How to Set Up a Pay-or-Consent Model Without Violating EU Privacy Laws
What is the Pay-or-Consent Model?
A pay-or-consent model (also called a "consent or pay wall") offers users a binary choice: either consent to personalized advertising and tracking, or pay a fee to access content without it. This approach gained mainstream visibility when Meta rolled it out for Facebook and Instagram in the EU in late 2023, charging approximately €9.99/month for an ad-free, tracking-free subscription. The underlying legal rationale is that consent given to avoid a fee may still constitute "freely given" consent under GDPR, provided certain conditions are met.
The EDPB's Position: It's Not a Free Pass
The European Data Protection Board (EDPB) issued guidance in April 2024 that significantly constrains how pay-or-consent can be implemented. The core requirement: the paid alternative must be a "genuine alternative", meaning the fee must be reasonable and proportionate to the nature of the service. If the paid tier is priced specifically to coerce consent (e.g., €50/month for a free news site), regulators will view the consent as involuntary and therefore invalid. The EDPB also emphasized that controllers should prioritize offering a "free tier with less invasive processing" before resorting to a binary pay-or-consent model.
Additionally, the EDPB clarified that this model is only viable for "large online platforms", publishers and media companies. For standard B2B SaaS tools or service providers who don't rely on advertising revenue as their primary business model, the justification for a consent wall is significantly harder to establish.
Implementation Requirements for a Legally Sound Model
If you determine a pay-or-consent model is appropriate for your business, five conditions must be met simultaneously: (1) the price must be proportionate to the service value and market norms; (2) both tiers must provide equivalent core functionality; (3) users must not face dark patterns or misleading design in the consent flow; (4) the consent mechanism must meet all standard GDPR consent requirements: granular, specific, informed, and revocable at any time; (5) you must maintain detailed records of how consent was obtained and be able to demonstrate it was freely given.
The Safer Alternative for Most B2B Businesses
For most SMEs and B2B businesses, a pay-or-consent wall introduces more legal and reputational risk than it resolves. A simpler and more defensible approach is a well-designed CMP with clear value exchange messaging, combined with server-side tracking that reduces your reliance on broad consent. When users understand what data you collect and why, and see that declining tracking doesn't degrade their experience, consent rates typically improve by 15–25% compared to opaque consent banners.
Practical Recommendations
Before implementing any consent wall, conduct a Data Protection Impact Assessment (DPIA) and engage your legal counsel. If you operate in Germany specifically, note that German DPAs have been the most aggressive in Europe in challenging cookie walls: the Hamburg DPA ruled in 2022 that even "technically necessary" consent walls require additional scrutiny. For most B2B businesses, the energy is better spent on implementing proper Consent Mode v2 and server-side tracking infrastructure. Contact Excel to assess whether your current consent architecture is defensible.