If companies become limited in generating revenue via one channel, they need to optimize others. This is what consent or pay addresses for publishers that may be seeing declining rates of advertising revenue. (The model is also called pay or consent.)
The consent or pay concept has been controversial at times in recent years, but has been gaining traction since about 2023. The Information Commissioner’s Office (ICO) in the United Kingdom has included guidelines for consent or pay implementation in its 2025 strategy aimed at improving tracking practices online. So it’s clearly on regulators’ radar.
We explore what consent or pay means in practice, the monetization challenges that digital publishers are facing, what privacy regulations allow or prohibit, and much more.
What is consent or pay?
In a nutshell, with a consent or pay model the users of websites, social platforms, and other properties have the option to consent to the collection and use of their personal data, often for personalized advertising.
If the user does not consent, their other option is to pay to access the site or platform’s content and features.
Companies operating these sites or platforms make money from advertising, so if users don’t consent and companies can’t collect and use their personal data, e.g. for personalized ads, revenue decreases.
To offset that loss of ad revenue, nonconsenting users are required to pay in order to access those platforms or services, usually by subscription. Those fees then mitigate advertising revenue loss.
When implementing this model, it’s generally expected that a small percentage of users will leave the site or platform, so will not consent to data usage or pay for access. A small percentage will choose to pay to maintain access. And a large percentage will choose to consent to data use to maintain access while avoiding having to pay.
The company then maintains monetization via multiple channels.
Why is consent necessary for ad monetization?
A decline in access to personal data on websites, social platforms, and other digital properties really started with the implementation of the European Union’s General Data Protection Regulation (GDPR) in 2018.
Since then, many more countries have adopted data privacy laws, and many of them follow a similar model that requires prior consent before personal data can be collected or used.
In the United States, under most circumstances, recent state privacy laws do not explicitly require prior consent for data collection or use, but individuals can opt out for specific purposes like data sale or targeted advertising.
While companies can still run ads, without personal data users can’t be targeted, so the ads may be less effective. Advertisers are also only willing to pay lower prices for these kinds of ads, which results in further loss of ad revenue.
Personal data is needed for a variety of other marketing functions, too, like improving websites and products and enhancing customer experience.
Digital advertising, particularly, relies heavily on user identifiers (UID) to track users and compile data about demographics, activities, and interests specifically linked to an individual. UIDs are categorized as personal information under multiple privacy laws, thus requiring prior consent.
Without being able to use these UIDs, monetization is more challenging. These are some key advertising functions that require UIDs.
- Frequency capping: limiting how often a user sees an ad
- Conversion tracking: measuring ad performance
- Personalized targeting: interest-based, demographic-based, and remarketing
How does consent or lack of it affect ad monetization?
A lack of consent affects collection and use of personal data, which affects advertising operations, and thus revenue from ads. The impact can be significant. From Usercentrics’ own research and conversations with partners and publishers, without consent, on average advertising revenue drops 50 percent.
Additionally, increasing consent rates, even by what may seem a modest amount, can make a considerable difference. Our internal research has also shown that if a company has a consent rate of 70 percent, if they can increase that to ~95 percent they can recover 10–15 percent of total ad revenue.
Is consent or pay legal?
The short answer is: it depends.
In November 2023, Meta introduced what they called their “pay or ok” model in the EU for use of the company’s Facebook and Instagram platforms. This was a response to strengthened requirements regarding collection of users personal data for targeted advertising.
Users could give consent for processing of their personal data, which included being used for targeted ads, or they could pay to access the platforms and not be tracked. The subscription price was EUR 12.99/month, or EUR 9.99/month for access in the browser only.
This model resulted in a fair bit of criticism and raised questions about whether it contravened EU regulations with regards to consumer law, competitive practices, data protection and personal privacy per the GDPR and ePrivacy, and provisions of the Digital Markets Act.
In April 2024, the European Data Protection Board (EDPB) issued its first ruling on the matter, prohibiting Meta’s “pay or ok” model as it was initially proposed, as the consent request was deemed unlawful. Meta did make changes to their model as a result.
Under the GDPR, consent has to be freely given, specific, informed and unambiguous. Under a number of data privacy regulations, it’s also prohibited to discriminate against users who choose to exercise their rights, including preventing their access to sites or services if they decline to provide consent for personal data use.
How is consent or pay viewed today?
It’s important to note that EU authorities have not issued blanket prohibitions on consent or pay models. And indeed, consent or pay has become commonly used by publishers in Germany, Spain, Denmark, and the UK.
Data protection authorities in various EU Member States commonly require the first layer of consent banners to display a “Deny All” button. Including the pay information and signup option if people choose that option goes hand in hand with that requirement and provides a viable alternative.
Even before Meta rolled out their model, consent or pay had been reviewed by EU Data protection authorities.
France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), found consent or pay to be admissible under certain circumstances in May 2022. This was endorsed by Spain’s Agencia Española de Protección de Datos (AEPD) in July 2023.
The German Data Protection Conference (DSK) issued a joint resolution in March 2023, also finding consent or pay can be acceptable.
In July 2023, the European Court of Justice (ECJ) found that users “can be offered an equivalent alternative that does not involve such data processing operations for an appropriate fee.”
So the landscape is, indeed, evolving. Solutions are being developed to employ consent or pay in a more sophisticated and compliant way on a broader scale.
For example, users can subscribe to one service and pay one monthly fee, which gives them access to all of the websites within a network, e.g. news, sports, weather, and more. The sites and platforms that are members of the network split the subscription fees to offset lost advertising revenue.
This approach could be more appealing to individuals than paying for access to only one platform where they are also providing the content, as on social media platforms, or paying multiple subscription fees to access multiple sites or platforms. Divided among many sites, the subscription fee per site could seem like a smaller investment.
Website or platform owners that participate in such a setup could also take advantage of privacy-centric tools as a group. For example, functionality to scan all sites in the network to detect cookies and other trackers in use — including those from third parties — to ensure they do not collect data if subscribers have not consented.
The EDPB published its opinion in April 2024, providing EU data protection authorities with binding internal guidelines on valid consent in the context of consent or pay models.
However, it’s focused on very large online platforms and represents a legal opinion rather than an obligation. However, this publication has also garnered criticism and detractors.
What are the UK ICO’s guidelines for consent or pay?
The UK’s ICO issued its guidance on consent or pay in early 2025 to provide clarity on the legalities of the model and how it can be compliantly implemented. It was also in response to many complaints about online tracking.
In 2024, almost 60 percent of the complaints relating to cookie and tracker use that the ICO received were about the inability to reject tracking for non-essential purposes.
The ICO outlines four key requirements for consent or pay to be legally compliant:
- Power imbalance: Users must have a genuine choice (“take it or leave it” is not legal)
- Appropriate fee: The fee must be reasonable and proportionate to the content or services that the user can access
- Equivalence: The core service must remain the same for both the consent and pay options
- Privacy by design: The user’s choices must be clear and presented fairly and equally
There is not one specific implementation method that companies can use that will guarantee privacy compliance and a valid consent or pay model. That will depend on each specific implementation.
How Usercentrics supports publishers with a consent or pay model
Transparency is a requirement of pretty much all data privacy and consumer protection laws. So for consent or pay models, it’s imperative to provide clear information about the data collected, the purposes it will be used for, and individuals’ rights to consent or decline.
Consumers cannot be misled or left in the dark about their options.
Additionally, if users do decline consent for data use, it needs to be equally clear that the paid model is the alternative, along with what it includes, what it costs (no hidden add-on fees), what the payment frequency is, and conditions for cancelling.
Usercentrics CMP supports publishers by enabling them to implement their own consent or pay designs, and integrate it with the functionality of the Usercentrics CMP.
We also support publishers that choose the solution from our partner Content Pass, which includes a subscription model and simple implementation. Website visitors see a consent banner with both options: consent for personal data use, commonly including targeted advertising, or the paid subscription without ads.
The CMP records the details of users’ consent choice, and they can also change their preferences or revoke consent in the future. Both of these functions are also legal requirements under most data privacy laws.
If users choose the paid model, then they proceed with that integrated customer journey from the same banner.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.