The Dutch privacy and data protection authority (DPA) considers pay-or-okay policies “undesirable.” However, websites aren’t prohibited from implementing such business models.

In the past, the Dutch DPA has always been vague about whether it’s okay to implement a consent-or-pay model.

The General Data Protection Regulation (GDPR), Europe’s most important privacy legislation, doesn’t explicitly prohibit this kind of business practice. However, privacy experts, data protection authorities, and advocacy groups have always frowned upon it.

That didn’t stop Meta from implementing a pay-or-okay model in November 2023. Facebook and Instagram users were offered two options: either pay a monthly subscription fee to remove ads on their timeline, or opt for a free account, meaning that Meta can collect user data to offer personalized ads.

For the first time, the data protection authority from the Netherlands has explicitly stated its position on the subject. The privacy regulator states that pay-or-okay policies are “undesirable, but not forbidden.”

“Privacy is a fundamental right, and this protection should not depend on whether someone can or wants to pay. However, consent-or-pay models are not prohibited by definition,” the supervisor explains on a recently launched page.

If people have to pay to protect their privacy, it will no longer be a fundamental right, the DPA argues. Only a handful of users will pay because they have the financial resources. On the other hand, people with limited money are more likely to consent to user data collection, even though they may not want to.

This may not be what the European lawmakers intended when they drafted the GDPR, but this doesn’t mean that pay-or-okay models are illegal.

Europe’s privacy laws only state that consent to collect user data must be given “freely, specifically, informed, and unambiguously.” This means that users must be properly informed about what data is being collected, for what purposes the data is collected, and whether the collected data is shared or sold to data brokers, advertisers, or other third parties.

If a website meets these requirements, and visitors consent to these conditions, then it’s okay for a site to implement a pay-or-okay model. Users must always have the option to reject these conditions or retract their previously given consent.

Besides paying for privacy protection or consenting to user data collection, the Dutch DPA feels that very large online platforms (VLOPs), such as specific social media platforms, must offer a third option: an option to visit and use a website for free, and little or no personal user data is collected and processed.

---

Unlock more exclusive Cybernews content on YouTube.