'Pay or OK' – 'Consent or Pay' resources
members
–
5 min read
Meta to launch new model in Jan | ICO shares guidance for the public
Norway DPA fines Grindr NOK 65 million for invalid consent
members
–
3 min read
🔥 25 Nov: Grindr won't appeal after the Borgarting Court of Appeal upheld the record NOK 65m (~€5.5m) fine against them for disclosing users' special category personal data to third parties for behavioural advertising without a valid consent.
CJEU C-654/23 Inteligo Media 13 Nov 2025
members
–
7 min read
If a user creates a free account and gets access to articles, newsletters and the option to pay for further content, this falls under Art. 13(1) and (2) ePD as 'sale of a service' and 'direct marketing', and you don't need a legal basis under Art. 6 GDPR, in line with Art. 95 GDPR.
CJEU C-40/17 Fashion ID 29 Jul 2019
members
–
4 min read
You’re a (joint) controller if you use third-party tools on your website that share personal data with the provider – but only for parts where you (jointly) determine purposes and means. If you collect the data, you must inform and get consent, and each controller must pursue a legitimate interest.
Lawfulness: Consent
members
–
6 min read
Latest update: Luxembourg DPA with updated guidance. Start here for all things consent: when to rely on and not, practical tips and key resources (GDPR, DPD, CFR, OECD, CJEU rulings and EDPB guidance).
My Meta Pay or Okay experience - now they're cutting the price with 40%
members
–
5 min read
Latest: Meta reduces sub prices and offers new free choice with less personalised ads, claiming it "goes beyond what is required in the law". 💸 And gets huge fines: €797.72m from the 🇪🇺 EC for antitrust violations and $25.4m from 🇮🇳 India's competition authority for 2021 privacy notice failures.
CJEU C-252/21 Meta Platforms and Others (General terms of use of a social network) 'Bundeskartellamt' 4 Jul 2023
members
–
6 min read
The 'Bundeskartellamt' ruling, where the CJEU applies 'strictly' to the legal bases necessity test for the first time. 🔥 You might rely on legitimate interest for direct marketing, network security or product improvement, but the processing must now meet this higher threshold.
Dutch DPA on education sector social media marketing
members
–
4 min read
The DPA stresses that their advice applies generally to all social media and "of great importance" to all educational institutions and similar organisations in 🇳🇱.
CJEU C-129/21 Proximus (subscribers' consent) 27 Oct 2022
members
–
3 min read
Consent is required to list subscribers' details in publicly available directories. If obtained, including on behalf of other controllers, a data subject can withdraw it (= an erasure request) from any of them, and each controller may need to inform the others.
EDPB's controversial ‘Consent or Pay’ Opinion is here
members
–
2 min read
[Updated 24 April with highlighted file + 🎙️] Is the EDPB trying to "rewrite the entire economic model of Big Tech and the adtech industry in the EU"? 🤔 Controversial Opinion just published!
Denmark DPA says cookie walls are legal - and not
members
–
2 min read
Update 26 Mar 2024: the DPA rejects reopening the cases, upholding that analytics/statistics aren't a necessary part of the alternative to paid access.
EDPB Guidelines 5/2020 on consent
members
–
6 min read
A 1-page summary of the EDPB's Guidelines: structure of valid consent, when is it invalid, what to do when it's withdrawn, key highlights and resources.