Consent or Pay

Consent or pay is a business model where websites give users a choice between paying for a service, consenting to share personal data, or not using the service at all. The legality of this is in question, as most privacy laws require users to provide freely-given consent to sharing their data. When the alternative to sharing data is payment, this consent may no longer be free.

The UK Information Commissioner's Office (ICO) released guidance on this issue, explaining that businesses can use a "consent or pay" model if they can justify that users can freely give their consent.

However, Meta, the company behind Facebook, was also recently fined €200 million under the Digital Markets Act (DMA) by the European Commission for the same model. Before you use a consent or pay model for your business, you need to be clear about what the law says, and how to use a consent or pay model compliantly.

This article explains what consent or pay is, goes through the ICO's guidance, and examines the GDPR, UK, and US laws, as well as European regulator guidelines. Finally, this article explains whether consent or pay is legal, and provides tips to help you keep your business compliant.


Consent or pay is a business model where your website or app users can choose between consenting to sharing their personal data, paying for your website or app, or declining to use it altogether.

For businesses, this means a consent or pay model is only viable if you can show regulators that users have a genuine, low‑pressure choice and that your fee and service design are fair.

Consent or pay has arisen mostly because of increasing strictness in consent laws around advertising and cookies. As cookie consent laws become more common, more users are declining the use of cookies. As a result, businesses are looking for other options to encourage users to allow personalised advertising.

Usually, websites or services have a pop-up that appears so that users can select which option they prefer, before they are able to continue to use the service.

Here's an example of a "consent or pay" pop-up from The Guardian. In this example you can see that the user has two options: to accept personalised advertising and cookies, or to reject cookies but subscribe to The Guardian. Alternatively, they can close the website.

The Guardian consent or pay pop-up showing advertising options

Here's another example from the Daily Mail, also offering a consent or pay model. In this example you can also see that users need to choose between purchasing a Daily Mail subscription, allowing personalised ads, or closing the website.

Daily Mail consent or pay model with subscription and advertising options

The ICO released guidance in January 2025 to explain to businesses how they can use a consent or pay model in a compliant way.

However, in April 2025, Meta was fined by the European Commission for breaching the Digital Markets Act (DMA). Under the DMA, companies are required to give consumers a choice of a service that uses less of their personal data, such as a third option allowing free use of the website with non-personalised ads.

The question of consent or pay is a controversial one, as it is still somewhat unclear whether consent can be "freely given" when the alternative costs money. According to regulators, the legality of a consent or pay model will often be decided on a case-by-case basis, depending on a number of factors which this article will discuss below. However, you should be careful if you adopt this approach for your business.

If you use pop‑ups like the Guardian or Daily Mail examples, you should assume regulators will scrutinise whether your pricing, design and alternatives really allow users to say no to tracking without unreasonable cost or friction.

The UK GDPR contains sections that say consent must be "freely given" when personal data is collected and processed. Under the UK Privacy and Electronic Communications Regulations (PECR), consent also needs to be freely given when you use cookies.

However, guidance from the Information Commissioner's Office (ICO), the UK data protection regulator, also establishes that consent or pay is a potentially-lawful approach in the UK. In particular, it can be compliant with the UK GDPR when certain conditions are met.

The UK GDPR doesn't explicitly mention consent or pay models, but contains sections outlining that consent must be "freely given". This is the key issue that affects whether the consent or pay approach is legal.

If you are collecting the personal data of someone, under the UK GDPR you need to obtain their consent or have another lawful ground for processing.

Under Article 4 of the UK GDPR, consent is defined as a "freely given, specific, informed and unambiguous indication of the data subject's wishes". You can see this in the section below:

GDPR definition of consent as freely given and specific

Article 7 of the UK GDPR also further explains the conditions for consent.

One of the key parts of the section, as you can see below, is that "when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."

GDPR requirements for consent including clear language and withdrawal rights

This means that consent is only freely given if the use of the service isn't conditional on extra information being provided beyond what is necessary. When websites ask for users to provide personal data for advertising, this advertising data is not necessary for the website to offer the service. As a result, the legality of the consent or pay model is questionable.

In addition, Recital 43 states that if there is a clear imbalance between the data subject and the controller, consent is not a valid legal ground for processing personal data. This is particularly the case if the controller is a public authority.

GDPR freely given consent conditions and legal grounds

In addition, you can see that consent is not freely given if separate consent cannot be provided for different data processing options.

Despite these sections of the UK GDPR, the Information Commissioner's Office (ICO) in the UK has released guidelines that explain that consent or pay can be legal in some circumstances. It's important to remember that these ICO guidelines are not legislation. They are the ICO's interpretation of the UK GDPR and PECR, and they can be changed and updated at any time, so make sure you keep track of whether the guidelines are still current.

UK Privacy and Electronic Communications Regulations (PECR)

Under the UK Privacy and Electronic Communications Regulations (PECR) consent also needs to be freely-given when you want to use cookies or similar technologies. PECR works alongside the UK GDPR to regulate privacy online.

Consent in the PECR is defined as corresponding to the definition of consent in the UK GDPR. This means consent must be freely given, specific and informed.

You also have to provide "clear and comprehensive information" about the purposes of cookies when you obtain consent. This should be part of your disclosure when you inform users of your consent or pay model.

Basically, the same rules that apply under the UK GDPR to consent or pay models, also apply under the PECR.

This means if users feel like they have to consent to cookies because the alternative fee is unreasonable, this would violate both PECR and UK GDPR requirements. Alternatively, if your approach is sufficient to meet the GDPR (and ICO) guidelines, it's likely lawful under both the GDPR and PECR.

Information Commissioner's Office (ICO) Guidelines

The Information Commissioner's Office (ICO) released guidelines on consent or pay in January 2025.

These guidelines explained that "if you are implementing a "consent or pay" model, you must make sure that you are able to demonstrate people have freely given their consent for personalised advertising under the "consent or pay" model."

Factors You Must Take Into Account

The ICO will look at whether your business has real power over users, whether your fee is reasonable, whether your paid and free options are genuinely comparable, and whether your design makes all choices equally visible and understandable.

The ICO guidelines also set out four factors that you need to take into account when you are considering whether the standard of freely-given consent will be met. These four factors are power imbalance, appropriate fee, equivalence, and privacy by design.

You can see the ICO's explanation of these factors in the image below:

ICO guidelines on power imbalance and appropriate fee in consent

In addition, you need to be able to demonstrate that users have given their consent freely. According to the ICO, you can demonstrate this by taking into account all four of the factors explained above, and documenting an assessment of your process.

For example, if you can show the following factors, it's more likely that consent is freely given:

On the other hand, freely-given consent is unlikely if:

You should take these factors into account, and then "identify additional steps ... to ensure that people are freely giving their consent." You should be able to provide documentation for your assessment, as well as the process you have taken to ensure consent is freely-given.

If you find during your assessment that your measures are not sufficient, you'll need to take steps to change your consent or pay approach.

This guidance largely leaves it to businesses to work out how they should demonstrate consent.

ICO Case Study Examples

The ICO guidelines also provide two case studies to help you to understand whether your consent or pay model will be lawful. These case studies also include practical, alternative steps to consent or pay, and ways to make your model more compliant. You can see an excerpt of one of the case studies below:

ICO Guidelines: Organisation A concerns about market position and consent freedom

You can see that in this case study example, Organisation A considers that their market position could create a power imbalance. As a result, Organisation A may struggle to demonstrate freely-given consent.

Data Protection Impact Assessment (DPIA)

Finally, when you consider using a consent or pay model, you'll need to carry out a data protection impact assessment (DPIA).

DPIAs are required under Article 35 of the UK GDPR. A DPIA is required if your processing is likely to result in a high risk to people's rights and freedoms. You can see this in the ICO's guidelines below:

UK GDPR DPIA requirement for high-risk data processing compliance

In its January 2025 material, the ICO signals that personalised advertising under a consent or pay model will usually be "high risk", so you should treat a DPIA as mandatory in practice, not optional.

As you can see, the ICO considers personalised advertising to be a type of processing that is likely to result in a high risk. As a result, you should carry out a DPIA if you use personalised advertising or consent or pay models.

Compared to the UK ICO, EU regulators, laws and cases have a different perspective on consent or pay.

For example, the European Data Protection Board has explicitly stated that consent or pay should not be the default way forward for controllers, and that data controllers should ideally offer users a "further alternative free of charge". In addition, as mentioned above, Meta has already received fines under the DMA for using such a model.

For the GDPR and DMA below it's important to note that the EU has recently released a proposal called the Digital Omnibus Regulation Proposal. This is a proposal to clarify and simplify many EU online and digital laws. This includes the GDPR.

Some civil society groups have problems with the Digital Omnibus and think it weakens privacy rules. Business and industry groups think the Digital Omnibus doesn't go far enough to support innovation. Nonetheless, changes to the EU privacy law landscape are likely to come over the next few years, and you need to ensure you keep track of these changes.

The General Data Protection Regulation (GDPR), like the UK GDPR, states that consent must be "freely given" when personal data is collected and processed.

Article 4(11) of the GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes." You can see this in the section below:

GDPR consent defined as freely given and specific statement

In addition, Article 7(4) of the GDPR uses the same wording as the UK GDPR, and explains that when deciding whether consent is freely given, "utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."

You can see this wording below:

GDPR conditional consent assessment for service contracts

This means that if your users can only access your service if they consent to the processing of their personal data for personalised advertising (which is not necessary), this may be a sign that consent is not freely given.

Like the UK GDPR, Recital 43 of the GDPR also states that consent is presumed not to be freely given if there is a "clear imbalance" between the data subject and the controller. You can see in the Recital below that separate consent for different data processing operations is another important point:

GDPR text highlighted on freely given consent and authority imbalance

Like under the UK GDPR, the most important question for consent or pay models under the GDPR is whether consent is freely-given.

Digital Markets Act (DMA)

The Digital Markets Act (DMA) is an EU regulation that came into force in 2022 and applies to large online platforms designated as "gatekeepers."

The DMA is supposed to ensure free and fair competition in the digital market, i.e., online. The DMA also includes provisions about data processing and consent.

Gatekeepers are companies that meet specific criteria, including providing a "core platform service" with an annual EU turnover of at least €7.5 billion and more than 45 million monthly active users in the EU. This includes companies like Meta, Google, or Amazon. You can see this definition in Article 3 of the DMA below:

Digital Markets Act criteria for gatekeeper designation and thresholds

Under Article 5(2) of the DMA, gatekeepers cannot combine personal data from different services or use personal data from one service in another service without obtaining specific consent from users.

Digital Markets Act obligations for gatekeepers on data processing

You can see that gatekeepers have to obtain consent "within the meaning of Article 4, point (11), and Article 7 of Regulation (EU) 2016/679". This refers to Article 4 and Article 7 of the GDPR.

Importantly, gatekeepers have to provide equivalent alternatives of the same quality without making features conditional on user consent.

This is set out in Recital 36, which states "gatekeepers should enable end users to freely choose to opt-in to such data processing and sign-in practices by offering a less personalised but equivalent alternative, and without making the use of the core platform service or certain functionalities thereof conditional upon the end user's consent."

What Happened in the Meta Case?

In November 2024, Meta introduced a "consent or pay" model for EU users of Facebook and Instagram, where users had a choice between consenting to the use of their personal data for advertising, or paying a monthly subscription for an ad-free service. However, their model was found to be unlawful.

The DMA applied to Meta, and the company was designated as a gatekeeper in September 2023. Under Article 5(2) of the DMA, if users do not consent to data combination, they must be offered a less-personalised but equivalent alternative service.

In April 2025, the European Commission found that Meta breached the DMA. This was because Meta's consent or pay model did not give users a choice to use a service that used less of their personal data but was otherwise equivalent. Meta did not offer a third option of a free service with less intrusive data collection or advertising. As a result, they were fined €200 million.

For gatekeepers like Meta, the Commission stressed that Meta did not offer a third option of a free service with less intrusive data collection or advertising.

The Meta case shows how the DMA applies to consent or pay models in practice, and potentially indicates that the EU may take a more restrictive approach than the UK.

European Data Protection Board (EDPB) Guidelines

In late 2024 the European Data Protection Board (EDPB) issued guidelines on consent or pay models for large online platforms when data is processed for behavioural advertising purposes.

At the time of writing, no more recent guidance from the EDPB has been released. This guidance was in relation to specific questions that the EDPB had been asked, only relating to these large online platforms. This means that the EDPB's guidance is somewhat restricted in scope.

Nonetheless, businesses of all sizes should consider these principles when setting up consent or pay models.

The EDPB concluded that in most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if users only have a choice between consenting to processing of personal data, or paying a fee.

You can see this in the EDPB opinion below:

EDPB Opinion: Consent or pay model unworkable for valid consent with binary choice

In particular, the EDPB also stated that consent or pay models "should not be the default way forward for controllers."

The EDPB recommended in its guidance that large online platforms should offer a third option other than just consent or pay. This third option should be a free alternative without personalised advertising.

The EDPB stated that the following criteria should be taken into account when deciding whether consent is free: "conditionality, detriment, imbalance of power and granularity". In addition, the EDPB found that individual consent or pay models will have to be assessed on a case-by-case basis.

This approach is very similar to what the ICO has suggested, with similar factors applying to the consideration of whether consent is freely given.

Additional guidelines will be released by the EDPB on this issue.

Under US law, consent or pay models are subject to different laws, as US data privacy laws tend to use an opt-out approach rather than an opt-in one like the UK and EU.

This means that under US law, businesses usually don't need to gain explicit consent before collecting and processing personal data. Instead, they have to provide consumers with the ability to opt out of certain data collection or sharing practices.

CCPA

The California Consumer Privacy Act (CCPA), and California Privacy Rights Act (CPRA), are California's privacy laws. Unlike the GDPR and UK GDPR, the CCPA doesn't require explicit consent for data collection and processing, except in certain circumstances.

However, the CCPA does have sections about "financial incentive programs". These are programs that pay users for data. In addition, under the CCPA businesses can provide better or different services to users who pay. You can see the definition of financial incentives in the CCPA below:

CCPA Financial incentive definition related to data retention and sharing

Basically, the CCPA allows businesses to offer financial incentives for the collection, sale, or deletion of personal information. However, the incentive has to be reasonably related to the value provided to the business by the consumer's data.

These approaches require opt-in consent, and users have to understand the terms of the financial service. This is done through a "Notice of Financial Incentive".

This notice has to contain the following information, as you can see in section 7016 of the CCPA Regulations below:

CCPA Financial incentive notice requirements including opt-in and withdrawal rights

As you can see, this model is fundamentally different from the approach in Europe and in the UK. Consent is still relevant in the CCPA/CPRA, but financial incentives and payments are explicitly allowed. The CCPA also doesn't require businesses to obtain consent before collecting data for most purposes.

Several newer US state privacy laws include similar concepts around non-discriminatory pricing and data-driven incentives, so if you roll out a consent or pay style offer in the US you should map it against the specific statutes in every state where you operate, not just California.

In addition, the CCPA/CPRA model supports paying users for data, not users paying to avoid data collection like in the consent or pay model discussed by UK and EU regulators.

Consent or pay can be legal, if the right pre-conditions are met. It depends on specific circumstances such as your jurisdiction, the power relationship between you and your customers, whether you offer equivalent services under both paid and unpaid options, and whether you provide information clearly and understandably.

In the UK, regulators accept consent or pay in principle but only where you can clearly show that consent is freely given under ICO guidance, UK GDPR and PECR.

In the EU, large "gatekeeper" platforms face much stricter constraints under the DMA and EDPB Opinion 08/2024 and usually cannot rely on a simple pay-or-OK choice. The EDPB hasn't released guidance yet for smaller businesses. It's likely, however, that similar rules will apply as in the UK.

In the US, most states still allow data-driven pricing and financial incentives so long as you provide clear notice and comply with any non-discrimination rules.

If you are a large platform, you should offer a third option to customers that allows them to use the service with less intrusive (not personalised) advertising.

| Jurisdiction | High-level position on consent or pay |
| --- | --- |
| UK (ICO, UK GDPR, PECR) | Potentially lawful if you can evidence freely-given consent using the ICO's four factors (power imbalance, appropriate fee, equivalence, privacy by design) and usually after a DPIA. |
| EU (GDPR, DMA, EDPB) | For "normal" controllers, GDPR still focuses on freely-given consent; for DMA gatekeepers, a binary pay-or-OK model without a free, less-personalised alternative has already led to enforcement against Meta. |
| US (CCPA/CPRA and state laws) | Generally allows financial incentives and price differences tied to data, subject to clear Notice of Financial Incentive and reasonable value assessments, and does not require opt-in consent for most tracking. |

There are a number of steps you can take to implement a consent or pay approach legally.

From a business perspective, most compliance failures in consent or pay models come from pricing and design choices (fees that are too high, options that are nudged or hidden, or missing third alternatives), not from the legal wording alone.

Based on the ICO and EDPB guidelines, these include steps such as conducting a DPIA, assessing your market position, calculating an appropriate fee, assessing your services, designing fair consent with a third option, and setting up a documentation process.

You should:

  1. Conduct a DPIA: A Data Protection Impact Assessment (DPIA) is a process used to identify and reduce data protection risks, when there's a "high risk" to the rights of individuals.
    The ICO thinks that the processing involved with consent or pay models is likely to be high risk processing. Carrying out a DPIA can help you to identify any particular issues to your users with this model, and help you to meet your legal obligations.
    Treat the DPIA as your primary defence document if the ICO or an EU authority questions your model.
  2. Assess your market position and position of power: Consider whether your business is in a dominant market position and whether users can easily switch to alternatives. If you find you are in a dominant position, particularly if your business provides public services, you'll be unlikely to be able to use this model.
  3. Calculate an appropriate fee: A high fee is likely to make consent invalid, as users are unlikely to pay a high fee and might instead feel pressured to give their consent to data collection.
    Look at other similar businesses and what they charge for their consent or pay subscription models. For example, if you're a media company, look at other media companies and choose something at market rates.
    In practice, if your fee is far above comparable subscription offers in your sector, regulators are likely to view consent as coerced.
  4. Assess your service equivalence: Make sure you offer the same (but not necessarily identical) core service, of the same quality, under your "pay" option and your "consent" option.
  5. Design fair consent: Make sure users are fully informed of their choices, and that they can withdraw consent easily.
    Consent and pay buttons and website interfaces should present options equally, and not obscure or hide options open to users, or present one option as more appealing than another.
    Avoid dark patterns: make sure the "pay", "consent" and any third option are equally prominent and easy to select or reject.
  6. Provide a third option: Provide your users with a third alternative that does not require them to pay a fee, such as a free alternative that includes advertising, but not targeted advertising.
    This mirrors the EDPB's and EU Commission's expectation that users should have a free, less-personalised alternative that does not turn data protection into a paid feature.
  7. Set up a documentation process: Under a consent or pay model, you need to be able to demonstrate that users have freely given their consent. Document your DPIA, your processes of establishing fees, website design processes, and legal advice you have received.
  8. Regular monitoring: Monitor your approach regularly and reassess your consent or pay model if there are any significant changes to how you process personal data, how you design your website, or what services you offer.

By following these steps, you're highly likely to be able to determine whether your consent or pay model is compliant. If any aspects are, in your assessment, not sufficient, you'll need to make changes to bring your model into compliance.

Importantly, be transparent with your users and offer them fair choices. It's easier and less risky to start with a range of user options that are certainly compliant, than to implement strict consent or pay choices and risk liability.

Summary

Consent or pay is a model where you can offer your users a choice between consenting to share personal data for personalised advertising, paying for access, or not using the service. The legality of this approach depends on whether consent is "freely given".

In the UK, consent or pay can be legal if properly implemented, and the ICO has provided a number of guidelines for businesses. The EU takes a stricter stance, especially for large platforms like Meta. The US approach is more permissive, as it explicitly allows for different pricing based on data collection, and uses an opt-out model in most cases.

If you're considering a consent or pay model, make sure you carry out a DPIA, assess your market position, set reasonable fees for any payment model, and make sure your services are equivalent. Importantly, you need to make sure that users have access to transparent information and can clearly understand their options. You also need to document your assessment process, and be able to clearly demonstrate why your users can freely consent to sharing data with you. If you follow these steps, your business is more likely to be compliant with the UK GDPR and GDPR rules.