In the digital era, one of the most significant changes in the IoT world is the popularity of digital subscriptions, where service providers upload encrypted service information to the cloud for sharing. In practice, the untrustworthy service providers may intentionally leak their private keys used to encrypt service information (for profits), allowing unauthorized subscribers to enjoy valuable service. The malicious behavior described above has become a severe obstacle to the widespread application of IoT-based digital subscriptions. To address this issue, we propose a fine-grained and sanitizable access control system (FSAC), in which service information could only be accessed by authorized subscribers. To thwart potential threats from malicious service providers, we design a sanitizable mechanism to transform the original ciphertext, ensuring that a subscriber is unable to decrypt the sanitized ciphertext solely using the leaked key of the service provider. For resource-constrained IoT devices, we further extend FSAC with outsourced decryption (FSACO) that relieves subscribers from the burden of decryption. In particular, FSACO allows subscribers to perform two exponentiation operations rather than time-consuming paring operations (as that in FSAC) to decrypt sanitized ciphertext. We conduct rigorous security analysis of our systems and demonstrate their efficient performance through extensive experiments. Specifically, the enhanced system FSACO has a minimum decryption time of approximately 0.08 ms.