EU data protection authorities have yet to decide how the "pay or OK" user consent model fits under the EU General Data Protection Regulation. The debate stems from Meta's move to charge for ad-free Facebook and Instagram services in the EU, a practice that raises questions around informed consent and a clear opt-out option.

"Within this particular context, and if we are looking at consent under the GDPR, are people really being given a free choice?" Tobias Judin, head of international at Norway's data protection authority, Datatilsynet, said during a recent IAPP LinkedIn Live. "People are contacting us at the Norwegian DPA because they feel that they are not being given a free choice. Maybe they cannot afford to pay a fee and so probably in some cases, they feel that the 'no way option,' leaving the platform, is also not a realistic option, whereby they may feel coerced to consent."

Norway has been out in front of Meta's targeted advertising issues and the "pay or OK" debate since last year. Datatilsynet placed an interim ban on Meta's data processing for behavioral advertising in July 2023 before petitioning the European Data Protection Board for a ban across the European Economic Area. The EDPB sided with Norway, issuing a binding decision to ban Meta's practices 1 Nov. 2023.

Days before the EDPB ban became public, Meta rolled out its "pay or OK" system, which immediately drew criticism from Datatilsynet and fellow EDPB board members. Since the decision, the EDPB has used plenary meetings to debate its position and potential guidelines on "pay or OK" while consumer organizations have also begun asking the board to clarify whether Meta's system is GDPR compliant.

"If we now say 'OK, this business model is perfectly valid,' then this is what the internet is going to look at, and it could happen that you are faced with 'pay or OK' choices for every service you potentially use," Judin said. "Therefore, it's quite urgent for data protection authorities to have a harmonized approach to this because essentially it is now or never."

Consumers and consent

The heart of the issue for businesses is the dwindling number of legal bases for processing under the GDPR. User consent as a legal basis has been the go-to option for advertising technology businesses for years, particularly as it relates to applying third-party cookies and other user tracking.

Monetization of services is important to every business and some advertisers argue that paying to access services is a standard business model. 

"A big stakeholder is the user, of course, who wants to benefit from free information and content," Criteo Vice-President of Government Affairs and Public Policy Nathalie Laneret, CIPP/E, CIPM, said during the LinkedIn Live. "When he or she consents, they receive ads that are relevant to their preferences."

Laneret also said it is important to "take a balanced approach" to analyzing data processing practices and see who is affected, including the company, advertisers, publishers, the data subject, etc. Every "stakeholder" will face implications surrounding a solution to data processing monetization.

In terms of consumer impact, the GDPR protects EU citizens from an imbalance of power by stating that they have the right to refuse to allow companies to process personal data. University of Surrey associate professor in Law and University of Oxford Research Associate Mikołaj Barczentewicz said the "scale" of impact or invasiveness of the data processed could be subjective.

In a recent letter urging the EDPB to take a stance on the model, 28 consumer advocacy groups wrote that "pay or OK" is likely to proliferate across industries if it goes unaddressed.

"We believe that Meta, and other companies likely to follow suit, are cognizant of the fact that a majority of users will neither be able nor willing to pay a fee," the groups wrote, also noting widespread adoption of the model would "wash away all realistic protections against surveillance capitalism."

Potential solutions

The Digital Services Act aims to create transparency between consumers and online platforms, and it may offer partial guardrails against "pay or OK." Laneret indicated that sensitive data processing that could potentially be looped in with "pay or OK" consent is unlawful under the DSA, which has been enacted.

"With the Digital Services Act and its Article 26 … it will be prohibited to profile users on the basis of sensitive personal data," Laneret said. "So, I think I would somehow say this issue (of sensitive personal data processing concerns) is actually solved."

Alternatives to the "pay or OK" model do exist, according to Barczentewicz. Contextual advertising, which allows companies to fund the services they provide, presents a solution for consumers who want to protect their data without paying a fee. However, social media platforms may not be able to secure contextual advertising from advertisers looking to market to a specific audience that could be found through targeted ads.

An EDPB position that does not balance user and business interests poses risks to all, Barczentewicz said. He indicated the best way to avoid those risks is for all parties to speak their minds regarding potential impacts and hardships.

"My recommendation for businesses, the ones that rely on online advertising, or targeted advertising, is to make their voices known publicly," Barczentewicz said. "For example, if they can show that moving from personalized advertising to contextual advertising would make it impossible to serve some cohorts of users, well, that would be the kind of data that would be very helpful at this stage in the public conversation."