The European Commission's decision against Meta's ‘pay or OK’ model illustrates the unintended challenges of having to comply with multiple pieces of digital legislation.
What is ‘pay or ok’?
The ‘pay or OK’ model (also known as the less catchy but frequently used ‘consent or pay’ model), refers to the business model introduced by several online businesses, notably Meta, to help satisfy GDPR lawful basis requirements. Following ECJ rulings that effectively determined the only lawful basis available to Meta for targeted advertising was consent, Meta among others switched to this model which initially gave EU users the choice between an ad-free subscription model and agreeing to the use of their personal data for targeted advertising purposes in exchange for a free service.
The 'pay or ok' model has come under the scrutiny of data protection regulators in both the EU and UK, and in the EU was also the subject of consumer complaints and enforcement action under the EU's Digital Markets Act (DMA).
Meta's DMA conflict
In a significant decision on 23 April 2025 (Case DMA.100055), the European Commission found that Meta's ‘consent or pay’ model, as implemented in the period from November 2023 to November 2024, on its Facebook and Instagram platforms, was not compliant with the Digital Markets Act (DMA) and fined Meta EUR200m (although the sanctioned non-compliance period only comprises the period from March 2024).
The main thrust of the reasoning was that Meta offered no "equivalent alternative" free service to the paid-for service and therefore effectively coerced consent for personal data processing. In addition, the fees charged for the subscription model were held to be sufficiently high as to give users no meaningful choice about which option to select.
This decision explicitly assesses only the binary choice between a paid subscription and consent to personalised advertising. Meta's newer model, announced on 12 November 2024, which introduced a third option of less intrusive advertising for a free service, as well as lower prices for its subscription model, was expressly not evaluated and could still be the subject of a future investigation.
While Meta is challenging this decision in the courts, related rulings and the complex legal landscape shed light on how the same rules can produce unexpected outcomes in different contexts.
The Commission's legal reasoning in detail
The Commission's decision rests on a strict interpretation Article 5(2) DMA, which it deemed unfulfilled. This prohibits gatekeepers from combining personal data for advertising unless the user has been presented with a specific choice and has given valid consent as defined by the GDPR.
DMA and lack of an "equivalent alternative"
The Commission argued that the "specific choice" required by Article 5(2) DMA presupposes more than just any alternative; the options must be "equivalent". However, a paid service cannot be an equivalent alternative to a historically free service because the conditions of access are fundamentally different. The shift from a model financed by attention/data to a monetary payment model constitutes a fundamental change. The Commission suggested that a truly equivalent alternative would be a free version with less data-intensive advertising (eg contextual instead of behavioural advertising). This would maintain the ad-supported business model while avoiding problematic data processing.
Imported GDPR principles: lack of "valid consent"
Even had the Commission considered there to be a valid equivalent choice in DMA terms, it argued the resulting consent would not be "freely given" under the strict standards of the GDPR (Articles 4(11) and 7) for two main reasons:
- Imbalance of power: for gatekeepers like Meta, a structural power imbalance is virtually presumed. Users are dependent on its services for their social and often professional participation, which deprives them of any real bargaining power
- Detriment: refusing consent could lead to significant detriment. This consisted not only of having to pay a fee but of the potential exclusion from leading communication platforms, which could result in social isolation.
The Commission’s position is fully aligned with the stance of the European Data Protection Board in its Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms (LOPs).
GDPR rulings as an indicator for the broader market
While the DMA case directly affects Meta, a parallel ruling from Austria shows how the underlying GDPR principles are also applied to non-gatekeepers. An August 2025 ruling by the Austrian Federal Administrative Court (BVwG) against the newspaper DER STANDARD provides important clues as to how the debate is evolving beyond DMA gatekeepers.
The court ruled that blanket consent to bundled processing purposes violates the GDPR principle of granularity (Recitals 32 and 43 GDPR). This ruling does not question the ‘pay or OK’ model itself, but rather its implementation. It is a strong signal to all market participants that ‘all-or-nothing' consent is not tenable in this context.
Meta's counter-offensive and reactions
In response to increasing regulatory pressure relating to the ‘pay or OK’ model in the EU, Meta has initiated several legal challenges.
Appeal of the DMA decision
Meta has challenged the Commission's decision and the EUR200 million fine before the EU's General Court. The company argues the decision is unlawful and forces an "unviable business model" on Meta.
Challenge to the EDPB opinion
In parallel, Meta is challenging the EDPB's Opinion 08/2024, appealing the dismissal of its original lawsuit (case C-454/25 P).
Reactions from the market and civil society
The DMA decision triggered a wide range of responses. Data protection organisations like NOYB celebrated it as a major victory for user choice and a confirmation that fundamental rights cannot be for sale. They claim that ‘pay or OK’ models generate consent rates of over 99%, which they label as "fake consent". The decision was less well received by the advertising industry and publishers, some of whom, including IAB Europe, expressed concerns. They argue ‘pay or OK’ is a legitimate model for financing content and services in a digital economy.
An unexpected side effect: victory for Meta in the AI context
Paradoxically, the Commission's strict interpretation of the DMA in the ‘pay or OK’ decision helped Meta in another, equally important case. In May 2025, the consumer protection association of North Rhine-Westphalia (Verbraucherzentrale NRW) sought an injunction to prohibit Meta from using user data to train its AI models. A key argument was that combining data from Facebook and Instagram into a single AI training dataset would violate Art. 5(2)(b) DMA.
However, the Higher Regional Court of Cologne rejected the application. The court, relying on an excerpt from the ‘pay or OK’ Meta decision said that the term "combining" requires a targeted linking of data of the same user for profiling purposes. Merely feeding partially de-identified data into a large, unstructured AI training dataset does not constitute such a "combination" under the DMA. Although this interpretation has been criticised, the case demonstrates how the Commission's specific reasoning can bring about both positive and negative outcomes for a business depending on which EU digital law is concerned.
Similarities and differences in regulatory and judicial approaches
Whether in the context of the GDPR or the DMA, the decisions around the ‘pay or OK’ model share a common basis: the GDPR principles for valid consent. All three bodies - the EU Commission, the EDPB, and the Austrian BVwG - question whether consent can be genuinely voluntary (freely given) when the choice between a paid for ad-free service or a service which process personal data to target advertising is binary and non-granular. They all reject an ‘all-or-nothing' approach and emphasise that refusing consent must not lead to a significant detriment.
The Commission and the EDPBs' views were underlined in their joint Guidelines on the Interplay between the Digital Markets Act and the General Data Protection Regulation published for consultation on 9 October 2025.
- Section 2.1 stresses that to fulfil the Article 5(2) DMA requirement for specific choice, gatekeepers need to offer an equivalent less personalised service rather than presenting a choice between consenting or not receiving the service. The less personalised service should not be different or of degraded quality compared to the service offered to consenting end users.
- Section 2.2 discusses GDPR consent in the context of the DMA, again emphasising the need for granularity of consent with clearly specified processing purposes, saying: "where gatekeepers seek consent for processing personal data covered by Article 5(2) DMA for various purposes, they should provide a separate opt-in for each purpose to allow users to give specific consent for specific purposes. Purposes such as personalisation of content, personalisation of advertisements, and services development, are distinct purposes for which separate consents should be obtained if the gatekeeper wishes to combine or cross-use personal data in the manner described in Article 5(2) points (b) to (d) DMA".
- Among other points relating to consent, the guidelines also stress that a decision not to consent which causes detriment will make the consent options invalid, and that an imbalance of power that may exist between controllers who are gatekeepers, including where the controller's position in the market means there is no realistic alternative to the service, will also affect the validity of the consent.
Interestingly in the UK, where data protection law is largely derived from EU law, the ICO has taken a similar but slightly more flexible approach to the EDPB on the question of 'pay or OK'. In guidance relevant to all businesses, not just LOPs, it emphasises the need for a "broadly equivalent" core service, appropriate fee setting, privacy by design, and an absence of a power imbalance, to establish freely given consent and also warns against bundled consent as a condition for accessing a product or service. On 26 September 2025, Meta announced it will introduce a chargeable ad-free service on its Facebook and Instagram platforms in the UK using a binary consent model approved (with caveats) by the ICO. Of course, in the UK, the DMA does not apply. While the Digital Markets Competition and Consumers Act introduces the concept of Significant Market Status and may impose similar (but not identical) obligations to the DMA, there has, as yet, been no competition law decision on 'pay or OK' in the UK.
Key differences and hope for smaller businesses:
While the various cases and arguments around the ‘pay or OK’ model in the EU consider overlapping (or in some cases identical) concepts, there are crucial differences depending on whether the model is being assessed in the context of the DMA or the GDPR:
- Legal basis: the DMA decision is based on specific competition law for gatekeepers, whereas the BVwG decision and EDPB Opinion exclusively consider application of the GDPR.
- Scope: DMA rules apply only to gatekeepers. The GDPR applies to all organisations processing personal data.
- Central argument: for the Commission, the 'killer' argument is the lack of a free "equivalent alternative". For the BVwG, it is the lack of "granular consent" - ie the inability to consent to individual processing purposes separately.
What does this mean for the EU market?
What do the Meta DMA decision, the EDPB Opinion and the Austrian ruling mean for DMA gatekeepers and for other organisations in scope of the GDPR?
Differences - the DMA effect
The Commission decision is specific to Meta as a gatekeeper. The obligation under Art. 5(2) DMA to provide an "equivalent" (and thus potentially free) alternative service as well as the assumption of an automatic "imbalance of power" where powerful gatekeeper services are concerned do not apply to businesses which lack the reach and significance of Meta. Smaller businesses can argue that their users have genuine alternatives and that payment (with money or data) constitutes a fair choice.
Similarities - the GDPR foundation
The common foundation for everyone using personal data to target advertising in the EEA is the GDPR. Any controller relying on consent must ensure its validity. The Austrian ruling shows a way forward for smaller organisations, suggesting there will only be a problem with the model where it is not properly implemented. The ‘OK’ option can be fixed by enabling granular consent, allowing users to agree or disagree with specific purposes (eg web analytics vs. personalised advertising).
Separately, It’s worth noting that the EDPB is planning to develop guidelines on ‘pay or OK’ with broader scope than its existing Opinion which is aimed solely at LOPs, and these may eventually prove helpful for smaller businesses looking to apply the model.
The Austrian ruling does not, however, necessarily help LOPs at whom the EDPB Opinion was directed – whether or not they are gatekeepers for DMA purposes. The EDPB stops short of suggesting that ‘pay or OK’ can never be a valid model, but says “in most cases it will not be possible for [LOPs] to comply with the requirements for valid consent, if they confront users only with a choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee”, but argues that there must be a genuine choice, entailing options which provide equivalent services, and which do not charge prohibitive subscription rates. The outcome of the ongoing Meta litigation on ‘pay or OK’ against a backdrop of pushback against EU digital laws from the Trump administration, will be keenly awaited and may prove decisive.
