A Two-Tier Internet?- The Data Dilemma No One Saw Coming

Imagine casually browsing for the latest news articles or general information on the internet, and you get the generic "Accept Cookies" prompt, but this time with a mandate that reads "Accept or Pay to Reject". This digital dilemma is becoming increasingly prevalent across Europe and globally as publishers reassess how to strike a balance between privacy, revenue, and user experience.

European data protection laws permit websites to request consent for cookies on the basis that the consent is genuinely voluntary or if a reasonable alternative is offered. This raises a critical question: Are these practices truly respecting user autonomy, or are they merely rebranding the concept of consent to make it more favourable for publishers? (European Commission, 2024; Veale & Borgesius, 2021)

What does this mean for everyday internet users, and why is it important? In simple terms, it means that what we once enjoyed as "free access" to information may now come at a much higher price than we realise. This fast-emerging trend, known as the "consent or pay" model, is altering how we engage with digital content while also raising critical legal, ethical, and privacy concerns (Korcova, 2025). As technology and the digital economy evolves, user data has emerged as a key asset, prompting us to reconsider what our personal information is truly worth (Wang et al., 2023).

The pending question is whether trading our privacy for convenience and information is ideal or whether it's time to advocate for more transparent options. The conversation surrounding privacy, consent, and user autonomy is only beginning, and it is expensive to ignore, considering its dire implications. However, this also presents an opportunity for us, as users, to demand more from the digital platforms we engage with and to shape a future where our privacy is not a commodity.

What Are Cookies?

Internet cookies have become a staple of our online experience. In a 7-year-old language, cookies are text files stored on your device that play a crucial role in how websites interact with users. They record user activities and remember preferences, for example, chosen language or login details. In addition, they can enable targeted advertising by tracking user browsing patterns. However, as convenient as they might be, cookies pose data privacy and security issues.

Recent studies highlight the dual-edged nature of cookies. The convenience of having cookies for users is marred by a dark side, which is unpopular and unknown to many users. They can collect and share sensitive personal information with third parties, leading to concerns over pervasive user profiling and potential security risks, according to experts like Johansen (2023) and Roberts (2024). The ability for cookies to collect personal data creates vulnerabilities users may not fully understand or anticipate.

Due to the increasing awareness of these privacy issues, organisations have had to make adjustments to how they track users online. In response to evolving privacy regulations and users' declining acceptance of cookies, a sophisticated array of alternative tracking methods has emerged. Techniques such as fingerprinting and tracking pixels now enable publishers to identify and monitor users without relying solely on traditional cookies. This shift allows them to maintain access to essential user data using cookies while navigating the complex landscape of privacy laws (EDPB, 2021; Libert, 2015).

These innovative tracking systems represent a new era in online advertising and data collection. However, they also raise significant ethical considerations. As technology continues to advance, the balance between enhancing user experience and protecting privacy will remain at the forefront of discussions about the future of digital interaction. Being proactive about privacy can lead to a more secure and enjoyable online journey for everyone.

How Cookies Work Diagram

A simple view of how internet cookies work

The "Consent or Pay" Model

The "consent or pay" presents users with a choice: either consent to having their online activities tracked through cookies or pay a subscription fee to browse without being monitored. Regulatory bodies and digital rights advocates argue that this model could lead users to feel coerced into giving consent, undermining the principle of freely given and informed consent outlined in the General Data Protection Regulation (GDPR). The European Digital Rights Initiative (EDRi) highlights that requiring users to pay for privacy might exacerbate digital inequality, creating a divide between those who can afford to pay and those who cannot.

This trend is particularly noticeable among ad-driven publishers with large readerships. In the UK, several major news websites have begun implementing this model. Notable examples include The Times, The Sun, The Independent, Mail Online, The Mirror, and The Express—all of which now require users to make a payment to opt out of being tracked. This puts readers in a position where they must weigh the value of their privacy against the cost of accessing news and information.

Across Europe, similar frameworks are on the rise, with prominent news outlets such as Le Monde and Le Figaro in France, alongside Der Spiegel, Die Zeit, and Frankfurter Allgemeine Zeitung (FAZ) in Germany, adopting similar models that request data consent while simultaneously offering subscription-based alternatives. These approaches aim to strike a balance between sustained revenue streams and adhering to stringent privacy regulations.

As the battle between privacy and accessibility unfolds, there are implications for users. The choice between allowing intrusive tracking or paying for privacy may not only reshape our online experiences but also reinforce existing inequalities. However, as regulators, advocates, and publishers navigate these complexities, the future of online privacy remains uncertain. This uncertainty underscores the importance of user awareness and engagement in the evolving digital privacy landscape.

Article content

Legal Validity Under GDPR

Let's delve into the specifics: How does this model comply with European data protection laws, particularly under the General Data Protection Regulation (GDPR)? GDPR has a commitment that ensures user consent is both genuinely informed and freely given. The European Data Protection Board (EDPB) emphasises that consent cannot be deemed valid if a significant power imbalance exists between the user and the data controller. This means that if users feel pressured into consenting to unnecessary data processing in exchange for access to a service, the legitimacy of that consent can be called into question.

However, recent legal insights are beginning to reshape our understanding of this model. The EDPB's guidance suggests that offering users a reasonable alternative, like a paid, ad-free subscription, can fulfil the requirement for free choice. This alternative must be a viable option that users can realistically consider without feeling coerced.

The implications of this are significant. It means that while the "consent or pay" model may appear to be in compliance with GDPR on the surface, its practical application must be examined closely.

Article content

The European Pushback

There have been accounts of European regulatory authorities expressing concerns about the so-called "consent or pay" model that many digital platforms employ. The European Data Protection Board (EDPB) has been at the forefront of this critique of the validity of consent obtained under such pressure, highlighting the disproportionality of the model as it affects financially vulnerable individuals, who often have few options but to comply with the demands set forth by these platforms. They highlight the problematic nature of this situation, asserting that when users are presented with such stark choices, the essence of genuine consent is fundamentally compromised.

To address these concerns, the EDPB is advocating for a more equitable landscape. They argue that platforms should provide an alternative—a free, non-tracking version of their services. This would not only uphold the digital rights of users but also ensure that consent is obtained under fair conditions, devoid of economic pressure or coercion.

The UK's Approach

In contrast, the UK Information Commissioner's Office (ICO) has adopted a forward-thinking approach to data privacy. In January 2025, the ICO introduced groundbreaking guidelines for what's termed "consent or pay" frameworks, offering a new avenue for balancing user choice with user protection. The essence of the "consent or pay" model is simple: users can now choose between consenting to their data being tracked or opting to pay a fee to maintain their privacy. This could reshape how businesses approach data collection, but it is not without its stringent requirements aimed at safeguarding user rights.

They laid out several vital criteria that must be met for this framework to be implemented successfully:

Free and Genuine Choice – Users are not required to give consent.

Reasonable Fee – Payments for rejecting tracking must be realistic and not exploitative.

Service Equivalence – Paid and free services must be made to be significantly alike.

Clear Transparency – There must be a detailed explanation to users about what information is being collected and for what purpose.

No Manipulation – Interfaces should avoid "dark patterns" or deceptive design.

Protection for Vulnerable Users – Special care must be taken to cater for children and financially vulnerable users.

A Growing Digital Divide?

The implications of "consent or pay" extend beyond compliance. This model risks creating a two-tiered internet, where privacy becomes a luxury available only to the privileged. As platforms monetise consent and charge for privacy, younger users with fewer financial resources are pushed into surrendering their data, creating an imbalance in privacy rights (ICO, 2024). Notably, Facebook and Instagram have implemented similar consent-or-pay frameworks in Europe only, reflecting a broader trend of regional experimentation with user data models (Meta, 2024).

In conclusion, the "consent or pay" practice sits at the intersection of business sustainability and digital rights. While it offers publishers a way to remain financially viable in a privacy-conscious world, its long-term consequences for user autonomy and consent integrity must be prioritised. It is pertinent for regulators to continuously monitor and assess the implementation of consent or pay models to prevent abuse and ensure sustained compliance with data protection laws. The burning question is not "Are users allowed to choose?"—but "Are the options fair?"

Author: Nnanyere Ekenna, GRC Analyst, Cybervists.

Follow us on;

YouTube: Cybervists_community

LinkedIn: Cybervists on LinkedIn

REFERENCES

Barbora Korcova, February 11, 2025. Compliance Data Protection Law.

https://emlaw.co.uk/paying-for-privacy-understanding-the-icos-consent-or-pay-rules/

Cornia, A., Sehl, A., & Nielsen, R. K. (2020). Private sector news, social media distribution, and algorithm change: Strategies and dilemmas. Reuters Institute for the Study of Journalism. https://reutersinstitute.politics.ox.ac.uk/our-research/private-sector-news-social-media-distribution-and-algorithm-change-strategies-and

European Digital Rights (EDRi). (2024, March 7). Open letter: Digital rights advocates unite against Meta's "Pay or Okay" – Privacy and data protection are NOT for sale. EDRi. (https://edri.org/our-work/open-letter-digital-rights-advocates-unite-against-metas-pay-or-okay-privacy-and-data-protection-are-not-for-sale/)

European Commission. (2024). Guidance on consent under Regulation (EU) 2016/679. https://ec.europa.eu/info/law/law-topic/data-protection_en

European Data Protection Board (EDPB). (2021). Guidelines 05/2020 on consent under Regulation 2016/679. https://edpb.europa.eu/our-work-tools/our-documents_en

Information Commissioner's Office. (2024). DLG response on call for views on "consent or pay" business models. ICO. 20240417-corp-cfv-reply-dlg.pdf

Information Commissioner's Office. (2025). Consent or pay: About this guidance. ICO. (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/online-tracking/consent-or-pay/about-this-guidance/#what)

Information Commissioner's Office (ICO). (2025). Consent or pay: About this guidance. ICO. [https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/online-tracking/consent-or-pay/about-this-guidance/#what] (https://ico.org.uk/media2/d5bn5kj1/consent-or-pay-summary-of-call-for-views.pdf)

Johansen, A. G. (2023, June 14). Should you accept cookies? 5 times you definitely shouldn't. Norton. Retrieved from (https://us.norton.com/blog/privacy/should-i-accept-cookies)

Libert, T. (2015). Exposing the invisible web: An analysis of third-party HTTP requests on 1 million websites. International Journal of Communication, 9, 3544–3561. https://ijoc.org/index.php/ijoc/article/view/3157

Meta. (2024, November 12). Facebook and Instagram to Offer Subscription for No Ads in Europe. https://about.fb.com/news/2024/11/facebook-and-instagram-to-offer-subscription-for-no-ads-in-europe/

Osborne Clarke. (2025, February 6). ICO delivers its verdict on "consent or pay" in the UK. Osborne Clarke. Retrieved from (https://www.osborneclarke.com/insights/ico-delivers-its-verdict-consent-or-pay-uk)

Roberts, J. (2024, November 18). 20 pros and cons of cookies. ProsPlusCons.com. (https://prospluscons.com/pros-and-cons-of-cookies/)

The Audiencers. (2024). With tightening regulations, these publishers are already using cookie walls to increase consent rates. https://theaudiencers.com/with-tightening-regulations-these-publishers-are-already-using-cookie-walls-to-increase-consent-rates

Tobitt, C. (2024, September 12). 'Consent or pay': Why UK news websites are getting tough with readers over data. Press Gazette. (https://pressgazette.co.uk/marketing/consent-or-pay-news-websites-uk/)

UniConsent. (2025, February 6). UK ICO "Consent or Pay" Guidance 2025: Compliance and Best Practices. UniConsent. Retrieved from (https://www.uniconsent.com/blog/uk-ico-consent-or-pay-guidance-2025)

Veale, M., & Borgesius, F. Z. (2021). Adtech and real-time bidding under European data protection law. German Law Journal, 21(1), 13–38. https://doi.org/10.1017/glj.2020.82

Wang, P., Jiang, L., & Yang, J. (2023). The early impact of GDPR compliance on display advertising: The case of an ad publisher [Working paper]. (https://pep.gmu.edu/wp-content/uploads/sites/28/2023/05/Li-Jiang_GDPR_updated-paper_2023.pdf)