Landmark enforcement action has been taken against Meta in the first penalty enforced under the Digital Markets Act (DMA) by the European Commission (the Commission), with a €200 million fine imposed on the company. The Commission’s view is that the “consent or pay” model which Meta offered to users breached the DMA.
“Consent or pay” models have become increasingly prevalent in recent years. These are business models for online products and services which give a user the choice between consenting to the use of personal data for personalised advertising, paying a fee to avoid personalised advertising, or opting not to use the product or service. In this case, between November 2023 and November 2024, Meta presented EU, EEA and Swiss users with the binary choice to either consent to personalised advertising through combining personal data, or to pay a monthly subscription fee to receive no adverts.
Meta is designated as a gatekeeper under the DMA. This status is given to digital platforms which provide an important gateway between businesses and consumers, and it places additional obligations on those organisations. Failure to comply with these obligations can have significant implications: non-compliant gatekeepers can be fined up to 10% of their global annual turnover for regulatory infringements.
In this instance, the non-compliance decision issued against Meta was published alongside a decision against fellow gatekeeper Apple (in Apple’s case, the company received a €500 million fine for a breach of its anti-steering obligation under the DMA). Together, the decisions mark the first non-compliance action taken by the Commission since the introduction of the DMA.
The Commission’s decision
Under Article 5(2) of the DMA, gatekeepers that combine personal data between their core platform services (in Meta’s case, Instagram and Facebook), or process data from other core platform services for online advertising services, must obtain users’ consent before doing so. If users do not consent, they must have access to a less personalised but “equivalent” alternative. The definition of consent for these purposes aligns to the definition of consent within the EU GDPR.
In its decision, the Commission concluded that the model operated by Meta between November 2023 and November 2024 did not give users the choice to opt for a service that was equivalent to the service that Meta provided when a user consented to targeted adverts, while using less of the users’ personal data.
The Commission therefore imposed a penalty for the period of non-compliance with the DMA, which spans from March 2024, when the DMA obligations upon gatekeepers became legally binding, to November 2024, which is when Meta’s new “consent or pay” model was introduced (and which is still currently in place). Meta’s new model was implemented following exchanges with the Commission and is intended to result in lower volumes of personal data being processed. It remains under review by the Commission, which is still considering the impact of the updated model in practice.
Following publication of the Commission’s decision to issue a fine of €200 million, Meta immediately stated (in robust terms) its intention to appeal. The appeal is likely to focus on the potential impact of the decision on both Meta’s business model and user experience across its digital services.
What does this mean for businesses?
Digital businesses in the UK and across Europe are facing an increasingly complex regulatory landscape, with overlapping rules and, due to the rafts of new regulation which are being enforced for the first time, a lack of clarity as to where regulatory expectation lies in practice. As businesses seek to find compliant and pragmatic solutions, decisions in this space are likely to send signals to all organisations, including those which haven’t been designated as gatekeepers by the Commission under the DMA.
One area of particular concern will be whether regulatory expectations shift towards expecting a cost-free alternative to a “consent or pay” model in other businesses, including those beyond the reach of the DMA. Does this decision mark the “thin end of the wedge”, and will similar obligations spread to other sectors and organisations in the future? Any such concern could be amplified if/when there is further enforcement action and/or additional regulatory guidance on the position under the DMA, or through any enforcement on the meaning of consent for “consent or pay” models under the EU GDPR.
That is not to say that there is no guidance already in place for businesses to consider. Indeed, the decision against Meta follows the European Data Protection Board (EDPB)’s Opinion 08/2024 on “consent or pay” models. Within the Opinion, the EDPB states that “consent or pay” models will in most cases not comply with consent requirements under the GDPR if a binary choice (between consenting to behavioural advertising or paying a fee) is presented to a user.
Otherwise, the Commission has sought through this first enforcement action to show that the DMA has teeth. The amount of the penalty is of some interest, as the Commission noted that the fact this decision was the first non-compliance decision adopted under the DMA has influenced the level of the fine imposed upon Meta. We are therefore likely to see that future actions impose more severe fines, in particular for longer periods of non-compliance or where the Commission wants to take more robust action to have an even greater dissuasive effect on regulated entities.
UK perspective and possible implications
From a UK perspective, the ICO published its guidance on “consent or pay” models in January 2025, following an increase in the prevalence of these models in all sectors across the UK. Whilst the core thrust of the ICO’s guidance is consistent with the EDPB Opinion, it is certainly the case that the UK position is more positive and supportive of the use of “consent or pay” models than the EU equivalent. In particular, the ICO provides guidance as to how “consent or pay” models could be deployed in a manner which is consistent with the UK GDPR and related legislation.
With this in mind, UK businesses are currently asking themselves: could the Commission’s decision have further implications for organisations (beyond only gatekeepers) operating consent or pay models under UK law? Could the ICO (and/or the CMA) now be persuaded to take a more interventionist line where these models are deployed?
The ICO and the CMA will be keeping a watchful eye on European developments in this space. Meta is already in discussions with the ICO about how a “consent or pay” model would operate in the UK – so we’re likely to hear more on this complex area over the course of this year.
Please do get in touch if you would like to further discuss the above, or developments in AdTech generally.
We will continue to monitor further regulatory action in this space and provide further updates in due course.
Gareth Oldale, partner and head of Data Privacy and Cybersecurity at TLT, said:
“This case illustrates perfectly the increasing complexity of the digital regulation landscape facing organisations in the UK and across Europe. Whilst the fine issued to Meta relates to a DMA infringement, the shockwaves resulting from this case are likely to have a significant impact on data protection and privacy practices too.
Perhaps of most concern to businesses operating across borders is the potential divergence between the enforcement approaches of regulators in the UK and EU when it comes to “consent or pay” models. Operating a harmonised approach to digital regulation compliance across the continent may just have got a little bit riskier and even harder to manage”.
Date published
06 May 2025