Why Current Pay-or-Okay Models Violate the GDPR by Design
In the last couple of months, you may have visited a website or platform where you were given the choice to accept cookies or become a paid subscriber. This so-called “pay-or-okay” business model allows users to either pay for content or services upfront, or agree to provide value in another way, typically by sharing personal data for advertising purposes.
As the pay-or-okay model seems to offer a balance between user control and revenue, it has been adopted by quite a number of EU publishers and platforms, especially in digital media. But is this model compliant with EU (e-)privacy regulations?
In this mini essay, written together with the leading Dutch law firm De Roos, we answer that question. We explain why these models fall short of (e-)privacy standards and what publishers can do for a more compliant path forward.
How Pay-or-Okay Models Work
Pay-or-okay models have been widely adopted by several major publishers across the EU and UK, including Der Spiegel, El País, and La Repubblica. Users are given the option to either pay a subscription fee or to ‘consent’ to tracking cookies and personalised ads, in cooperation with a large number of advertising partners – which, depending on the publisher, can range from hundreds to thousands.
In theory, these models give users a choice between privacy and free access. However, research shows that only around 1% of users opt to ‘pay’ – while the overwhelming majority accept the ‘okay’ option and “allow” their online behaviour to be tracked for ad personalisation. But is this truly a free choice?
Why Pay-or-Okay Models Violate the GDPR
With real-time bidding (RTB) systems operating behind the ‘okay’ option, publishers are able to sell their advertising space in the most effective way possible. However, this practice is facing scrutiny over whether it meets key GDPR requirements, such as obtaining valid consent and ensuring transparency. RTB is currently under fire from several regulators, consumer groups, and NGOs, one example being the Belgian data protection authority’s case against IAB Europe.
While the pay-or-okay model seemingly gives users a choice about how they access content, the reality is that it pushes them towards the ‘okay’ option. The GDPR mandates that consent must be “freely given,” meaning that users should not be pressured to agree to data collection. Since 99% of users ‘agree’ to share their data rather than pay for content, it is clear that consent is not truly voluntary, especially when users are faced with high subscription fees.
The GDPR is also built upon several principles that apply to data processing, including transparency, purpose limitation, fairness, and accountability. Pay-or-okay models, especially when equipped with RTB systems, fall short of these requirements. Our mini essay goes into further detail on this.
Alternatives to Pay-or-Okay Models
As privacy concerns grow, alternative advertising models that do not rely on personal data are becoming increasingly necessary. One effective model is consentless advertising, which removes the need for cookies, personal identifiers, and behavioural profiling.
Instead, this model uses contextual targeting, where ads are matched to the content of the page or other non-personal characteristics. This approach ensures that publishers can monetise their content while remaining fully GDPR-compliant.
Opt Out Advertising’s unique, consentless ad server allows publishers to generate revenue without tracking users. Publishers can drive substantial revenue growth by monetising consentless inventory – ad space where visitors decline tracking. By tapping into this under-utilised inventory, the Opt Out ad server can help publishers reach their entire audience and boost overall revenue by up to 20%, matching the average percentage of users who opt out of tracking. This enables them to capture valuable revenue opportunities while prioritising user privacy.
Large publishers like Immediate Media, The Guardian, and The Dutch Public Broadcast (NPO) already use consentless advertising models, offering competitive and valuable ad spaces without the need for tracking cookies or identifiers. Smaller publishers also have the ability to serve ads without relying on personal data, cookies, or identifiers, with many utilising privacy-enhancing technologies (PETs) such as the Opt Out ad server to deliver ads without collecting personal data.
The Path Forward
As demonstrated by pioneers in the field, there is a clear path forward. The Opt Out platform allows advertisers to buy media in a privacy-first manner, optimising ad campaigns without the use of personal data while achieving performance metrics similar to those of data-driven campaigns.
The European Data Protection Board (EDPB), which unites all 27 national data protection authorities, has initiated an industry stakeholder consultation on pay-or-okay models to take place on November 18. As privacy awareness grows and the scrutiny of RTB intensifies, this event signals an important shift and a need for the advertising industry to adapt to more privacy-friendly alternatives.
If you would like to understand more about a better way forward, simply download our mini essay from the link below, in which you will discover:
- Why pay-or-okay in itself does not violate the law.
- That RTB operates behind the 'okay' option and why this does not comply with e-privacy rules and GDPR principles.
- That pay-or-okay models provide no solution for this violation.
- Proven alternatives to personalised advertising.
To read our mini essay in full, with all its recommendations from leading law firm De Roos, please download it here.