Personalized advertising is a key driver of the digital economy, but it also sits at the center of regulatory debates across Europe. At Empowering Privacy Germany, a panel of experts explored how changing rules on consent are reshaping business models, as organizations balance data protection, user experience, and commercial realities.
The discussion brought together voices from across the industry, including representatives from technology, publishing, and regulatory authorities. Together they examined the current state of “pay or consent” models, the challenges of regulatory fragmentation, and what a workable future for advertising-funded services might look like. The insights from this conversation result in concrete next steps you can bring back to your team and apply in your compliance program.
The panel featured:
- David Pfau, Converi Digital Development, Managing Director at conreri digital development
- Julia Kühne, Director Data Privacy & Tech, AI Governance & Management at Axel Springer
- Carolin Loy, Head of Division, Digital Economy & AI at BayLDA
- Simon Weidler, EMEA Policy Manager, Privacy & Data Regulation at Meta
From a German debate to a global question
The panel began with a look back at the origins of the “pay or consent” debate. David Pfau explained that in Germany, strong regulatory pressure around personalized advertising led to a binary model: either accept ads or pay for an ad-free subscription.
What began as a national response has since spread internationally, with ad-free access increasingly becoming a standard product feature on global platforms such as Netflix.
A third model, referred to as “no money, no data use,” was highlighted by Pfau as a legal gray area, lacking a solid legal foundation, yet still influencing broader discussions about the role of consent. He noted that its significance could extend beyond advertising, influencing how future digital business models, including AI training, are funded.
Consent in practice: Transparency, choice, and limitations
While consent is a central aspect of this regulatory debate, its practical application isn’t always straightforward. Subscription models aren’t feasible for everyone, and users want free access to content. Carolin Loy stressed that this makes the question of “free choice” particularly difficult, especially when it comes to minors.
Additionally, the discussion highlighted that transparency (in this case: informed consent) is just as critical as freely given consent.
Users need to clearly understand what they are consenting to, including how their data will be used and shared, and for how long. Ideas like a “content pass”—enabling unified consent across multiple websites—could offer more consistency for both users and businesses.
The publisher’s perspective: Between necessity and uncertainty
For publishers, personalized advertising remains essential. Julia Kühne stressed that without it, funding high-quality content at scale is nearly impossible. From her perspective, users also prefer ad-supported content, as long as it is relevant and free to access— relevance that can only be achieved through data.
At the same time, Kühne noted that publishers are operating without planning certainty.
Enforcement and interpretation of the rules vary across German states, with some authorities seeking balanced solutions and others taking a stricter line. According to Kühne, this fragmentation makes it difficult to commit to long-term strategies and highlights the urgent need for regulatory consistency.
Competition and the role of smaller players
The panel also touched on competitiveness. Free digital services are built on advertising, and Simon Weidler argued that without personalized targeting, smaller companies with limited marketing budgets are at a disadvantage. He says larger platforms can afford broad campaigns, but smaller businesses depend on precision to reach their audiences effectively.
He linked this to broader regulatory debates, pointing to the European Data Protection Board (EDPB). According to Weidler, some of its opinions extend too far and risk undermining the GDPR’s principle of free movement of personal data within the EU.
Regulators and the need for clear rules
From the authority side, the challenges are equally clear. As Carolin Loy pointed out, GDPR was not designed specifically for today’s online advertising environment, and the long-delayed ePrivacy Regulation could have provided more tailored guidance. She added that strict interpretations of consent raise doubts over whether “consent or pay” models can work at all, yet there are few alternatives that secure funding for free digital content.
This is where nuance comes in.
Regulators are not only focused on the element of freely given consent but also on ensuring that consent is truly informed. Pragmatic solutions are possible—such as limits on data transfer or stronger withdrawal rights—but they depend on legal clarity.
Loy emphasized that it is not the authorities’ role to design business models, but to enforce laws. For sustainable solutions, lawmakers need to step in with clearer regulations that reconcile data protection with the realities of digital business.
Looking ahead: What needs to change
When asked about their outlook, panelists identified different areas for improvement. From Simon Weidler, there was a call for the EDPB to act more responsibly and avoid overregulation, and for lawmakers to provide clearer, more practical rules to guide companies and regulators alike.
On the publishers’ side, Julia Kühne stressed the need for “legitimate interest” to be recognized as a stronger legal basis in certain contexts, enabling a balance between consumer protection and industry needs. From the regulatory perspective, Carolin Loy’s message was that such adjustments cannot come from authorities alone. The law itself must evolve to define how digital business models can coexist with strong data protection.
In the meantime, David Pfau encouraged companies not to wait for perfect clarity but to take initiative, test solutions, and adapt as the legal framework develops. Boldness in experimentation, combined with safeguards for users, could pave the way for workable models in the absence of immediate regulatory certainty.
5 actions to put into practice now
Here are five practical steps you can take now to stay compliant and strengthen customer trust while keeping your business needs in balance:
- Prioritize informed consent: Ensure users clearly understand what they agree to, provide simple options, and make withdrawal as easy as consent
- Centralize consent records: Collect and store consent consistently across all channels to create a single, audit-ready source of truth
- Enable preference management: Allow users to set and update their communication preferences and adapt interactions accordingly
- Monitor consent trends: Track opt-in rates and user behavior over time to spot patterns, improve usability, and address gaps
- Maintain a clear audit trail: Keep detailed records of the entire consent lifecycle to demonstrate compliance and respond quickly to requests
Future-proof your consent models
The discussion highlighted that advertising and consent are part of the same equation. Free digital content relies on personalized ads, but evolving regulations demand higher standards of transparency and user control.
For organizations, the way forward is clear: embed consent into business strategy, design processes that are transparent and user-friendly, and build trust as a measurable outcome. Companies that see consent as a foundation for trust, rather than just a legal obligation, will be the ones to build sustainable digital business models.
Looking for more insights like these into the latest challenges and opportunities in privacy and compliance? Subscribe to our newsletter and receive updates straight to your inbox.
.jpg?width=250&height=130&name=DataGuard%20epp%20event-27%20(1).jpg)
.jpg?width=250&height=130&name=DataGuard%20epp%20event-78%20(1).jpg)
_EasiestSetup_EaseOfSetup.svg?width=200&height=200&name=ConsentManagementPlatform(CMP)_EasiestSetup_EaseOfSetup.svg)