A new complaint targets Schibsted’s rollout of “Pay or Okay” across major Nordic news platforms. The model forces users to either accept personalised ad tracking or pay to avoid it. Regulators and consumer advocates argue this collapses meaningful consent into a pricing mechanism rather than a voluntary privacy choice.
What changed in Nordic media and Schibsted’s Pay or Okay model#
Schibsted, one of the largest media groups in the Nordics, has expanded a “Pay or Okay” consent model across its news properties, including major outlets such as Aftenposten, E24, and VG. The mechanism replaces traditional cookie consent banners with a binary choice: accept tracking for personalised advertising or pay a fee to refuse it.
The Norwegian Consumer Council and the privacy organization noyb have filed a complaint arguing that this structure undermines the GDPR requirement for freely given consent. The core claim is simple: if refusal has a price tag, consent stops being neutral.
This model has already been adopted across parts of Europe and by major platforms, but remains controversial in Nordic markets, where it was previously rare. Schibsted’s rollout marks a regional scaling point rather than an isolated experiment.
Why does Pay or Okay matter for privacy risk and consent?#
Pay or Okay converts a legal consent requirement into a pricing constraint. Instead of asking whether a user agrees to behavioral tracking, it asks whether they can afford privacy.
Privacy advocates argue this produces structurally inflated consent rates. Industry data cited in the complaint suggests acceptance rates above 99% when users face a paywall alternative, while independent studies indicate only a small fraction of users actively prefer behavioural advertising. The gap is used to argue that consent becomes procedural rather than genuine.
Finn Myrstad of the Norwegian Consumer Council frames the issue as a rights problem, not an advertising issue: privacy becomes a premium feature rather than a baseline expectation. The implication is systemic: once scaled across major publishers, it normalizes coercive consent design patterns.
Definition capsule: Pay or Okay#
Pay or Okay is a consent mechanism where users must either accept personalised advertising tracking or pay a fee to opt out. It replaces granular consent controls with a binary economic trade-off.
Pay or Okay vs traditional consent banners#
| Model | User choice | Economic pressure | Consent quality claim |
|---|---|---|---|
| Standard GDPR banner | Accept, reject, or configure | Low or none | Variable, depends on design |
| Pay or Okay model | Accept tracking or pay to refuse | High (direct cost to refuse) | Disputed; often argued to be non-freely given |
The key difference is not interface design but incentive structure. Traditional banners rely on opt-in friction. Pay or Okay adds explicit monetary friction to refusal.
What to check before engaging with Pay or Okay systems#
Consent screens under Pay or Okay setups should be evaluated by what they do structurally, not how they are presented. Three operational checks matter:
First, whether refusal is technically possible without payment. If not, consent is structurally constrained.
Second, whether pricing is proportional or punitive. High opt-out costs function as behavioral steering, not cost recovery.
Third, whether tracking is bundled across services. Cross-site profiling increases downstream privacy risk even if the immediate interface looks simple.
These checks matter for understanding how “choice” is implemented in practice, not just in policy text.
What not to overclaim about consent rates#
High acceptance rates in Pay or Okay systems do not automatically prove user preference. They often reflect interface design under constrained alternatives. A 99% acceptance rate can indicate preference, resignation, or cost avoidance simultaneously.
The complaint against Schibsted explicitly argues that such rates cannot be treated as evidence of meaningful consent under GDPR standards. The legal question is not how many people click “accept,” but whether refusal is realistically accessible without distortion.
Operational implications for security and data systems#
Pay or Okay systems increase the scale of behavioural data collection by design. Higher consent rates expand the dataset available for profiling, targeting, and inference models. This increases both commercial value and privacy exposure.
From a security operations perspective, larger behavioural datasets also increase blast radius in the event of a breach or misuse. The risk is not only tracking intensity but dataset centralization.
What not to overinterpret#
This case does not automatically establish illegality. It signals regulatory friction around a design pattern that sits between consent law and business model optimization. Outcomes depend on how data protection authorities interpret “freely given” under economic pressure conditions.
FAQ#
Is Pay or Okay explicitly banned under GDPR?
No. It is not explicitly prohibited. Its legality depends on whether consent is judged to be freely given in context.
Why are media companies adopting it?
It preserves ad revenue while maintaining formal consent flows. It shifts opt-out from a design problem to a pricing problem.
Does high consent rate prove user approval?
No. It may reflect constrained choice rather than preference.
What is the core regulatory concern?
That payment barriers distort consent into a financial decision rather than a privacy decision.