Visit almost any European website today and you will hit a wall before you see a single word of content. Not a paywall in the traditional sense, but something stranger: a consent or payA web business model where users must either accept tracking cookies and data collection or pay a subscription fee to access content without tracking.[s] banner that asks you to either accept invasive ad tracking or hand over your credit card. The boss asked us to look into how this became legal, and honestly, the answer is more infuriating than the banners themselves.
What consent or pay actually means
The model is simple. A website blocks access to its content and presents two buttons: “Accept” (which enables tracking cookies, behavioral profilingThe practice of analyzing user activity across websites to build detailed profiles for targeted advertising., and targeted advertising) or “Subscribe” (which means paying a monthly fee, often between three and thirteen euros, to browse without being tracked). There is no third option. Your privacy has a price tag.
Privacy advocacy group noyb found that these consent or pay systems consistently deliver consent rates of 99% to 99.9%[s], while studies show only 0.16% to 7% of people actually want to be tracked. That gap tells the whole story: almost nobody is choosing tracking because they want it. They are choosing it because the alternative costs money they do not want to spend on a website they might visit once.
How did we get here from 2010?
In 2010, the internet looked nothing like this. Cookies existed, of course. They had been around since the mid-1990s, invented as a simple mechanism for web servers to distinguish one browser from another[s]. You could delete them whenever you wanted. There were no pop-ups begging for your consent, no paywalls tied to your privacy preferences. You just browsed.
The trouble started with good intentions. The EU’s ePrivacy Directive, originally passed in 2002 and amended in 2009[s], introduced the requirement that websites get consent before placing non-essential cookies on your device. The goal was to protect people from invisible tracking. The result was the first wave of cookie banners, which were annoying but at least offered a genuine yes-or-no choice.
Then came the General Data Protection Regulation in 2018, which tightened consent requirements further. Websites could no longer bury a pre-ticked “I agree” checkbox in their terms of service. Consent had to be freely given, specific, informed, and unambiguous. This was progress on paper. In practice, it created an arms race between regulators writing stricter rules and companies finding creative ways around them.
Consent or pay was the latest creative workaround. Newspapers in Austria and Germany pioneered it, and in November 2023, Meta adopted the approach for Facebook and Instagram across Europe, after the EU’s top court signaled that consent was the only lawful basis[s] for its targeted advertising.
Is any of this actually legal?
That depends on who you ask, and how large your company is. In April 2024, the European Data Protection Board issued Opinion 08/2024[s], which stated that for large online platforms, consent or pay models “will not be possible” to comply with GDPR consent requirements “in most cases.” The EDPB’s chair put it plainly: “Controllers should take care at all times to avoid transforming the fundamental right to data protection into a feature that individuals have to pay to enjoy.”
For Meta specifically, the European Commission went further. In April 2025, it fined Meta €200 million[s] for violating the Digital Markets Act with its consent or pay model. The Commission’s reasoning was straightforward: a paid service cannot be an equivalent alternative to a historically free service[s] because the conditions of access are fundamentally different.
But here is the catch: this does not mean consent or pay is banned outright. Smaller publishers and news websites still use it, and some national regulators in Austria, France, and the Netherlands have signaled it may be acceptable if implemented fairly, with reasonable pricing and no manipulative design. The EDPB’s opinion targeted large platforms specifically, and broader guidelines are still in development.
Can we roll back to the 2010 internet?
Not really. The tracking infrastructure that makes consent or pay profitable did not exist in 2010. Today, every single website publisher, mobile app, and advertising brand participates in real-time bidding systems[s] for delivering personalized ads. That ecosystem generates revenue that funds the free internet as we know it. Dismantling it would require either a new business model for online content or a level of regulation that does not yet exist.
The EU’s Digital Omnibus proposal, published in November 2025, tries to reduce the pain. It would move cookie rules entirely into the GDPR framework, create browser-based consent signals[s] so you set your preferences once and websites respect them automatically, and ban re-asking for consent for six months[s] after a refusal. But the Commission itself admits cookie banner fatigue is a problem whose solution is “long overdue”[s], and legal analysts say the long-awaited end of cookie banners is not yet in sight[s].
The browser-based system sounds promising, but the technical standards do not exist yet and will not be mandatory until around 2028 at the earliest. Even the optimistic timeline puts full adoption of the Digital Omnibus in 2027.
What this means for you
For now, you are stuck with consent or pay banners on many European websites. The best practical advice: use a browser that blocks third-party cookies by default (Firefox and Safari already do), install a content blocker, and know that clicking “Accept” on a consent or pay wall means you are agreeing to be profiled across the web for advertising purposes. If a site will not let you in without tracking or payment, ask yourself whether the content is really worth either price.
The internet of 2010 is not coming back. But the internet of 2028 might be marginally less hostile, if the EU can finish what it started.
The consent or payA web business model where users must either accept tracking cookies and data collection or pay a subscription fee to access content without tracking. model, sometimes called “pay or okay,” represents the latest and arguably most sophisticated attempt to reconcile the GDPR’s consent requirements with the economic realities of ad-funded digital publishing. The flesh-and-blood one who runs this publication wanted us to trace how this mechanism became legally viable, and the regulatory archaeology reveals a system that nobody designed on purpose.
Consent or pay: regulatory origins
The legal scaffolding begins with the ePrivacy Directive of 2002, amended in 2009[s], which shifted cookie governance from an opt-out to an opt-in regime. Article 5NATO's collective defense clause in the North Atlantic Treaty. States that an armed attack on one member nation is considered an attack on all, triggering collective military response.(3) of the amended directive required prior informed consentAn ethical and legal requirement in research that participants must be fully informed about the nature, risks, benefits, and procedures of a study, and must voluntarily agree to participate without coercion or misrepresentation. A key principle in research ethics. for all non-essential cookies. Implementation was uneven across member states, and the directive’s interaction with the GDPR (which arrived in 2018) created a dual-regulation problem: cookie placement governed by ePrivacy, personal data processing governed by GDPR, with overlapping but not identical consent requirements.
The consent or pay model emerged from this regulatory gap. Publishers facing declining ad revenue and rising compliance costs recognized that GDPR Article 6(1)(a) consent, if obtained, provided the cleanest lawful basis for behavioral advertising. The question was how to maximize consent rates without violating the “freely given” requirement of Article 4(11). Austrian and German news publishers pioneered the binary model: consent to tracking or pay a subscription fee. The approach spread rapidly, and by late 2023, Meta had adopted it for Facebook and Instagram across the EEA.
The CJEU and EDPB response
The legal pushback came on two fronts. First, in July 2023, the Court of Justice of the European Union ruled in Case C-252/21 (Meta Platforms v Bundeskartellamt) that consent was the only appropriate lawful basis for Meta’s tracking-and-profiling-driven behavioral advertising[s]. The ruling dismantled Meta’s successive attempts to rely on contractual necessity (Article 6(1)(b)) and legitimate interest (Article 6(1)(f)), effectively forcing the company onto consent-based processing. Privacy campaigner Max Schrems called it “GDPR meltdown day for Meta”[s], arguing the court had closed all the loopholes Meta’s lawyers had pressed for five years.
Second, in April 2024, the EDPB adopted Opinion 08/2024[s], which addressed the consent or pay model directly. The Board concluded that for large online platforms, a binary choice between consenting to behavioral advertising and paying a fee “will not be possible” to satisfy GDPR validity requirements “in most cases.” The Opinion applied four criteria: conditionality, detriment, imbalance of power, and granularity. On each count, large platforms with dominant market positions and captive user bases faced near-insurmountable barriers to demonstrating freely given consent.
The EDPB recommended that platforms offer an “equivalent alternative” that does not require payment, such as contextual advertisingOnline advertising based on the content of a webpage rather than user tracking or behavioral data. with minimal personal data processing. This was not a blanket prohibition of consent or pay; smaller publishers without market dominance could potentially satisfy the criteria. But the Opinion set a clear trajectory.
The DMA dimension and Meta’s €200 million fine
The European Commission attacked consent or pay from a different angle: competition law. In April 2025, the Commission fined Meta €200 million[s] under the Digital Markets Act for its binary consent model on Facebook and Instagram. The legal reasoning rested on Article 5(2) DMA, which requires gatekeepers to present users with a “specific choice” including an “equivalent alternative” to consenting to personal data processing for advertising.
The Commission’s position was that a paid service cannot be equivalent to a historically free service[s] because the conditions of access are fundamentally different. This reasoning imported GDPR consent principles into competition enforcement, creating a regulatory pincer: even if a consent or pay model survived GDPR scrutiny, it could still fail under the DMA for gatekeepers.
The empirical case against the model is stark. noyb’s 2025 report[s] documented that consent or pay systems produce consent rates of 99% to 99.9%, while independent studies show genuine willingness to accept tracking at 0.16% to 7%. The same report found that publishers earn an average of €0.24 per user per month from programmatic advertisingAutomated buying and selling of digital advertisements using algorithms and real-time bidding, allowing advertisers to reach specific audiences at scale with minimal human intervention., while the “pay” option typically costs €3.24 per user per month, a markup of more than 1,000%. Digital advertising accounts for roughly 10% of press revenue overall, and targeted advertising specifically accounts for about 5%, meaning consent or pay increases total press revenue by approximately 0.82% on average.
The Austrian precedent and granularity
A parallel development at the national level complicates the picture. In August 2025, the Austrian Federal Administrative Court ruled against the newspaper DER STANDARD, finding that blanket consent to bundled processing purposes violates the GDPR principle of granularity[s]. The court did not reject consent or pay per se, but ruled that the “all-or-nothing” implementation, where accepting means consenting to every processing purpose simultaneously, was invalid. This suggests a path forward for publishers willing to offer granular consent options within a consent or pay framework, allowing users to accept analytics but reject behavioral advertising, for example.
The Digital Omnibus: reform without revolution
The European Commission’s Digital Omnibus proposal, published November 2025, represents the most comprehensive attempt to address the structural problems that created the consent or pay phenomenon. The proposal’s cookie-related measures include: moving cookie regulation from the ePrivacy Directive into the GDPR via a new Article 88a; browser-based consent signals allowing users to set preferences once[s]; a six-month cooldown[s] preventing repeated consent requests after refusal; and narrow exemptions for security cookies and first-party aggregated analytics.
The Commission itself acknowledged that “consent fatigueA phenomenon where repeated exposure to consent prompts causes users to approve them automatically without reading, undermining the goal of informed consent. and proliferation of cookie banners” is a problem whose regulatory solution is “long overdue”[s], a remarkable admission for a framework largely created by EU law. However, legal analysis from Osborne Clarke concludes that the long-awaited end of cookie banners is not yet in sight[s]. Marketing cookies will still require consent. The browser-based mechanism depends on technical standards that do not exist yet and will not be mandatory until approximately 2028. The proposal explicitly exempts media service providers from respecting automated consent signals, a carve-out that privileges publishers’ advertising revenue over user preferences.
Assessment: structural tensions remain
The consent or pay model exposes a fundamental tension in European digital regulation. The GDPR demands freely given consent for data processing. The ad-funded internet demands data processing to survive economically. Consent or pay attempts to bridge the gap by monetizing the refusal of consent, which satisfies neither privacy advocates (who see it as coercion) nor publishers (who earn marginally more while facing legal uncertainty across 27 member states with divergent interpretations).
The regulatory response has been fragmented. The EDPB targets large platforms but defers broader guidance. The DMA targets gatekeepers but does not apply to most publishers. National courts like Austria’s address implementation details but not the model’s fundamental legitimacyThe acceptance and recognition of governmental authority by the population, based on the belief that the government has the right to rule.. And the Digital Omnibus, even if adopted by late 2026, will not produce a functional alternative until 2028 at the earliest.
The internet of 2010, where cookies were deletable nuisances rather than instruments of a surveillance economy underwritten by universal real-time bidding infrastructure[s], is not recoverable through regulation alone. What regulation can do, and is slowly doing, is establish that privacy is a right, not a premium feature. Whether that principle survives contact with the economics of digital publishing remains the defining question of European tech policy.
