Get in Touch
September 24, 2025

Consent-Or-Pay Model: Choice Or Coercion?

Introduction

In recent years, a new monetization strategy has emerged in digital services: the “consent-or-pay” model. Under this approach, users of a platform are given a binary choice: either agree to pervasive data collection and personalized advertising (consent) or pay a fee for an ad-free experience.

One recent example of this model is Meta’s “pay-or-consent” scheme launched in the European Union (hereafter referred to as “EU”) in 2023 presented users with the option to keep using the apps like Instagram or Facebook, for free with ads, although requiring consent to behavioral advertising, or pay a monthly fee to remove ads. This model has gained prominence due to its approach of forcing a choice.

Companies seek either user permission for data use or an alternate revenue stream. The “consent-or-pay” model forces users to choose between accepting targeted advertising and paying for privacy.

Meta’s Strategy and EU Enforcement

Meta was the most high-profile adopter of the consent-or-pay model. In late 2023, seeking the General Data Protection Regulation (hereafter referred to as “GDPR”) compliant basis to resume targeted advertising in Europe, Meta proposed charging EU users a monthly “Ad-Free Subscription” which went up to €10 per month, in lieu of consent to data-driven ads. This meant that if users did not consent to processing their data for advertising, they would be cut off from the service unless they paid.

In March 2024, the European Commission under its new Digital Markets Act (hereinafter referred to as “DMA”) ruled that Meta’s offer violated the EU rules. Gatekeepers under the DMA must provide a genuine alternative if users withhold consent. The Commission found Meta’s paid option was not truly equivalent to the ad-supported service as the paid version still collected extensive data and lacked a non-monetary free alternative. Meta was fined €200 million for non-compliance which it appealed.

Behind these disputes is Meta’s history with the EU data law. In November 2023, the EU’s data regulators had imposed all over the European Economic Area (“EEA”) a wide ban on Meta’s use of certain ad-related data for targeted ads.

The Irish Data Protection Commission (“DPC”) found Meta’s processing could not be justified under contract or legitimate interest, and the European Data Protection Board (hereinafter referred to as “EDPB”) confirmed the ban. That urgent binding decision forced Meta to stop its existing ad targeting or find a different legal basis. In response, Meta turned to consent. But this provoked a referral to the EDPB and the data protection authorities of Germany specifically Hamburg, the Netherlands, and Norway asked the EDPB to clarify whether consent-or-pay can yield valid consent under the statute.

GDPR’s Provisions

Under the EU’s GDPR, consent must be given by a “freely given, specific, informed and unambiguous” act. Crucially, Article 7(4) of the GDPR states that consent is not “freely given” if obtaining it is conditional on “the performance of a contract… on processing personal data that is not necessary for the performance of that contract”.  In plain terms, if a service requires a user to allow processing of unrelated personal data in order to use it, that consent is automatically invalid.

In addition to consent, the GDPR includes important general principles of data protection. Regardless of consent, controllers have to comply with Article 5 which states that data must be processed fairly, collected for limited purposes, minimized, and kept secure.

The EDPB has noted that just because consent is obtained, even if valid, does not relieve a controller of the obligation to comply with these principles.

The EDPB’s opinion from April 2024 addressed pay-or-consent schemes for large platforms directly. They have confirmed that consent cannot be valid where users are only offered the binary choice of payment or accept advertising in “most cases.” According to the Board, consent must clearly entail an actual alternative. The EDPB highlights specific concerns, one being that consent cannot involve “negative consequences” or “detriment” for refusal. If declining to consent effectively means losing access to essential services, the imbalance of power between user and platform vitiates consent.

The EU’s new DMA has added another layer. As a designated gatekeeper, Meta is subject to DMA Article 5(2) which states that it must obtain consent before combining user data from different services, and if consent is withheld, it must offer a “less personalized” but equivalent service. The Commission found Meta’s 2023 opt-in did not satisfy this, the ad-free option still processed enough data that the Commission deemed it not truly “equivalent” or less intrusive.

Is it a Choice or Coercion?

Critics of the model argue that in practice “consent-or-pay” creates a coercive consent trap. When users desperately want a service like social media, search, news content, etc., asking them to pay to avoid tracking can effectively force most to surrender privacy. In Meta’s case, surveys showed only a small fraction of users approximately 3% chose to pay, the rest opted for or rather had no option but to opt for tracking, suggesting the choice was anything but voluntary.

Privacy advocates warn this unfair dynamic puts low-income users at a disadvantage. They either pay for something as significant as their privacy, that others get “free,” or they must give up their privacy to access knowledge and services. From a legal viewpoint, the key issue is whether consent remains voluntary and informed. If a user must “pay” (in money or access) as the only way to avoid data profiling, the GDPR’s free-consent standard is arguably violated. Large-platform models must be accompanied by real alternatives (e.g. content-based advertising, minimal data processing) so that refusal of tracking does not come with a penalty.

Other than consent, the model raises fairness and competition questions. Some argue that tying privacy to payment gives platforms an unfair advantage. They can monetize user data one way or another, ignoring privacy rights and possibly harming digital markets by locking users into specific ecosystems. While others counter that offering a paid option respects consumer freedom.

Regardless, regulators are clear that any consent-based scheme must truly leave users free to refuse. The EDPB and Data Protection Authority (DPA) have suggested adding a third option like allowing non-personalized, contextual ads or an equivalent free service so that users unwilling or unable to pay still have meaningful access to service.

The Model’s Context in India’s DPDP Act

India’s new Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDP” Act) was enacted amid growing global attention to privacy. Although its regulatory machinery such as Data Protection Board (“DPB”) has yet to be set up, the Act’s text contains familiar consent parameters. As per Section 6 of the said Act, consent should be “free, specific, informed, unconditional, and unambiguous”.

In a 2025 white paper on cookies, Advertising Standards Council of India (“ASCI”) warned that consent-or-pay “cookie walls” effectively hold content hostage and violate the DPDP Act’s demand that consent be free and revocable. ASCI o that anything less than a real option to refuse would be a direct assault on user autonomy. Conclusively, if an Indian company tried to roll out a consent-or-pay scheme, regulators would likely deem the consent invalid under the law, since users are being coerced by having to either pay or surrender privacy.

However, enforcement gaps remain. The DPDP Act’s DPB is not yet operational, and until rules are implemented, there is uncertainty about how strictly these provisions will be applied. Unlike the EU DMA, India has no separate gatekeeper regime addressing data‐funded platforms. Indian law does not explicitly mandate an alternative free service under a consent-or-pay scheme.

AMLEGALS Remarks

The ‘consent-or-pay’ model sits at the intersection of privacy law, digital business models, and user rights. Meta’s case has shown that in the EU, regulators demand more than a binary choice that any consent be voluntary and uncoerced. As regulators in the EU have highlighted, consent cannot be considered freely given, if refusal is tied to either financial burden or loss of access.

In Indian context, where DPDP Act is yet to be implemented, India’s regulatory authorities will need to ensure that data privacy rights are not reduced to a transactional commodity. If companies attempt to replicate the EU model here, it will be crucial for regulators to give clear guidelines to establish that data privacy is a right, not a paid feature. If companies attempt to replicate the EU model here, it will be crucial for regulators to give clear guidelines to establish that data privacy is a right, not a purchasable feature.

 

For any queries or feedback, feel free to connect with mridusha.guha@amlegals.com 

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

 

Disclaimer & Confirmation

As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:

    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.

However, the user is advised to confirm the veracity of the same from independent and expert sources.

I Agree I Disagree