In April 2025, the European Commission imposed a €200 million fine on Meta for breaching the Digital Markets Act (DMA). The violation? Meta’s controversial “pay or consent” model, which forces users to choose between surrendering their personal data for targeted advertising or paying a monthly subscription to avoid tracking.
The ruling marks a watershed moment in Europe’s approach to digital rights. Regulators have made it clear: privacy is not a commodity — and coercive consent mechanisms are no longer acceptable from so-called “gatekeeper” platforms under EU law.
The irony? The exact same model is being used by UK media giant Reach plc, owner of The Mirror, Express, Daily Record, and dozens of regional news titles. But in post-Brexit Britain, there’s been no investigation, no penalty, and no public scrutiny from the Information Commissioner’s Office (ICO).
Meta’s €200 million fine is now headline news. But you won’t be able to read it on a Reach website without agreeing to be tracked — or paying £1.99 a month for the privilege of keeping your data private.
Meta’s DMA Breach: What Happened?
Meta’s model, introduced in Europe in late 2023, offered users a stark choice: consent to personalised advertising, or pay up to €12.99/month for an ad-free experience. The company claimed this met the requirements of the GDPR and was a fair trade-off.
The European Commission disagreed.
Under the Digital Markets Act, which came into effect in March 2024, “gatekeepers” like Meta must ensure that users can freely give, refuse, or withdraw consent without being nudged or penalised. In their April 2025 ruling, the Commission found that Meta’s model fails to provide a genuine alternative, and that charging users to retain their privacy undermines the very concept of consent.
“By monetising the refusal of consent, Meta has violated the DMA’s core principle: that users should have real, free control over their personal data.“
— EU Commission Statement, April 2025
The fine is not just punitive — it’s symbolic. It sets a precedent that digital consent must not be transactional.
Meanwhile, in the UK: Business as Usual for Reach plc and other Media giants
The message is loud and clear in Brussels. But in Westminster? Silence.
On Reach plc’s network of UK news sites, users are met with this choice every day:
“By clicking ‘I Accept’ you will agree to your data being used for personalised advertising…
If you click ‘Reject and Pay’, you will need to sign up to our Privacy Plus subscription service for £1.99 per month.”
This model is nearly indistinguishable from Meta’s. In fact, it’s arguably more aggressive — since Reach is not a social platform but a provider of public-interest journalism. Unlike Meta, which offers access to communication tools, Reach is asking readers to either trade their data or pay to access the news.
And yet, despite the legal and ethical questions this raises, the UK’s Information Commissioner’s Office (ICO) has remained conspicuously quiet.
Legal Frameworks: The DMA vs. the UK’s Post-Brexit GDPR
It’s important to understand the legal context.
-
The DMA applies only to designated “gatekeeper” firms operating within the EU, which includes Meta — but not Reach.
-
The UK, post-Brexit, is no longer subject to the DMA.
-
However, the UK GDPR still mirrors many of the same principles from the EU’s GDPR.
Most notably:
-
Article 4(11) of the UK GDPR states that consent must be “freely given, specific, informed, and unambiguous.”
-
Article 7(4) explicitly prohibits making access to a service conditional on consent, unless the data processing is strictly necessary.
-
Recital 43 clarifies that consent is invalid if there is a “clear imbalance between the data subject and the controller.”
Reach plc’s practice of forcing users to pay to opt out of tracking arguably violates all three.
While the European Commission has acted decisively, the UK’s regulator has chosen not to act at all. This marks a growing divergence between EU and UK enforcement — with Britain taking a markedly softer stance on privacy violations in the name of business flexibility.
Consent by Design — or Coercion?
Reach’s consent mechanism also mirrors Meta’s in more subtle ways:
-
It lists 1,496 advertising “partners”, accessed through the IAB’s Transparency and Consent Framework (TCF). This deluge of information overwhelms users rather than informing them.
-
The default design nudges users toward “Accept” with clear, simple buttons — while the alternative requires effort, understanding, or payment.
-
The use of subscription-based privacy turns a right into a product, making it affordable only to those who can pay.
This isn’t informed consent — it’s engineered surrender.
Hypocrisy in Plain Sight
Perhaps most frustrating is the hypocrisy. Reach plc has published multiple articles condemning Meta’s data practices and celebrating the EU’s regulatory efforts — while operating under the very same consent model they claim to oppose.
Media organisations play a crucial role in shaping public understanding of privacy and digital ethics. When they adopt the same questionable practices they report on, they erode trust not only in themselves, but in the idea that user rights can or should be protected at all.
What Should Happen Next?
If the UK is serious about data protection, the ICO must:
-
Investigate the legality of “pay or consent” models under the UK GDPR.
-
Provide clear guidance to publishers on acceptable consent practices.
-
Engage with European enforcement bodies to align the UK with evolving standards.
Until that happens, UK organisations may view the ICO’s inaction as a green light to continue monetising consent — while EU regulators take the lead in defining what digital rights actually look like in practice.
Final Thoughts: Privacy Is Not a Luxury
Meta’s €200 million fine is a turning point. It reaffirms that privacy is not a premium feature, and that real consent cannot come with a price tag attached.
But if the UK fails to respond — and if companies like Reach continue to operate with impunity — it will send a very different message:
That in Britain, your data is for sale.
That privacy is a privilege.
And that consent is just another checkbox — to be nudged, sold, or ignored.
The EU has drawn a line. Now the UK and more specifically our Government, must ask itself: Which side are we on?
Here at Improvementors we are part of the AMVEN group and together with our sister organisation Dategrity, we believe that privacy isn’t a privilege — it’s a fundamental right.
If you’re concerned about how coercive consent models are quietly reshaping digital ethics in the UK, now is the time to act. We help organisations, publishers, and regulators navigate the complex intersection of data compliance, user trust, and ethical design.
If you are concerned about GDPR or Data Privacy, why not set-up a meeting with our Dategrity Team to learn how we can support your organisation in building consent-first digital experiences — the kind that respect users, meet legal standards, and build long-term trust.
📬 Contact us today — because ethical data isn’t just good practice. It’s the future.
