You don't know that because no one is given a clear choice like you present (and even saying "data" is opaque to joe average user). And this is what regulations like EU's and CA's should be enforcing. Imagine if the choice was: We have this data about you (a comprehensive list of all the fruits of our creepy stalking: a,b,c,d, etc...), if you let us violate your privacy in a myriad of ways, we will let you have this little trinket for free. Otherwise, it will cost you x. How many people would select privacy violation?

>Most people don't expect to get things for free in the real world, why should the internet be any different? Why does everyone (myself included) always look for free stuff on the internet?

Most of the internet is communication in some form or another. I get a lot of communication for free in the real world. My question is: why does everyone assume that the purpose of the internet is their platform to get rich selling trinkets to clueless natives? Maybe some things are better off run as a non-profit?

Unfortunately under the GDPR we are not going to find out how many people would choose this option. It isn't legal, in the EU, to refuse someone access if they say no to your data collection.

Especially because I bet so many of those sites would set X to be much higher than the value of the data.

From your link, almost at the top: "The cookie wall is a mechanism where the user has only one option to access the website: accept the processing of the cookies. The cookie wall is prohibited.". So no, requiring users to agree to data collection, per your article, is prohibited.

The article makes a distinction between cookie wall (accept or no access) and paywall[1] (accept or pay). The former is prohibited, the latter has been okay'd by several national DPAs.

> The Austrian, French and Danish DPAs have already indicated that the paywall system is a valid solution as long as the subscription to the site has a modest and fair cost so that it does not constrain the user’s free choice.

> The Spanish DPA indirectly shared its position implying that cookie walls can be used as long as the user has been clearly informed of the two available options for accessing the service: 1. accepting the use of cookies; or 2. another alternative, “not necessarily free of charge“, that doesn’t require giving consent to cookies.

[1] Not to be confused with the "hard" paywall (pay or no access) we see on some publications. They've just called it like that for lack of a better term.

Have some trusted organization or group (like Google or Mozilla themselves) who run audits on extensions to "certify" they don't have any malware. Additionally, the extensions are all 100% open-source, so if the "trusted organization" is compromised (or just bad at their job), they'll get caught and people will stop using them.

This isn't foolproof. Adware can be hidden from even the auditor or the auditor can be compromised but nobody finds out. It's also expensive and time-consuming, especially for extensions with a lot of complex code, so many popular extensions which perfectly-fine are still not certified. Updates are delayed and discouraged because the diff always has to be audited as well. Lastly (and something which can easily be overlooked), the auditors can be biased towards approving some extensions (like those who pay them) while not approving others: extensions code won't be approved if their code is too hard to read or they are later in the review queue, but the line at which code is considered "too hard to read" and their position in the queue could easily be influenced by cash.

Nonetheless, web extensions are a good type of software to audit, compared to other software like apps. They're often much smaller and simpler, users need much less, and they operate in a very-trusted domain (all web browing, including in banks and other confidential sites. Compare this to apps on a sandboxed phone, or programs running in user mode on a computer, the damage is still there but it's much less)

And it works. At least to keep the worst off Apples App Store. Mostly. Googles play store is apparently much more linient. And contains lots of horrible apps.

But the costs, as you mention, are real too. So much, that many, including myself, simply forego Apple as target at first. Sure, it's the more popular platform and it has more people willing to pay. But the review hurdles aren't worth it in the beginning.

In order for me to pay you, I at a minimum have to do some amount of mental gymnastics to convince myself that it's worth it for me to pay you. This has a perceived cost even if the money spent is trivial. This is why people who take money in small increments - i.e. mobile games, arcade operators, casinos, and so on[0] have you buy a large amount of some scrip that they control, and then make it so easy to spend it that you might accidentally do so.

Nobody is thinking "I'd buy this, but only if I can leave no record of ownership[1]", they're thinking, "is it actually worth buying". Identity and privacy isn't a thing that people actually account for when making purchases - mostly because it's never actually mentioned[2] in the terms of purchase. It's snuck in. So the choice is just "the free one" and "the $2 one", where the value of the $2 extension can never hope to overcome the mental transaction costs.

[0] Nintendo and Microsoft used to do this around the Wii and 360 eras. While on the Wii it was 1 point equals 1 penny/yen, Xbox did something nasty and made it 80 points equals 1 dollar.

[1] That would mean that setting up a new computer or browser profile loses you all your existing extensions that you paid for.

[2] I do not consider legal disclaimers to be adequate notice, and neither should you. Dropping a clause in a EULA is the equivalent of dropping rohypnol in your drink.

And also unlike cash a service can keep billing you.

And, for better or worse, the risk is partially put on the business in the form of increased cost (or payment service denial) when a credit card transaction is considered too risky (charge backs).

Also there is a fair amount of friction to giving payment info than say pulling out your wallet or phone (but this is improving with “digital wallets”).

Even though many people assume it's this way, this choice hardly ever happens in practice. You allude to this yourself. In reality, the choices are usually between paying for something and they still sell your data, and getting it free and they really sell your data.

The majority of paid services have privacy policies, terms of service and user agreements that spell out how they sell data just as much. At best, you might expect that they are a bit more selective in who they sell to, since they're not as desperate for cash flow. However the impact to you is greater - they now have your credit card, address, full name, phone number (all vulnerable to hacks and leaks) and it's harder to lie about these things than with a free account. So the data they collect is more valuable, hence the temptation is higher as well.

Moreover, the paid services have consumer-hostile subscription systems rife with dark patterns. It's needlessly tedious to cancel a service if you decide you don't like it, and even free trials demand a credit card.

Transparency is very low about what is actually done with your money as well. Many services operate at a loss, and the customer charge is just a fig leaf while the real money comes from investors. Arguably, the paid model is a sham for some companies and their real exit is to collect data for a years and then get bought by some data aggregator. On the other end of the spectrum you have people fishing for suckers with ridiculously inflated prices.

For these reasons the choice of paying money is tainted by lack of trust, it is not just consumers being stingy and entitled. Lack of trust can quickly bog down any market.

I don't really blame the industry here, though. It's a bit like California in 1848 - you can hardly blame people for picking up the gold that's just lying around. The real problem is that we don't have the tools, infrastructure and regulatory frameworks that let users see and control how their data is used. If people really want to sell their data in lieu of payment, then let them. But currently, most users are not aware exactly what data gets collected and how much it is worth - they're not able to rationally decide that paying $5 for an app is better than being mined for $20 worth of your data.

When it comes to what people chose to do with their own data though I don't feel a moral obligation to push my views though. If they truly want to opt in and save the $20 (or however much the data is worth in the app) then taking that choice away because I disagree with how they should treat their privacy information is hardly much better than forcing them to because of the same reason. The main difference for me being whether or not I profit off it but, given choice in each case, that really doesn't matter to how the user weighs the situation.

+ track change of ownership

+ some distributed review system

+ better sandboxing

+ no forced autoupdates

+ A few other things

World of Warcraft has an in game ui addon modding system built in that ends up suffering from these same problems. It’s so damn frustrating to see addon developers sell out their fans to a super shady spyware company for like $3/month (and the alternative is $0)

I could understand betraying people for a life-changing amount of money, but £20 is 5-20 minutes’ worth of pay for a competent SWE…

From all the data I have, people will definitely pay for extension functionality, though lots of people will write negative reviews unfortunately.

I also use ExtensionPay myself in my own extensions and have found this to be true. I try to get the people who pay and have a good experience to write reviews since they’re so underrepresented in written reviews.