IP, ICT & Data publication | The Price of Privacy: Navigating Pay-or-Consent Models in the EU Digital Economy

In this publication, Andersen’s IP, ICT, and Data european Service Line analyses the growing use of pay-or-consent models in the EU digital economy and explores the key legal and business risks under the GDPR, as well as consumer, competition and DMA-related considerations. It also provides practical recommendations for businesses navigating this evolving landscape.

Turning Privacy into Value: The Rise of Pay-or-Consent in the Digital Economy

In the digital economy, personal data has become a key economic asset, often replacing money as the true “price” of supposedly free online services. In response to stricter EU data protection rules, many companies have adopted pay-or-consent models, offering users a choice between consenting to personal data processing for advertising purposes or paying a fee to access services without tracking. While this approach makes the data-for-access exchange more transparent, it raises concerns about whether user consent can be considered genuinely free, especially when digital services are essential to everyday life. There is also a risk that privacy becomes a premium feature, creating a two-tier digital ecosystem and challenging the notion of privacy as a fundamental right. As these models spread, they pose significant legal, ethical, and strategic questions for businesses operating in the EU.

The EU Rules Businesses Can’t Ignore

In the EU, pay-or-consent models are subject to strict regulatory scrutiny, as payment may undermine the requirement that consent be freely given under data protection law. Authorities have emphasized that consent loses validity when users are effectively penalized for refusing data processing, especially where such processing is not necessary for providing the service. Regulatory obligations are even stricter for large platforms designated as gatekeepers under the Digital Markets Act, which may be required to offer equivalent services without coercive data practices. Additional risks arise under consumer protection law, particularly where interfaces or pricing are misleading or manipulative, and under competition law, where dominant firms may face scrutiny for exploitative practices under Article 102 TFEU. As a result, pay-or-consent models must be carefully tailored to a company’s market position, user dependency, and design choices, as monetization cannot come at the expense of genuine user choice.

Key Business Risks of Pay-or-Consent Models under EU Privacy and Competition Law

The adoption of pay-or-consent models entails high risks for companies in several respects. Under the GDPR, consent obtained under economic pressure can hardly be considered “freely given.” This would make data processing unlawful, exposing organizations to fines of up to 4% of their global annual turnover. For companies classified as gatekeepers under the DMA, the risks are even greater. Non-compliance can result in fines of up to 10% of global turnover.The perception that privacy is becoming a paid privilege also undermines companies’ reputations and consumer trust. Companies therefore risk being perceived as commodifying people’s fundamental rights. Moreover, a monetization model perceived as discriminatory can erode investor confidence and put pressure on relationships with strategic partners. This reputational risk then translates into concrete consequences for companies, including reduced access to capital and fewer partnership opportunities. In the marketplace, consumers may migrate to more privacy-friendly services, reducing market share and revenues. Defending against data protection and consumer law claims comes at a cost. For organizations with international operations, ensuring compliance across multiple jurisdictions further increases complexity and costs.

Turning Privacy Challenges into Opportunities: Business Tips for the EU Digital Economy

To reduce risk, companies should make privacy part of their business strategy instead of just seeing it as a compliance issue. Pay-or-consent models must also be evaluated in light of antitrust regulations. By designing alternatives, ensuring transparency, integrating compliance into product development, respecting competition law, and promoting privacy as a distinctive feature, companies can mitigate legal and reputational risks while strengthening their market position.

Final Thoughts

The evolution of monetisation models, particularly pay-or-consent frameworks, demands heightened scrutiny from businesses. Moreover, prioritising privacy within monetisation strategies is not only a safeguard against legal and reputational risks, but also a catalyst for long-term trust.