Norway's data protection authority, Datatilsynet, yesterday raised serious concerns about a new practice introduced by Schibsted, the Scandinavian media conglomerate, requiring readers to pay an additional fee of 39 Norwegian kroner per month if they do not want their personal data used for personalised advertising. The announcement, published on 30 April 2026, came after the regulator said it had been contacted by many members of the public who reacted negatively to the change.
The model is straightforward but contentious. Subscribers to Schibsted publications - including Aftenposten, VG, and Bergens Tidende - were informed this week that they can consent to the use of their personal data to receive targeted advertising. Those who decline must pay 39 kroner per month on top of their existing subscription fee. The charge applies solely as a condition for withholding data consent, not for any enhanced level of service.
The luxury problem
Line Coll, Director of the Norwegian Data Protection Authority, did not mince words. According to Datatilsynet, Coll said: "This is not good news for the privacy of most people. Privacy is a human right that should not be paid for. We are concerned that privacy on the internet will be reserved for the rich, that it will become a luxury item." She also noted that other groups could be pressured by this type of arrangement, specifically naming children, young people, and other vulnerable groups who either cannot afford to pay or cannot find privacy-friendly alternatives.
That framing - privacy as something only wealthier users can afford to protect - is significant. It shifts the debate from narrow legal technicalities to a broader question about who bears the practical burden of data protection in a market-driven digital environment. Datatilsynet's position is not that Schibsted has already broken the law, but that the model raises fundamental questions about whether the resulting consent is voluntary in any meaningful sense.
What the GDPR requires
The legal crux of the matter rests on the concept of freely given consent. Under the General Data Protection Regulation, businesses must obtain voluntary consent before using personal data. The requirement is not aspirational - it is what makes consent a lawful basis for processing. According to Datatilsynet, the regulator "questions whether consent is actually voluntary if the alternative is to pay. One may feel compelled to consent, especially if one has poor means."
This is not a new tension. The European Data Protection Board (EDPB) addressed the issue directly in April 2024. The EDPB, which comprises the data protection supervisory authorities of the European Economic Area, adopted Opinion 08/2024 on 17 April 2024, determining that, in most cases, "consent or pay" models implemented by large online platforms would not constitute valid consent under the GDPR. The central finding was that users presented with only a binary choice - pay or consent - are not exercising a genuinely free decision.
The EDPB's opinion identified four structural problems that recur in such models. First, conditionality: subscription fees for an ad-free experience should not be set at levels that effectively coerce users into consenting. Second, detriment: users must not face negative consequences, such as exclusion from services, for declining consent. Third, imbalance of power: large platforms occupy a position of significant structural dominance, which can compromise the voluntary nature of any agreement. Fourth, granularity: consent must be specific rather than framed as a single all-or-nothing choice.
Tobias Judin, head of the international section at Datatilsynet, was explicit about the enforcement implications. According to Datatilsynet, Judin said: "The Data Protection Council is crystal clear that privacy is a human right for all and not a commodity for sale. One cannot use the threat of fees as a means of pressure to force consent." He added that when supervisory authorities enforce the law, they will use the EDPB's statement as a basis - making it, in his words, "very important."
Schibsted's position in the Norwegian market
The significance of the Schibsted case extends beyond a single company's subscription policy. Schibsted is one of the most dominant media groups in Scandinavia. Aftenposten is Norway's largest broadsheet. VG is among the most-read tabloids in the country. Bergens Tidende holds a strong regional position in western Norway. When a media group of this size and reach introduces a privacy paywall, the consequences are not limited to a small segment of users who might easily switch to an alternative platform.
This is a point Datatilsynet makes explicitly. According to the regulator's statement, in many cases it is not possible to simply switch to an alternative service - for instance, because all friends and contacts are on a given platform, because important information is shared there, or because users have invested significant effort in building up a following and engagement on that platform. The GDPR is clear that users must not risk negative consequences if they refuse consent. The stickiness of media platforms, not unlike social networks, complicates what it means to have a real exit option.
A pre-existing dialogue
The Datatilsynet announcement also revealed that this is not the first time the regulator has engaged with Schibsted on the topic. According to the published statement, Datatilsynet has been in dialogue with Schibsted previously on this matter and asked the company to wait until the work currently under way in the European Union was completed.
That EU-level work refers to the EDPB's ongoing development of more general guidelines on "consent or pay" models - guidelines intended to apply across all types of services, not only large platforms. The EDPB indicated after issuing Opinion 08/2024 that broader guidelines would follow, with stakeholder input. The Norwegian Datatilsynet is a member of the EDPB and participates in shaping that guidance.
Schibsted's decision to proceed with the 39-krone fee despite this ongoing regulatory process, and despite Datatilsynet's earlier request to wait, is the context that makes the regulator's public statement on 30 April 2026 notable. Rather than simply flagging a legal concern, Datatilsynet is signalling that a company it had already engaged with privately has moved ahead with a model the authority considers problematic.
The EDPB opinion and its contested status
The regulatory backdrop matters for understanding the legal weight of Datatilsynet's current concerns. The EDPB's Opinion 08/2024 was adopted following a request from the data protection authorities of Norway, the Netherlands, and Hamburg - an unusual joint request that reflected the scale of the problem across multiple jurisdictions. The Norwegian authority was therefore directly involved in initiating the opinion that now forms the legal framework for evaluating models like Schibsted's.
That opinion has not gone unchallenged. Meta Platforms Ireland filed an action for annulment against Opinion 08/2024 at the General Court of the European Union on 27 June 2024, presenting seven legal pleas alleging that the EDPB had overreached and violated Meta's fundamental rights. The General Court subsequently ruled that the opinion could not be subjected to judicial review - a procedural finding rather than a ruling on the merits. Meta then appealed that ruling, with the appeal published on 25 August 2025. The litigation continues, meaning the legal status of the EDPB's opinion remains subject to ongoing proceedings at EU court level.
In parallel, noyb, the privacy advocacy group, filed a lawsuit in August 2024 against the Hamburg Data Protection Authority after the authority approved a "pay or okay" consent system used by German news magazine DER SPIEGEL. That case highlighted how enforcement of GDPR rules on consent models can vary significantly across member state authorities - a divergence that the forthcoming EDPB general guidelines are intended to address.
What the model looks like technically
From a technical standpoint, the Schibsted model is a variant of what is widely referred to in the digital advertising industry as a consent or pay (CorP) framework. Users are presented with a consent management interface - typically at login or on a dedicated settings page - where they must make an active choice. The two options are: consent to data processing for personalised advertising, or pay a recurring monthly fee to withhold that consent.
In Schibsted's implementation, the fee is 39 kroner per month, charged in addition to the existing subscription. This additive structure is relevant from a GDPR perspective. A user who already pays for a subscription is then asked to pay again, purely for the purpose of exercising a data protection right. The GDPR does not explicitly prohibit this construction, but as Datatilsynet notes, it can create a situation where exercising a legal right carries a direct financial cost - which bears directly on whether the resulting consent meets the "freely given" standard of Article 7 GDPR.
Research cited in the broader context of pay-or-okay systems across European publishers shows that when users face payment as the only alternative to consent, consent rates reach approximately 99 to 99.9 percent. By contrast, academic research suggests that only 0.16 to 7 percent of users genuinely want personalised advertising. This statistical gap is precisely what regulators and privacy advocates argue demonstrates the absence of meaningful choice.
Implications for digital advertising and publishing
The Schibsted case is particularly relevant for digital advertising professionals and publishers operating under the GDPR. It illustrates a model that several European publishers have adopted or considered: using subscription paywalls not to fund content directly, but to monetise the consent choice itself. The 39-krone figure is not arbitrary - it represents a calculation about what the advertising revenue from a consenting user is worth, translated into a fee for users who decline.
European trade associations including IAB Europe and eight other digital advertising bodies submitted feedback to the EDPB in January 2025 defending consent-or-pay models, arguing that market competition naturally incentivises reasonable pricing and that such models offer genuine user autonomy. The associations maintained that between 10 and 50 percent of users leave services without selecting either option - which they interpreted as evidence of real choice. Datatilsynet's response to the Schibsted model suggests Norwegian authorities find that argument insufficient, at least where the user base has limited practical alternatives.
The EDPB's 2024-2025 work programme included development of guidelines specifically on consent-or-pay models, alongside work on anonymisation, children's data, and legitimate interest. Those guidelines, once finalised, will apply across all categories of services - not just large platforms. For publishers of any size operating across the EEA, that guidance will be determinative. In the meantime, the Norwegian case provides a concrete reference point for how national regulators are approaching the issue under existing GDPR standards.
The EDPB's 2025 annual report, published in April 2026, recorded over 1.14 billion euros in GDPR fines issued by national data protection authorities across Europe during 2025. Enforcement intensity is increasing. Against that backdrop, Datatilsynet's public statement about Schibsted is less a warning shot than an opening position in what may become a formal enforcement process.
Children and vulnerable users
One element of Datatilsynet's statement that has received less attention is the specific reference to children and young people. Coll's statement explicitly identified this group as being at heightened risk from the pay-or-okay structure, not only because they are less likely to have the financial means to pay, but because they may lack the capacity to seek or identify privacy-friendly alternatives.
The GDPR affords children enhanced protections in specific contexts - notably, Article 8 sets conditions for processing children's data in relation to information society services. Schibsted's publications are not exclusively or primarily directed at minors, but any general-interest news platform will have some portion of its audience that is young. How a consent-or-pay model operates when the user is under 18, or financially dependent, is a question Datatilsynet has flagged without yet resolving.
Timeline
- April 17, 2024 - The EDPB adopts Opinion 08/2024, finding that most consent-or-pay models do not constitute valid GDPR consent; the opinion was requested by Norwegian, Dutch, and Hamburg authorities
- June 27, 2024 - Meta files an action for annulment against EDPB Opinion 08/2024 at the General Court of the European Union
- August 1, 2024 - noyb files a lawsuit against the Hamburg DPA over its approval of DER SPIEGEL's pay-or-okay system
- October 8, 2024 - EDPB adopts its 2024-2025 work programme, including development of general guidelines on consent-or-pay models
- January 16, 2025 - IAB Europe and eight other trade associations submit feedback to the EDPB defending consent-or-pay models
- January 26, 2025 - The UK Information Commissioner's Office confirms publishers can use consent-or-pay models under strict conditions
- June 17, 2025 - noyb files lawsuits against German data protection authorities over four years of inaction on pay-or-okay complaints
- July 24, 2025 - noyb releases a comprehensive report finding that pay-or-okay systems achieve consent rates of 99 to 99.9 percent across European publishers
- August 25, 2025 - Meta publishes an appeal against the General Court ruling that EDPB Opinion 08/2024 could not be reviewed judicially
- April 9, 2026 - EDPB publishes its 2025 Annual Report, recording 1.14 billion euros in GDPR fines across Europe during 2025
- April 30, 2026 - Datatilsynet publishes a statement criticising Schibsted's 39-krone monthly privacy fee applied to Aftenposten, VG, and Bergens Tidende subscribers
Summary
Who: Datatilsynet, the Norwegian Data Protection Authority, directed by Line Coll. Schibsted, the Scandinavian media group that publishes Aftenposten, VG, and Bergens Tidende. Tobias Judin, head of Datatilsynet's international section. The European Data Protection Board (EDPB), as the regulatory body whose opinion provides the legal framework.
What: Datatilsynet published a critical statement on 30 April 2026 responding to Schibsted's practice of charging subscribers an additional 39 Norwegian kroner per month if they decline to consent to the use of their personal data for personalised advertising. The regulator raised concerns that the model may not meet the GDPR standard for freely given consent, that it risks making data protection financially inaccessible for lower-income users, and that it could create particular pressure on children, young people, and other vulnerable groups.
When: Schibsted informed subscribers of the new arrangement during the week of 28 April 2026. Datatilsynet published its response on 30 April 2026. The underlying regulatory framework - EDPB Opinion 08/2024 - was adopted on 17 April 2024.
Where: The immediate context is Norway, where Datatilsynet holds supervisory authority under the GDPR as applied in the European Economic Area. The broader regulatory process is EU-wide, managed through the EDPB, which is developing general guidelines on consent-or-pay models applicable across the EEA.
Why: Datatilsynet's concern is that placing a financial cost on declining consent creates conditions under which consent is not genuinely voluntary, particularly for users with limited financial means or no practical alternatives to Schibsted's publications. GDPR Article 7 requires consent to be freely given, and the regulator considers a binary choice between paying and consenting to fall short of that standard in many cases. The statement also reflects a wider regulatory effort, coordinated through the EDPB, to establish consistent enforcement of GDPR consent rules across all types of online services.