Six years since GDPR came into force, the promise of stronger data protection is being undermined by the rise of “pay or consent” models. These business practices offer users a stark choice: pay a fee to safeguard their privacy or consent to intrusive data tracking for targeted advertising. This approach challenges the essence of GDPR, which requires consent to be freely given and informed.

Meta rolled out its “pay or consent” model in October 2023, and is not the only offender; these models are widespread and almost standard practice for thousands of companies. Whilst the EU has started to address the issue, there remains no clear and comprehensive stance on the incompatibility of such models with human rights. The recent Meta announcement of a new version of “pay or consent” illustrates that by only addressing the symptoms of “pay or consent”, the core issues underpinning the model will never be rectified. As stated in the report, offering a reduced price and a third option with less personalised advertisement does not fix the problem.

The Emergence of “Pay or Consent”

Under these models, companies commoditise privacy, turning it from a universal right into a luxury product. Users unable to afford the cost are coerced into agreeing to invasive tracking practices, allowing companies to harvest vast amounts of personal data. While this may benefit businesses, it undermines individual autonomy, widens social inequality, and erodes public trust in digital services.

The European Data Protection Board (EDPB) and other regulatory authorities have criticised these models, emphasising that genuine consent must be free of coercion or detriment. Yet inconsistent enforcement has enabled companies to exploit legal grey areas, bypassing GDPR’s requirements.

Privacy as a Human Right

The commoditisation of privacy has significant consequences. It creates a two-tiered digital society where only the financially privileged can protect their data. This deepens the digital divide and perpetuates social inequality. Moreover, behavioural advertising which is central to these models, raises concerns about discrimination, manipulation, and heightened security risks.

The European Charter of Fundamental Rights affirms that privacy is inalienable and cannot be treated as a commodity. However, gaps in enforcement have allowed corporations to place profit over people’s rights, jeopardising both individuals and communities.

The Need for Stronger Enforcement

To address these challenges, regulators must prohibit “pay or consent” practices. Clearer guidelines are necessary to close existing loopholes and ensure consistent enforcement across EU member states. Additionally, fostering privacy-friendly business models, such as contextual advertising, can balance user rights with sustainable revenue streams.

A Call to Action

As GDPR reaches a pivotal moment, the future of data protection depends on the EU’s resolve to uphold its principles. Will privacy remain a fundamental right, or will it become a privilege for the few? Ensuring a fair digital future means reaffirming privacy as a universal right, demanding transparency, and fostering innovations that respect individual freedoms.

At GDPR Register, we empower businesses to navigate the complexities of GDPR compliance with ease.

Our platform streamlines data protection processes, offering tools for automated assessments, risk management, and consent tracking. With our innovative solutions, companies can maintain compliance while fostering trust with their customers.

By leveraging AI-powered insights, we help organisations identify and address privacy risks proactively. Whether you’re a small business or a large enterprise, GDPR Register ensures that compliance is both efficient and cost-effective, enabling you to focus on growth while upholding the highest standards of data protection.

Curious to learn more?

REQUEST A DEMO

Source:
This blog post is based on insights from “Six Years of the GDPR: Priced Out of Privacy?”, published by Access Now in November 2024.

Image by Megan Rexazin Cond

PREVIOUS

Staying Ahead of GDPR Compliance: Lessons from LinkedIn's €310 Million Fine

NEXT

How to Avoid ICO Fines: Lessons from Recent GDPR Spam Text Penalties