User Privacy Protection for a Fee: Is the ‘Pay or Okay’ Concept Allowed?

Jelena Đukanović

Senior Associate

02/09/2024

In the dynamic environment of digital business and data protection, the “Pay or Okay” model is increasingly gaining attention as an innovative approach to monetizing online services. If your company provides online services that rely on user data collection, it’s time to seriously consider this model.

What is “Pay or Okay”?

In short, this model offers users a clear alternative: either they consent to their data being processed in exchange for “free” access to the service, or they pay a fee to use the service without their data being processed for purposes such as personalized advertising. In light of increasingly stringent data protection regulations, this concept could be a solution that allows your business to continue generating revenue, even in situations where traditional revenue sources like personalized marketing come under legal scrutiny.

Why is “Pay or Okay” Important for Your Business?

If your business depends on revenue from digital marketing or offers online services, “Pay or Okay” allows you to adapt to new regulations without compromising your income. Examples of companies already using this model include social networks like Facebook and Instagram, online newspapers like Spiegel.de, as well as streaming services, and many mobile apps.

However, the implementation of this concept is being closely watched by data protection advocates and regulatory bodies, so you must be very cautious if you choose to adopt this option.

How Did the “Pay or Okay” Concept Originate?

The “Pay or Okay” model has its roots in legal disputes surrounding data processing practices by Meta (formerly Facebook) and the legal challenges the company faced concerning the processing of personal data. Before 2018, Meta used user consent as the legal basis for processing personal data, including personalized marketing. However, with the introduction of the General Data Protection Regulation (GDPR) in the European Union, the rules changed significantly.

According to the GDPR, consent must be specific, informed, unambiguous, and freely given, which posed a serious challenge for Meta. Meta assessed that giving users a clear choice to say “yes” or “no” would significantly reduce their revenue in the EU, so they changed their approach. They argued that displaying ads was part of the user contract and that data processing was necessary to provide their services.

Regardless, the Court of Justice of the European Union (CJEU) ruled against this approach, emphasizing that data processing for personalized marketing is not necessary to fulfill the contract. Meta was thus forced to revert to consent as the basis for data processing.

However, Meta decided to collect consent with a significant modification – by introducing the “Pay or Okay” model.

This model now gives users the choice: if they do not want to consent to data processing for personalized marketing purposes, they can decline, but they will have to pay a subscription fee to continue using Facebook and Instagram. Meta has thus supposedly aligned its business with the GDPR and the court ruling while preserving part of its revenue through alternative user monetization methods.

For more about the fines Meta has faced due to this approach, as well as the legal bases for personal data processing, you can read our blog: Learning from Meta’s GDPR Mistakes to Process Personal Data Properly.

Is the “Pay or Okay” Concept Allowed?

The opinions of EU authorities on the legality of using the “Pay or OK” concept vary.

In its July 2023 ruling, the CJEU indicated the possibility of using this concept by online platforms when it stated that Meta should introduce an alternative to personalized marketing, “with an appropriate fee if necessary”.[1] Similar views have been adopted by data protection authorities in Europe, including those in Germany and France. This opened the door for Meta to broadly interpret these views and adopt the “Pay or Okay” concept.

However, data protection activists quickly challenged this by filing complaints with regulatory bodies in EU member states regarding Meta’s use of the “Pay or Okay” concept. As a result, the regulatory authorities turned to the European Data Protection Board (EDPB) for its opinion on the contentious issue.

On April 17, 2024, the EDPB issued guidelines explicitly addressing the “Pay or Okay” model used by large online platforms. These guidelines primarily apply to platforms that attract a large number of users, which includes but is not limited to so-called gatekeepers (digital platforms that (1) have a vast number of active users, (2) have a significant impact on the internal market, and (3) connect a large number of businesses with a large number of consumers).

These guidelines emphasize that the legality of using the “Pay or Okay” model depends on the specific case, but in most cases involving large online platforms, this model does not meet legal standards and is therefore not permitted. The EDPB took this position primarily for the following reasons:

  • Lack of Real Choice: In the context of the “Pay or Okay” model, users often experience an element of coercion, where refusing consent results in either additional costs or restricted access to social networks, leading to potential loss of access to diverse content, as well as professional and social connections.
  • Power Imbalance: Large online platforms have significant influence and user bases, creating an inherent imbalance in the relationship between users and platforms. This unequal relationship can compel users to agree to data processing terms they may not fully understand or agree with, further complicating the issue of freely given consent.
  • Consent Must Be Granular: The EDPB guidelines stress the importance of granular consent mechanisms, where users can selectively agree to specific uses of their data, such as the use of data for enabling personalized marketing.
  • Alternative Approaches: The EDPB believes that if users do not want to give consent for the processing of their data for personalized marketing, platforms should not automatically make use of the service conditional on the paid version of the product. Large online platforms should develop other options that provide users with an equivalent alternative without the need for payment.
  • Adherence to Fundamental Data Processing Principles: Obtaining consent from users does not absolve companies from the obligation to adhere to the principles set forth in the GDPR, which include data minimization, accountability, purpose limitation, and fairness.

Although these guidelines from the European Data Protection Board do not create legally binding obligations for large online platforms, it is highly likely that EU member state regulatory authorities will closely follow the EDPB’s positions. In practice, this means that when examining the legality of the “Pay or OK” concept, regulatory authorities will most likely consider the guidelines issued by the EDPB, regardless of whether the case involves large online platforms or ordinary online platforms that do not fall into the “large” category.

Accordingly, all companies subject to the GDPR should act quickly to align their operations with these guidelines.

This regulation certainly applies to entities based in the EU, but it can also apply extraterritorially to businesses outside the EU, such as Serbian companies, which we discussed in more detail in the blog: Territorial Scope of GDPR in Serbia.

Guidelines for Using the “Pay or OK” Model

There are currently no strictly binding rules on the general use of “Pay or OK”, and no general prohibition against implementing this business model. However, considering the EDPB guidelines, it is important for companies to be cautious during its implementation. If you decide to use the “Pay or OK” concept, you should pay special attention to several key aspects:

  • Transparency – Companies should clearly communicate the conditions under which payments are made and the benefits users can expect. This is crucial to avoid misunderstandings and ensure that users are fully informed about their obligations.
  • Freely Given Consent – The consent by which users choose either the “Pay” or “OK” option must be voluntary, informed, and unambiguous. Users should be given a real choice without pressure to pay for the service or accept data collection and advertising.
  • Compliance with Applicable Laws – It is necessary to ensure compliance with the applicable laws and regulations, not only in the field of data protection but also in consumer protection, including rules on refunds and complaints.
  • Reasonable Fees – The fees associated with the “Pay or OK” model should be proportionate and fair to avoid complaints of unrealistic or disproportionate costs. It is also important to ensure that the user’s consent is freely given if they choose the “OK” option.

Pros of the “Pay or OK” Concept

Although the “Pay or OK” model presents complex challenges in balancing data protection rights with the operational realities of digital platforms, it offers certain advantages.

Online platform owners see the “Pay or OK” concept as a legitimate means of securing their revenue. In the digital era, where data has become a form of currency, many companies find themselves unable to generate income through data-based methods (such as personalized advertising) due to legal regulations in the field of data protection. As a result, companies are turning to alternative subscription models to maintain their profitability. From their perspective, the “Pay or OK” model meets transparency requirements because it offers users a clear choice to which they voluntarily agree.

Cons of the “Pay or OK” Concept

  • Costs for Users

Beyond regulatory and legal discussions, the adoption of the “Pay or OK” model introduces practical financial implications for users. While the GDPR requires that consent must be freely given, the application of this principle becomes contentious in the context of the “Pay or OK” model. Users who choose not to compromise their privacy may face significant costs in the form of subscription fees for numerous online platforms, including Facebook and Instagram, but not limited to them.

According to data from the nonprofit organization NOYB from March 2024, 30% of the 100 most visited websites in Germany use the “Pay or OK” concept. If a user in Germany decided to refuse the processing of their personal data by the most popular websites, they would be forced to pay over 1,500 euros annually. Users in other European countries like Spain, France, Italy, Austria, etc., face similar situations.

Given this price of privacy, it could be questioned whether everyone has an equal right to the protection of their personal data, regardless of their economic status.

  • Withdrawal of Consent in the Context of the “Pay or OK” Concept

One of the central principles of modern privacy regulations is that users are guaranteed the right to withdraw consent for the processing of their data as easily as they gave it (or more easily). However, the implementation of the “Pay or OK” model complicates this principle. Users who initially agreed to the terms of data processing may encounter obstacles when attempting to withdraw their previously given consent without facing negative consequences.

If a user wishes to withdraw their consent for data sharing to enable personalized advertising, they would have two options:

  • Loss of access to the basic functionalities of online platforms; or
  • Incurring additional costs in the form of monthly or annual subscription fees for services that are free from personalized ads.

This disparity between the ease of giving and withdrawing consent calls into question the ability to exercise users’ rights in digital environments and the compliance of the “Pay or OK” concept with data protection regulations.

The Future of the “Pay or OK” Concept

It is clear that “Pay or OK” is not just a trend—it is a strategic decision that can redefine how your business earns revenue in a world of increasingly stringent data protection regulations.

The EDPB has announced that it will develop comprehensive guidelines regarding the “Pay or OK” model, which will extend beyond large online platforms and cover a broader spectrum of digital services. The Board will actively collaborate with stakeholders to shape these upcoming guidelines. This initiative promises to provide a clearer picture of the general rules regarding the implementation of this concept.

We expect that the guidelines might be more favorable for smaller platforms since, in their case, the power imbalance, which is evident in large online platforms, will not be as obvious.

Don’t let regulatory changes catch you unprepared—explore all options and make the best decision for your company.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62021CJ0252
