GDPR Consent Compliance in 2024: The End of 'Pay or Okay' and New Data Minimization Rules
The Evolving Landscape of GDPR Consent
Since the General Data Protection Regulation (GDPR) entered into force on 25 May 2018, organizations have navigated the complex requirements for lawful processing of personal data. While consent under Article 6(1)(a) has been a cornerstone for many digital businesses, recent regulatory actions and court decisions are fundamentally reshaping what constitutes valid consent and lawful data processing. In 2024, two pivotal developments have emerged: the European Data Protection Board's (EDPB) prohibition of Meta's 'Pay or Okay' model and the Court of Justice of the European Union's (CJEU) strict interpretation of data minimization in advertising. These decisions signal a new phase of GDPR enforcement where regulators are scrutinizing not just whether consent exists, but whether it is genuinely free, informed, and specific—and whether data processing respects fundamental principles like minimization regardless of legal basis.
This article provides an in-depth analysis of these developments, examines related enforcement actions against companies like Ryanair and Google, and offers practical compliance steps for businesses operating in the EU. As data privacy enforcement intensifies, organizations must understand that compliance is no longer about checking boxes but about embedding privacy-by-design into their operations.
Core GDPR Consent Principles: Beyond the Checkbox
Under GDPR, consent is defined in Article 4(11) as "any freely given, specific, informed and unambiguous indication of the data subject's wishes." This definition encompasses several key requirements that businesses must satisfy:
- Freely Given: Consent cannot be conditional on receiving a service unless the processing is necessary for that service. Users must have a genuine choice without experiencing detriment if they refuse.
- Specific: Consent must be obtained for clearly defined purposes. Blanket consent for undefined processing is invalid.
- Informed: Data subjects must understand what they are consenting to, including the identity of the controller, purposes of processing, and their right to withdraw.
- Unambiguous: Consent requires a clear affirmative action. Pre-ticked boxes or inactivity do not constitute consent.
Additionally, GDPR establishes the principle of data minimization in Article 5(1)(c), requiring that personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." This principle applies regardless of the legal basis for processing—including consent. The recent CJEU ruling has reinforced that even with user consent, organizations cannot collect or retain data beyond what is strictly necessary for specified purposes.
Breaking Down the Key 2024 Decisions
The EDPB's Prohibition of Meta's 'Pay or Okay' Model
In a landmark decision, the European Data Protection Board (EDPB) issued its first opinion prohibiting Meta from using its 'Pay or Okay' model for obtaining consent on platforms like Instagram and Facebook in the EU. This model presented users with a binary choice: either pay a subscription fee (reportedly over €250 per year) or consent to behavioral advertising based on extensive personal data processing.
The EDPB determined this approach violates GDPR's requirement for 'freely given' consent. When large online platforms with significant market power present such a choice, users face coercion rather than genuine freedom. As Max Schrems of noyb noted, consent rates shift from approximately 3% to over 99% under this system, indicating that the financial barrier effectively forces consent rather than enabling voluntary choice.
Key implications of this decision include:
- Power Imbalance Matters: The EDPB specifically highlighted that large platforms cannot leverage their dominant position to extract consent through financial pressure.
- Beyond Large Platforms: While this decision focused on Meta, the EDPB indicated it plans to issue broader guidelines on 'Pay or Okay' models that may affect other organizations.
- Alternative Models: The EDPB suggested exploring a third monetization option, such as contextual advertising, that does not rely on extensive personal data processing.
This decision follows previous rulings against Meta's legal bases for data processing and represents a significant escalation in enforcement of GDPR's consent requirements.
The CJEU's Data Minimization Ruling in Schrems v. Meta
In case C-446/21 (Schrems v. Meta), the Court of Justice of the European Union (CJEU) delivered a landmark ruling with far-reaching implications for data-driven businesses. The court determined that Meta must strictly apply GDPR's data minimization principle to its advertising practices, establishing several critical precedents:
- No Indefinite Data Retention: Meta cannot indefinitely use all personal data collected since 2004 for targeted advertising, even with user consent. The company must implement deletion protocols for data that is no longer necessary.
- Minimization Applies Regardless of Legal Basis: The court clarified that data minimization under Article 5(1)(c) applies even when processing is based on consent. Users who consent to personalized advertising cannot have their data used indefinitely or for purposes beyond what is strictly necessary.
- Public Criticism ≠ Consent: The CJEU rejected Meta's argument that publicly criticizing data processing constitutes consent to process sensitive personal data under Article 9(2)(e) GDPR, protecting free speech rights.
This ruling establishes that all online advertising companies operating in the EU must develop data management protocols for gradual deletion of unnecessary data. It represents a fundamental shift from the "collect everything" mentality to a "collect only what's necessary" approach.
Related Enforcement Actions and Context
Ryanair's Facial Recognition Complaint
In a separate enforcement action highlighting tensions between business practices and regulatory compliance, noyb filed a GDPR complaint against Ryanair for alleged violations of EU data protection regulations. The complaint focuses on Ryanair's requirement for customers to create mandatory accounts and undergo verification processes that often involve biometric facial recognition.
Key allegations include:
- Data Minimization Violation (Article 5(1)(c)): The complaint argues that mandatory accounts are unnecessary for flight bookings, collecting excessive personal data beyond what is required for the transaction.
- Purpose Limitation Violation (Article 5(1)(b)): noyb suggests the verification processes appear aimed at blocking travel agencies rather than legitimate security needs, representing a shift from the original purpose.
- Consent Issues (Articles 6 and 9): Customers are allegedly nudged toward biometric processing with burdensome alternatives, raising questions about whether consent is freely given for sensitive biometric data.
The complaint suggests Ryanair's practices prioritize competitive advantage over user privacy, potentially exposing the airline to fines up to €431 million based on its 2023 turnover. This case illustrates how data minimization and consent requirements apply beyond digital advertising to various business models.
Google Tracking and Broader Enforcement Trends
Although not examined in detail here, Google has faced multiple GDPR enforcement actions related to consent and data processing practices. These cases typically involve allegations of insufficient transparency, inadequate consent mechanisms, and excessive data collection. The consistent theme across enforcement against Meta, Ryanair, Google, and other companies is that regulators are moving beyond technical compliance to examine the substantive fairness of data practices.
Organizations should note that GDPR penalties can reach up to EUR 20 million or 4% of global annual turnover, making non-compliance financially significant. Each EU member state has a Data Protection Authority (DPA) with enforcement powers, creating a decentralized but coordinated enforcement landscape.
Practical Compliance Steps for Businesses
Based on these developments, businesses processing personal data of EU residents should take the following practical steps to ensure GDPR compliance:
1. Review and Revise Consent Mechanisms
- Avoid Coercive Models: Do not present binary choices that force consent through financial pressure or service denial unless processing is strictly necessary for service delivery.
- Implement Granular Consent: Allow users to consent to specific processing purposes separately rather than through blanket consent.
- Ensure Genuine Choice: Provide equally accessible alternatives to data-intensive processing, such as contextual advertising options.
- Maintain Clear Records: Document when and how consent was obtained, including what information was provided to users.
2. Implement Robust Data Minimization Practices
- Conduct Data Audits: Map all personal data collected, processed, and stored, identifying what is truly necessary for each processing purpose.
- Establish Retention Policies: Implement protocols for deleting data that is no longer necessary, following the CJEU's requirement for gradual deletion rather than indefinite retention.
- Apply Purpose Limitation: Ensure data collected for one purpose is not repurposed without additional legal basis and transparency.
- Consider Privacy-Enhancing Technologies: Explore techniques like anonymization, pseudonymization, and differential privacy to minimize identifiability while maintaining utility.
3. Enhance Transparency and User Control
- Update Privacy Notices: Clearly explain data processing purposes, legal bases, retention periods, and user rights in accessible language.
- Simplify Withdrawal Mechanisms: Make it as easy to withdraw consent as it was to give it, with clear, accessible options.
- Respect All GDPR Rights: Implement processes to handle data subject requests for access, rectification, erasure, portability, objection, and restriction under Articles 15-21.
4. Conduct Regular Assessments and Monitoring
- Perform Data Protection Impact Assessments (DPIAs): Conduct DPIAs for high-risk processing activities as required by Article 35, especially when implementing new technologies or business models.
- Monitor Regulatory Developments: Stay informed about EDPB guidelines, CJEU rulings, and national DPA decisions that may affect your operations.
- Implement Continuous Compliance: GDPR compliance is not a one-time project but requires ongoing monitoring and adaptation as business practices and regulations evolve.
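As an added illustration of steps 1 and 2 above (not code from this article or from any vendor it names), the following Python sketch models a per-purpose consent ledger with an audit trail and one-call withdrawal, plus a retention check that drops stored data once consent is withdrawn or the retention period lapses. The purposes, day numbers and records are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed purposes: each is consented to separately (granular consent);
# a purpose outside this set is rejected rather than covered by blanket consent.
PURPOSES = {"personalised_ads", "analytics", "newsletter"}

@dataclass
class ConsentEvent:
    purpose: str
    granted: bool
    day: int             # day number in a constructed calendar
    notice_version: str  # which privacy-notice text the user was shown (audit record)

@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)

    def record(self, purpose, granted, day, notice_version):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        self.events.append(ConsentEvent(purpose, granted, day, notice_version))

    def withdraw(self, purpose, day):
        # Withdrawal is a single call, as easy as the grant was.
        self.record(purpose, False, day, "withdrawal")

    def is_granted(self, purpose):
        # Default is "no": silence or a pre-ticked box never counts as consent.
        history = [e for e in self.events if e.purpose == purpose]
        return bool(history) and history[-1].granted

def purge_expired(records, ledger, retention_days, today):
    """Return the records that may still be kept.

    records: list of (purpose, collected_day, payload). A record is dropped when
    consent for its purpose is absent or withdrawn, or when it is older than
    retention_days even though consent was once given (minimisation applies
    regardless of legal basis).
    """
    return [r for r in records
            if ledger.is_granted(r[0]) and today - r[1] <= retention_days]

def demo():
    ledger = ConsentLedger()
    ledger.record("personalised_ads", True, day=1, notice_version="v3")
    ledger.record("analytics", True, day=1, notice_version="v3")
    ledger.withdraw("analytics", day=20)
    records = [("personalised_ads", 100, "ad-profile-recent"),  # fresh, consented
               ("personalised_ads", 5, "ad-profile-stale"),     # past retention
               ("analytics", 25, "pageview"),                   # consent withdrawn
               ("newsletter", 30, "email")]                     # never consented
    return purge_expired(records, ledger, retention_days=90, today=120)
```

Only the recent, still-consented advertising record survives the purge; the stale record is dropped despite valid consent, which is the point of the CJEU ruling.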
For organizations seeking to streamline their compliance efforts, platforms like AIGovHub offer data privacy monitoring tools that help track regulatory changes, manage consent preferences, and maintain audit trails. When evaluating consent management solutions, businesses should compare vendors like OneTrust and TrustArc based on their specific needs, integration capabilities, and alignment with the latest regulatory requirements.
Future Trends and Enforcement Outlook
The 2024 decisions against Meta and the CJEU's data minimization ruling signal several important trends in GDPR enforcement:
- Substance Over Form: Regulators are looking beyond technical compliance to examine whether data practices are fundamentally fair and respect user autonomy.
- Cross-Border Coordination: The EDPB's involvement in Meta's case demonstrates increased coordination among EU data protection authorities.
- Integration with Other Regulations: GDPR compliance increasingly intersects with other frameworks, including the EU AI Act (which classifies AI systems used in recruitment/HR as high-risk under Annex III) and cybersecurity requirements like the NIS2 Directive.
- Growing Penalties: With potential fines reaching 4% of global turnover, enforcement has significant financial consequences for non-compliant organizations.
As the digital economy evolves, businesses must recognize that GDPR compliance is not just a legal requirement but a competitive advantage. Organizations that prioritize transparent, minimal, and user-centric data practices will build greater trust with customers and avoid the substantial penalties facing companies like Meta and Ryanair.
Key Takeaways
- The EDPB has prohibited Meta's 'Pay or Okay' model, finding that binary choices between paying fees or consenting to data processing violate GDPR's requirement for freely given consent, especially for large platforms.
- The CJEU ruled in Schrems v. Meta that data minimization applies regardless of legal basis, requiring deletion of unnecessary personal data even when users have consented to processing.
- Related enforcement actions against Ryanair for facial recognition practices demonstrate that data minimization and consent requirements apply across various business models.
- Businesses must implement robust consent management systems that provide genuine choice, avoid coercion, and allow granular control over data processing.
- Regular data audits, retention policies, and transparency enhancements are essential for complying with evolving GDPR interpretations.
- GDPR penalties can reach up to EUR 20 million or 4% of global annual turnover, making compliance financially significant.
This content is for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal professionals for specific guidance on GDPR compliance.