Ruling on "Pay or Okay" models: Genuine freedom of choice is mandatory

August 19, 2025

Categories:

Article by Aristotelis Zervos, Data protection in Europe, Consent

Aristotelis Zervos

Aristotelis Zervos, Editorial Director at 2B Advice, combines legal and journalistic expertise in Data protectionIT compliance and AI regulation.

Cookie banners have long been part of everyday life, but their legal admissibility remains controversial. Particularly controversial is the question of whether so-called "pay or okay" models are compatible with the GDPR are compatible. This involves the choice between Consent in extensive data processing or a paid subscription. In its ruling of 13.08.2025, the Austrian Federal Administrative Court (BVwG) drew a clear line in this regard for the first time. The decision affects not only media companies, but all companies that rely on digital advertising financing.

Background to the procedure

The proceedings began in a from noyb - European Center for Digital Rights brought in Complaint on behalf of an affected user. Object of the Complaint was the question of whether the derStandard.at practiced combination of cookie banner and PUR subscription model ("Pay or Okay") is a valid legal basis for the Processing of personal data.

Noyb's accusation: "Instead of giving users a real choice, they can either take out a monthly subscription at a current price of €9.90 or agree to online tracking by hundreds of third-party providers."

The Data Protection Authority (DPA) had accepted some of the objections in the first instance proceedings, but at the same time made key requests, in particular regarding the ban on the Processingnot treated or only treated to a limited extent. This led to a Complaint to the BVwG, which was to comprehensively examine the factual and legal situation.

The Federal Administrative Court not only had to deal with the admissibility of Cookies and tracking technologies, but also with the fundamental issues of the voluntary nature of consent and the legitimacy of "consent or pay" or "pay or okay" models. The proceedings were therefore at the interface between media financing, the digital advertising industry and European data protection law.

Inadmissibility of cookie processing

In its decision, the BVwG dealt in detail with the issues raised by derStandard.at set Cookies and the associated data processing. It clarified that even the mere storage or reading of Cookies personal data such as IP address, browser information or unique identifiers and therefore meets the requirements of the GDPR is subject to.

In particular, the court criticized the fact that these processing operations were carried out without an effective and specific Consent of the users. Mere consent via the initial cookie banner was not sufficient because neither a informed Decision another purpose-differentiated choice was given. In the opinion of the BVwG, this constitutes a clear Infringement against Art. 6 para. 1 lit. a GDPR.

As a result, the court followed the DSB, which had already come to the conclusion that no valid Consent was available. It rejected the Complaint of the media owner, insofar as the latter had claimed that the processing was lawful. In particular, it was emphasized that "technically unnecessary" Cookiesfor example for Tracking or advertising purposes, may under no circumstances be used without express consent.

In addition, the BVwG emphasized the obligation to provide comprehensive information: users must be able to clearly see which data is processed for which purposes, which third-party providers are involved and what the consequences of a refusal are. A blanket reference to "improving the user experience" or similar formulas is not sufficient.

The court's findings show that it is not just a question of the formal submission of a Consent but rather the quality and effectiveness of this consent. The ruling is thus in line with previous ECJ case law (e.g. Planet49) and specifies the requirements in the Austrian context.

Consent requirement

The BVwG worked out in great detail what the GDPR and the case law of the European Court of Justice to a valid Consent to set. It is not enough for users to agree to all possible purposes with a single click. Rather, the Consent informed, specific, voluntary and unambiguous.

The court emphasized in particular:

Separation of purpose: For each processing purpose - such as web analysis, personalized Advertisingsocial media plug-ins - a separate opt-in is required. A "general consent" contradicts Art. 6 and 7 GDPR.
Transparency: Users must be informed in advance in clear, understandable language about what data is being processed, by what means, by whom and for what purpose. Vague formulas such as "improving the user experience" are not enough.
Revocability: One Consent must be revocable at any time as easily as it was granted.
Documentation obligation: The Responsible persons bears the burden of proof that an effective Consent is available.

In this context, the BVwG referred to the ECJ rulings Planet49 (C-673/17) and TC-String (C-604/22). Both rulings make it clear that an "all-or-nothing" model does not meet the requirements of voluntariness and granularity. Austrian case law adopts these standards and requires that users have genuine freedom of choice over the individual data processing operations.

Reading tip: Does the cookie banner also have to include a "reject all" option?

"Pay or Okay": Inadmissibility of cookie processing

Evaluation of the "Pay or Okay" model

The BVwG clarifies: "Pay or Okay" is not a carte blanche for comprehensive Tracking. The voluntary nature of the Consent must be examined on a case-by-case basis (Art. 4 No. 11, Art. 7 GDPR; recitals 32, 42, 43). The decisive factor is whether users have a real, non-pressure alternative to data processing and whether the Consent is specifically designed for each purpose.

Standard of review of the court:

Genuine freedom of choice instead of de facto coercion
No design that actually forces users to click "Agree" (e.g. excessive friction/time expenditure, hidden rejection paths, visual nudging). Reject and consent options must be equally accessible (UI symmetry, no misleading).
Purpose granularity also with Pay-Alternative
A subscription pathway does not replace the obligation to provide purpose-related Consent. It remains inadmissible to bundle several purposes ("general consent").
Transparency and informedness
Clear, comprehensible information on data categories, recipients/third-party providers, purposes, storage duration and consequences of refusal.
Fairness of the alternative performance ("pay")
The payment option must be serious and reasonable (no prohibitive pricing, no hidden "lock-in", no functional degradation).
Data economy & Earmarking
Even if granted Consent only data required for the intended purpose may be processed. Any further Tracking is inadmissible.

Application to the PUR/"Pay or Okay" model of derStandard.at:

The court recognizes the fundamental permissibility of pay alternatives, but criticizes the specific implementation:

The Consent was not granular; several purposes were effectively combined.
The Rejection was associated with significantly higher friction than the consent (UI/flow asymmetry), whereby pressure for Consent was created.
The Iinformation situation in the banner/flow was insufficient. Users could not recognize the range and consequences of the Processing not have a sufficient overview.
The Payment alternative was not as a fully-fledged, fair option (partly due to the design of the order path and the link to flat-rate purpose packages).

Legal consequence:

In the absence of voluntary and purpose-related Consent applies the Processing for non-essential purposes is unlawful. The BVwG confirms: "Pay or Okay" remains possible, but requires a high level of protection. In particular, genuine freedom of choice, finely granular opt-ins, transparent information and a reasonable, equivalent payment alternative.

Rights of the data subjects

The BVwG clarified that affected Persons after the GDPR have a wide range of rights that extend beyond individual complaints. They can not only provide information, Correction, Deletion or restriction of the Processing demand. Based on Art. 80 GDPR they can also make use of representation by institutions such as NGOs.

In the present proceedings, the court confirmed that noyb had the Complaint effectively on behalf of the person concerned. The objection of the opposing party that this constituted an abuse of rights was expressly rejected. The BVwG thus strengthened the role of civil society organizations in the enforcement of data protection claims.

The ruling makes it clear that Affected parties are not solely dependent on their individual resources, but can use the support of specialized institutions. This should ensure that even complex or structural data protection violations can be effectively prosecuted.

Final clarification of "Pay or Okay" before the ECJ?

An appeal has been lodged against the judgment. Appeal to the Administrative Court (VwGH) possible In addition, a Submission to the ECJ cannot be ruled out. This means that the classification under EU law, in particular with regard to the requirements of voluntariness and granularity of purpose in the case of "pay or okay", remains potentially open to further clarification.

Significance for practice and companies

The ruling goes far beyond the individual case and has a signal effect for a large number of industries that rely on online advertising, Tracking and subscription models. It makes it clear that purely formal consent without genuine freedom of choice is no longer viable and that supervisory authorities and courts are intensively examining the quality of consent processes.

For Media company This means that they must not only review and redesign their cookie banners, but also all hybrid financing models. In future, PUR or "consent or pay" offers must be designed in such a way that they offer a fair, reasonable alternative to data processing without de facto coercion to consent.

Consent management platforms are faced with the task of providing differentiated, purpose-related opt-in options in a technical and user-friendly manner. They must develop interfaces that present refusal and consent equally and make the granularity of consent transparent.

Supervisory authorities This ruling provides a clear guideline: complaints must be comprehensively examined, applications for processing bans must be seriously assessed and the requirements of the ECJ must be consistently implemented in national proceedings.

Finally, the judgment also shows for the Compliance practice in companiesthat data protection-compliant business models will focus even more strongly on genuine freedom of choice in future, Transparency and verifiability. This not only affects media companies, but also e-commerce, platform operators and app developers who use comparable models.

We support the implementation of legally compliant consent strategies

Overall, the ruling puts a stop to legal gray areas and provides a clear direction for future business models in the digital space. Companies should take this trend seriously and invest in data protection-compliant solutions at an early stage.

Source: Judgment of the Austrian Federal Administrative Court of 13.08.2025 (W 291 2272970 1/30E)

If you need support in implementing legally compliant consent strategies and "pay or okay" models, please contact us. With Ailance® we offer the perfect solution that combines user-friendliness and legal security.

Aristotelis Zervos is Editorial Director at 2B Advice, a lawyer and journalist with profound expertise in data protection, GDPRIT compliance and AI governance. He regularly publishes in-depth articles on AI regulation, GDPR compliance and risk management. You can find out more about him on his Author profile page.