Norway’s Consumer Council and privacy nonprofit NOYB have filed a complaint against Schibsted Media over the company’s “Pay or Okay” consent model, escalating the European fight over whether companies can charge users to avoid behavioral advertising and tracking.
The complaint targets Schibsted’s system, which requires users to either consent to personalized advertising based on their data or pay a fee to avoid that data use. Schibsted is one of the largest media groups in the Nordics and owns major brands including VG, Aftenposten, E24 and TV4.
NOYB and the Norwegian Consumer Council argue the model does not provide meaningful consent because users are effectively forced to choose between giving up personal data for targeted advertising or paying for privacy. NOYB Data Protection Lawyer Joakim Söderberg criticized the model sharply, saying that “profiteering from fundamental rights is not a legitimate business model in Europe.”
Why Pay-or-Consent Models Are Under Pressure
The case adds to growing scrutiny of “pay-or-consent” and “pay-or-okay” models across Europe. These systems generally offer users a choice: accept tracking for personalized advertising or pay for access without that tracking. Publishers and platforms argue the model gives users a choice while preserving ad-supported business models.
Privacy advocates argue the opposite. They say consent is not freely given when the alternative is a monetary penalty for exercising privacy rights. Under the GDPR, consent must be freely given, specific, informed and unambiguous. If a user agrees to tracking only because the alternative is paying extra, regulators may question whether that consent is valid.
The European Data Protection Board has already warned that companies using consent-or-pay systems must provide a real choice. In the context of behavioral advertising, regulators are increasingly focused on whether users have a genuine option to refuse tracking without being excluded, penalized or pushed into consent through economic pressure.
The Schibsted Complaint Could Matter Beyond Media Companies
Although the complaint focuses on a media publisher, the implications extend well beyond newspapers and digital subscriptions. Any company that conditions access, pricing or service quality on consent to tracking should pay attention.
The same logic could apply to cookie walls, consent banners, app permissions, premium privacy settings, loyalty programs and data-driven advertising models. If privacy becomes something users must pay extra to receive, regulators may view the model as coercive or incompatible with GDPR consent standards.
For publishers, the issue is particularly difficult. Digital media depends heavily on advertising revenue, and personalized advertising is often more valuable than contextual advertising. But European regulators and advocacy groups are drawing a sharper line between monetizing content and monetizing consent.
Compliance Takeaways for Businesses
The Schibsted complaint is another reminder that consent design is now an enforcement and litigation risk area. Companies should not treat consent banners as cosmetic website features. They should evaluate whether users can reject tracking as easily as they can accept it, whether paid alternatives are fair and proportionate, and whether the business is relying too heavily on consent for behavioral advertising.
Companies should review whether their websites and apps:
- Set non-essential cookies before consent.
- Make “accept” easier than “reject.”
- Use paywalls or pricing structures that pressure users into tracking.
- Bundle necessary service access with advertising consent.
- Fail to provide a meaningful non-tracking alternative.
- Rely on vague disclosures about personalized ads or data sharing.
For U.S. companies, the lesson is also relevant. Even though the GDPR standard is European, regulators and plaintiffs in the United States are increasingly scrutinizing dark patterns, opt-out friction, cookie practices, tracking pixels, and consent flows. A consent system that looks manipulative in Europe may also create risk under state privacy laws, consumer protection laws and website tracking litigation theories.
What Happens Next
The complaint now puts pressure on Norway’s data protection authority to decide whether Schibsted’s model gives users a genuine choice or unlawfully conditions privacy on payment. A decision against Schibsted could further constrain pay-or-consent models across Europe and push publishers toward less intrusive advertising alternatives.
The broader trend is clear: regulators and privacy advocates are no longer looking only at whether a consent banner exists. They are looking at how it works, what it costs the user, whether refusal is realistic, and whether the company’s business model depends on pushing users into surveillance-based advertising.
Captain Compliance helps businesses evaluate consent flows, cookie practices, privacy notices and website tracking risks so companies can avoid relying on consent mechanisms that may not withstand regulatory scrutiny.
