Meta's Consent Shift & GDPR Enforcement: The End of 'Pay or Okay'?
Introduction: A Watershed Moment for GDPR Consent
In late 2024, Meta announced it would switch from relying on 'legitimate interest' to obtaining user 'consent' as the legal basis for processing personal data for behavioral advertising in the European Union and Switzerland. This pivot, coming after over five years of litigation and regulatory pressure, represents a significant inflection point in the enforcement of the General Data Protection Regulation (GDPR). The move underscores a broader trend: data protection authorities (DPAs) across Europe are moving from guidance to formal enforcement, with a particular focus on the quality of consent mechanisms. This article examines Meta's 'Pay or Okay' model as a case study, analyzes recent enforcement actions, and outlines what businesses must do to ensure their consent practices meet the stringent requirements of GDPR and evolving state privacy laws in the US.
The 'Pay or Okay' Model: A Legal Minefield
Meta's attempted solution to the consent requirement was the introduction of a subscription model, often termed 'Pay or Okay'. For an annual fee of €251.88, users of Facebook and Instagram in Europe could opt out of tracking for targeted advertising. Otherwise, consent to such tracking was implied. This model has sparked intense legal scrutiny and public backlash.
Why 'Pay or Okay' Faces Rejection
GDPR Article 4(11) defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes." The 'freely given' element is the core issue with 'Pay or Okay'. A coalition of 28 NGOs, including Wikimedia Europe and Bits of Freedom, has urged the European Data Protection Board (EDPB) to reject this model, arguing it creates an unfair condition where users must pay to protect their fundamental right to privacy. They contend it undermines the very essence of GDPR by making data protection a luxury good. Studies in Germany, where similar models have proliferated, show consent rates soar when a fee is attached, directly contradicting user preferences against tracking—clear evidence that such consent is not freely given.
Meta's Strategic Retreat
Meta's shift to a consent-based model was not voluntary. It followed a binding decision by the EDPB and a ruling from the Court of Justice of the EU (CJEU) which prohibited Meta from using personal data beyond what is strictly necessary for its core services under the 'legitimate interest' justification. The Irish Data Protection Commission's (DPC) delayed enforcement highlighted the patchwork nature of GDPR application, but the legal pressure ultimately proved insurmountable. Privacy advocacy group noyb, led by Max Schrems, has signaled it will continue litigation if Meta's implementation of consent does not apply to all personal data processing for ads, not just "certain data," as Meta's announcement vaguely stated.
The Enforcement Landscape: DPAs Move from Talk to Action
The regulatory environment surrounding consent is hardening. Data Protection Authorities are transitioning from issuing guidance to wielding their enforcement powers, as evidenced by several key developments.
Cookie Banner Crackdowns
In a landmark move, the Belgian Data Protection Authority issued formal legal orders against four major Belgian news websites operated by Mediahuis (including De Standaard and Het Nieuwsblad). Following complaints by noyb, the DPA mandated that the sites implement a clearly visible 'reject' button on the first layer of their cookie banners, ensure button colors are not misleading (a grayed-out 'reject' button next to a prominent 'accept' button, for example, is considered misleading), and obtain explicit consent for analytical cookies, which are not considered 'strictly necessary'. Non-compliance could result in penalties of up to €50,000 per day per website. This represents a decisive shift from the DPA's previous practice of settling cases without requiring substantive compliance changes.
Accountability of DPAs Themselves
Enforcement gaps remain, however. noyb has filed a legal appeal against the Swedish DPA (IMY) for allegedly failing to properly investigate GDPR complaints by routinely forwarding them to the accused companies and closing cases without action. This case, citing precedents from the European Court of Justice, challenges whether national authorities are fulfilling their duty to "handle [complaints] with due diligence" under GDPR. It underscores that effective enforcement relies on vigilant DPAs.
Proactive Guidance for the Future
Looking ahead, DPAs are focusing on providing practical compliance tools. The French authority, CNIL, has outlined a 2026 work program that includes developing guidance on cross-domain consent mechanisms for online marketing. This aims to reduce the burden of multiple consent requests on users while ensuring privacy is protected. Furthermore, as the designated market surveillance authority under the EU AI Act, CNIL will also clarify how GDPR applies to AI systems and the responsibilities across the AI value chain.
Compliance Implications: What Valid Consent Really Means
For any company operating a 'freemium' model funded by behavioral advertising, Meta's saga is a cautionary tale. GDPR sets a high bar for consent, which must be:
- Freely Given: There must be a genuine choice, without detriment for refusing. 'Pay or Okay' models and dark patterns that manipulate choice likely fail this test.
- Specific: Consent must be obtained for distinct purposes. A blanket "accept all" for undefined processing is non-compliant.
- Informed: Users must be clearly told who is processing their data, for what purpose, and how they can withdraw consent.
- Unambiguous: Requires a clear affirmative action. Pre-ticked boxes or continued use of a service do not constitute consent.
In the US, while there is no federal equivalent to GDPR, state laws like the California Consumer Privacy Act (as amended by the CPRA) also grant the right to opt out of the "sale" or "sharing" of personal data, and the CPRA includes a right to opt out of automated decision-making. The Federal Trade Commission (FTC) actively enforces against deceptive practices and dark patterns under Section 5 of the FTC Act.
Actionable Steps: Building a Compliant Consent Framework
Businesses must proactively audit and upgrade their consent mechanisms. Here is a practical checklist:
- Conduct a Consent Audit: Map all data collection points (websites, apps, forms) and identify the legal basis for each processing activity. Scrutinize any reliance on 'legitimate interest' for advertising.
- Eliminate Dark Patterns: Review user interfaces for manipulative designs. Ensure 'Accept' and 'Reject' options are equally prominent, use clear language, and avoid pre-selected choices.
- Implement a Robust CMP: Use a dedicated Consent Management Platform (CMP) that supports granular consent, easy withdrawal, and maintains detailed records. Solutions like Cookiebot, OneTrust, and Transcend are market leaders, but due diligence is essential. Platforms like AIGovHub offer vendor assessment tools to help evaluate and compare CMPs based on features, compliance certifications, and integration capabilities.
- Ensure Transparency: Update privacy notices to clearly explain data uses for behavioral advertising in plain language.
- Prepare for Cross-Border Data Flow Challenges: Stay informed on developments regarding EU-US data transfers. An Advocate General opinion for the CJEU has raised serious doubts about the validity of the Privacy Shield framework and emphasized DPAs' duty to suspend transfers when fundamental rights are violated.
Future Outlook and Key Takeaways
The convergence of stricter DPA enforcement, activist litigation, and evolving regulations like the EU AI Act (which classifies AI in recruitment as high-risk) means consent compliance will only grow more critical. The 'Pay or Okay' model faces an uphill battle for legitimacy, and businesses should view it as a high-risk strategy.
Key Takeaways:
- Meta's consent shift is a direct result of sustained legal and regulatory pressure, signaling the end of 'legitimate interest' as a viable basis for behavioral ads in the EU.
- The 'Pay or Okay' model is under severe scrutiny and may be deemed non-compliant for violating the 'freely given' requirement of GDPR consent.
- DPAs are escalating enforcement, moving from warnings to fines and formal orders, as seen in Belgium.
- Valid consent requires clear, affirmative, granular, and reversible user action, free from manipulative design.
- Companies must invest in compliant consent management platforms and continuous monitoring to avoid significant penalties.
For organizations navigating this complex landscape, leveraging specialized tools is crucial. AIGovHub's Data Privacy module and vendor assessment tools can help automate compliance checks, manage vendor risk for CMPs, and stay updated on regulatory changes across both EU and US jurisdictions.
This content is for informational purposes only and does not constitute legal advice.