Securiti AI Recognized as a Customers’ Choice For DSPM By Gartner Peer Insights


What to Know About the EDPB’s Opinion on Pay-or-Consent Model Approach

Published May 22, 2024

Privacy or convenience? This question seems destined to determine the future of the digital user experience

The aforementioned assertion was further solidified on April 17, when the European Data Protection Board (EDPB) adopted its non-binding opinion on an Article 64(2) request that the German, Dutch, and Norwegian Data Protection Agencies had made.

A press release issued by the EDPB states that the opinion addresses the validity of consent related to behavioral or targeted advertising within the context of the "Pay-or-Consent" models deployed by Large Online Platforms (LOPs).

This opinion's importance lies in its immediate and possible future implications. LOPs that rely so heavily on targeted advertising must now devise a viable alternative that respects the GDPR's consent provisions and ensures they can engage with their consumers in a fair and transparent manner.

Understanding the key points of this opinion should be the first step in that endeavor, as they illustrate the faults the EDPB has identified and how LOPs can best address them.

Read on to learn more.

The Pay-or-Consent model, also known as “Pay-or-Okay,” is a business strategy that has gained popularity online, particularly in the context of personalized advertising. The concept is supposedly fairly simple and straightforward. Users visiting a website are given two options: either pay a fee to continue using the services offered by the website without having their personal data collected for targeted advertising or consent to the data collection and use for targeted advertising in exchange for free access to the website’s services.

However, the reality is more complex. Businesses rely heavily on users’ personal data to inform their decisions and shape product and service development, marketing campaigns, and overall user relationships. Meanwhile, users are increasingly concerned about their online privacy, leading to a decrease in willingness to agree to data processing. This skepticism has made them less likely to agree to data processing.

The Pay-or-Consent model seems like a reasonable alternative for businesses, as it respects users' choices while providing a revenue stream. However, as critics of the model point out, it violates the concept of “freely given consent,” as consent must not be coerced, manipulated, or conditional upon the provision of a service.

The assertion that the model is coercive in nature becomes more compelling if the fee is set high enough to nudge users toward consenting to targeted advertising. This is what makes the EDPB’s opinion so important, as it provides much-needed clarity on this matter.

A Background to this Case

In July 2023, the Court of Justice of the European Union (CJEU) passed a judgment in the case between Meta and the Bundeskartellamt (The Federal Cartel Office). The Bundeskartellamt argued that Meta violated certain GDPR’s consent-related provisions in its data collection and processing activities between 2018 and 2023.

The GDPR consists of six legal bases for businesses to collect personal data, consent being one of them. The Bundeskartellamt alleged that Meta had been trying to circumvent consent requirements for targeted advertisements by insisting that such advertisements were a “service” and hence fall under “contractual necessity,” another of the six legal bases. Hence, Meta was essentially arguing that these advertisements were necessary to fulfill the contractual obligation with users, potentially sidestepping the need for explicit consent.

The CJEU ruling also suggested introducing an alternative to ads "if necessary, for an appropriate fee." This led to the adoption of the Pay-or-Consent model by Meta and other LOPs.

Key Points From the EDPB’s Opinion

The EDPB’s opinion text is extensively thorough and clarifies every critical aspect of the Pay-or-Consent model. The most important takeaways from this opinion include the following:

Freely Given

The EDPB is certain in stressing that per the GDPR’s definition, it is important for any provided consent to be freely given, specific, informed, and unambiguous. However, since the Pay-or-Consent model has a degree of coercion attached to it, any consent gained under it may be invalidated, putting organizations that have relied on such a method in serious violation of the GDPR.


Consent cannot be deemed freely given if the user experiences detriment due to withholding or withdrawing consent. Moreover, detriment may arise if users are denied access to prominent online services for opting not to pay a fee or provide consent for personal data processing in behavioral advertising without being offered a suitable alternative. On a case-by-case basis, the controllers should evaluate whether imposing a fee is justified and, if so, determine a reasonable and appropriate amount in the specific circumstances.


The EDPB stresses that data subjects must be able to provide specific, granular consent when presented with a 'consent or pay' option, allowing them to choose which particular purposes they agree to rather than being forced to accept a broad range of processing purposes as a single bundle.


Where data processing is not necessary to fulfill the contract, users must have the right to decline consent without being forced to discontinue using the service entirely. Additionally, service providers must offer a comparable alternative that does not involve such data processing, ensuring users have a genuine choice.

Equivalent Alternatives

The EDPB recommends developing “equivalent alternatives” that do not require a fee. Though it warns that, in most cases, Pay-or-Consent models will not be able to comply with the consent requirements per the GDPR, they may deploy these models only if they can offer genuine alternatives that do not require a fee or involve processing users’ personal data for targeted advertising e.g. with a form of advertising involving the processing of less (or no) personal data.

The EDPB considers two versions of a service or product equivalent if the only difference is processing for behavioral advertising purposes. Equivalent versions must offer the same elements and functions without significant differences or degradation in quality, even if not identical. This means users who opt out of behavioral advertising should still have access to a comparable version of the service or product.

Imbalance of Power

Consent can not be used as a legal basis when there is a clear power imbalance between the service provider and the user. When assessing the balance of power, the following factors must be considered: the platform's dominant market position, the level of dependence of the user on the service, and the targeted primary audience. If a power imbalance exists, consent cannot be considered freely given.

LOPs must also think beyond their consent-related obligations under GDPR. The EDPB's opinion stresses adherence to vital GDPR principles such as purpose limitation, data minimization, and fairness. Each of these is important for LOPs to demonstrate their data processing practices as being responsible and proportional.

Potential Business Implications

Naturally, the EDPB’s opinion will have lasting business implications. Most LOPs place a tremendous degree of importance on their digital marketing efforts, where users’ personal data forms the core of their digital operations. Hence, these LOPs must now rethink their digital marketing strategies that rely on targeted advertising. This means a greater degree of expenditure in researching alternative strategies incorporating contextual advertising while adhering to the definition of valid consent and other principles of the GDPR.

How Securiti Can Help

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Numerous highly respectable global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

With the DCC, organizations gain access to several modules and solutions designed specifically to ensure compliance with various obligations and requirements that data regulations place on organizations.

One of these modules is the consent management solution. It comes with a fully personalized preference center that can be tailored to an organization’s specific needs, along with a centralized repository of consent records for auditing and reporting purposes. Additionally, it can be deployed simultaneously at multiple collection endpoints based on branding, functionality, and regulatory requirements.

Moreover, the centralized dashboard provides a comprehensive overview of all important consent-related information, allowing for proactive action whenever necessary.

Request a demo today and learn more about how Securiti can help you comply with the consent-related obligations per the GDPR as well as any other major data regulations globally.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You