice between consenting to behavioural advertising and paying a fee. It further suggests that larger platforms should consider offering users a free equivalent alternative without behavioural advertising, such as contextual or general advertising, or advertising based on topics selected by the data subject, that involves less or no personal data.
UK Position: More Permissive, but Still Conditional
The UK ICO’s 2025 guidance is more operational and business-friendly. It states that consent or pay models can be compliant if companies are able to demonstrate that users have given their consent freely and that the model meets the conditions laid down in the UK GDPR and PECR. The ICO states that companies must conduct a Data Protection Impact Assessment (DPIA) in such instances and document their compliance with both laws.
The guidance focuses on four factors that a company must consider: “power imbalance, appropriate fee, equivalence and privacy by design”. It also recognises the right of companies to monetise products and services, and that there is no general obligation to provide online services for free. However, commercial entities must ensure that their services operate within the purview of data protection laws.
The practical distinction between the two regimes is that the EDPB’s preferred direction is for companies to give the user a three-option model, i.e. consent to behavioural advertising, pay for no behavioural advertising, or access a free equivalent alternative using no or less personal data. The ICO, on the other hand, is more open to the consent or pay model and permits companies to deploy it provided the organisation can evidence fairness, proportionality and user control.
Behavioural Advertising: Where Legal Risk Increases
Consent or pay models are particularly sensitive when they involve behavioural advertising. Such advertising relies on observing user behaviour, inferred interests, cross-site activity and device identifiers, and on the creation of user profiles. The more extensive the profiling, the harder it becomes for the company to justify that the user’s consent was freely obtained, informed, and fair. This concern is highlighted in Schrems v Meta (2024), where the court held that an online social network cannot use personal data for targeted advertising without limits as to time and without distinction by type of data. It highlighted that even though advertising might be central to a platform’s business model, the use of behavioural data must remain proportionate and compliant with the GDPR.
DMA: Additional Rules for Gatekeepers
The Digital Markets Act (DMA) does not apply to every consent or pay service, but it is important for large platforms that are designated as gatekeepers. In April 2025, the European Commission found that Meta’s consent or pay model breached the DMA because users were not offered the required choice of a service using less personal data. The Commission fined Meta 200 million dollars. Although this was not a GDPR judgment, it is relevant because it shows that large platforms may face stricter obligations beyond data protection law, particularly around user choice, data combination, and behavioural advertising.
Compliance Checklist for Organisations
When deploying a consent or pay model, an organisation can take the following steps:
- Carry out a DPIA before launch
  A consent or pay model should be assessed before it is deployed on the digital service. A company must conduct a DPIA, as personalised advertising, behavioural tracking, and profiling may involve high-risk processing. The DPIA should identify the categories of data collected, the tracking technologies used, the advertising partners involved, the nature of any profiling activities, the potential risks to users and the measures adopted to mitigate those risks.
- Power imbalance
  Companies must assess whether there is a power imbalance between the digital service they provide and the user. If the user is dependent on the service, faces high switching costs, or has no realistic alternative, then it would be difficult to prove that the consent is given freely. This is particularly relevant in the case of large platforms, social networks or essential information services.
- Fee must be appropriate to the service provided
  If companies opt to introduce a paid service option, they must ensure that it is not priced in such a way that users are effectively pushed into accepting tracking. Companies should be able to justify the fee by reference to the value of the service, the loss of advertising revenue, and the need to preserve genuine user choice.
- Provide an equivalent core service
  Users who refuse tracking should not receive a materially inferior version of the service. While some differences can exist between the consent-based and paid alternatives, those differences should not operate as a penalty for refusing personalised advertising. Therefore, companies should ensure that the paid alternative provides broadly the same core product or service as the version funded through consent-based advertising.
- Provide granular consent
  Consent should be granular and separated by purpose. It should not be bundled with analytics, content personalisation, email marketing or third-party sharing. A company should clearly explain what data is collected, for what purposes, whether third parties are involved, and how consent can be withdrawn. Companies should ensure that they do not present the option to accept tracking more prominently, or make that option easier to choose, than the option to pay, reject or manage preferences.
- Offer a contextual advertising route where risk is high
  In higher-risk cases, especially for large platforms, organisations should consider offering contextual advertising. A user could be given free access with contextual advertising rather than behavioural advertising. This is the EDPB’s preferred position, and companies can opt for it to reduce the risk that the model is seen as forcing users to choose between privacy and payment.
Conclusion
Consent or pay models are not unlawful under the EU/UK GDPR, but they are also not valid simply because a company offers a payment option to avoid advertising, profiling or tracking. Their legality depends on whether the user is given a genuine, fair, and informed choice. Companies must ensure that users are not pressured into accepting tracking through excessive fees, inferior alternatives, confusing interfaces, or bundled consent requests. Consent or pay models must be assessed before deployment to ensure that they are compliant with the GDPR and supplementary regulations, and companies must be able to demonstrate that users retain control over their data.