You may have recently encountered websites, most frequently news websites, that present you with a pop-up message before you can read what is on them. This pop-up message will ask you to ‘pay to remove ads’ or ‘read for free with ads’ (or otherwise state that if you want to read the content you need to accept personalised advertising).
The Information Commissioner’s Office (ICO) has recently issued guidance on this ‘consent or pay’ model, addressing concerns that some businesses may be forcing their website users to choose between sharing their personal data and paying a fee in order to access their online services.
This guidance aims to help businesses that currently use – or are considering adopting – this model to ensure compliance with UK data protection laws.
In this blog, we will break down the ICO’s guidance and what it means for businesses.
What is ‘consent or pay’?
Simply put, ‘consent or pay’ is a business model that offers website visitors a choice: they can either access online services for free by agreeing to the use of their personal data for personalised advertising or opt out of having their data used for personalised advertising by paying a fee to access these services.
Personalised advertising relies on collecting user data – such as browsing history, location and interests – to deliver targeted adverts. This data is often gathered through cookies: small text files that are downloaded onto a user’s device when they visit a website.
Many online businesses depend on this model for revenue. However, if users decline tracking, businesses lose valuable data, which can potentially impact their advertising revenue. To mitigate this, some businesses have introduced the ‘consent or pay’ model as a way to balance user privacy preferences with their revenue needs.

Is ‘consent or pay’ legal?
Potentially, yes.
While UK data protection laws do not explicitly prohibit the ‘consent or pay’ model, businesses must ensure their approach aligns with legal requirements, particularly UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR). Under these regulations, businesses implementing a ‘consent or pay’ model must adhere to key data protection principles discussed further below.
Legal background
Freely given consent: Why does it matter?
Businesses can process personal data if they have one of the legal bases for such processing. If a business chooses to rely on consent as the lawful basis for processing personal data, it must meet the requirements set out in Article 7 and Recital 32 of the UK GDPR.
Under UK GDPR, for consent to be valid, it must be:
- Freely given.
- Specific and informed.
- Unambiguous.
A key requirement is that consent must be freely given – it cannot be forced, manipulated or obtained through undue pressure. This principle ensures that individuals have genuine control over their personal data and can make informed decisions without feeling forced to consent to their personal data being processed.
The rise of the ‘consent or pay’ model has sparked significant debate over whether users truly have a genuine choice in these scenarios.
While, in theory, users can either consent to personalised advertising (and therefore processing of their personal data for the purposes of personalised advertising) or pay for access to the service (without the processing), the reality may be more complex.
If the paid alternative is unreasonably expensive or if there are no real alternatives to the service, users may feel they have no practical option but to consent – raising concerns about whether that consent (to have their personal data used for personalised advertising) is truly voluntary.
If a business’ approach is found to pressure users into consenting, it may not meet the standard of freely given consent. This is one of the key points the ICO’s guidance is trying to address (see below).
How does PECR apply?
PECR regulates the use of cookies and similar tracking technologies. Under PECR, all businesses must obtain valid user consent before setting non-essential cookies. Users must actively agree to tracking before any personalised advertising cookies are placed on their device. Pre-ticked boxes or providing information about cookies in a privacy policy that is rarely read do not meet this standard.
Whether such consent is valid under PECR in respect of the ‘consent or pay’ model is equally the subject of the ICO’s guidance.
Key takeaways from the ICO’s guidance
The guidance sets out what businesses must, should and could do to comply with data protection laws when using the ‘consent or pay’ model.
‘Must’ refers to a legal requirement. ‘Should’ is what the ICO would expect, but different approaches are welcome as long as the business can still demonstrate compliance with the laws. ‘Could’ refers to good practice that could help businesses comply with the laws.
The guidance is built around 4 key factors:

- POWER IMBALANCE
This factor refers to the relationship between a business and the individuals whose personal data is being processed. Elements such as reliance on the service can create situations where users feel they have no real choice but to consent to personalised advertising in order to access the service. This dynamic makes it challenging to prove that consent is freely given and voluntary.
To address this, businesses should consider offering alternative access options, such as contextual advertising, ensuring users have a genuine choice and are not unfairly pressured into consenting.
Contextual advertising is essentially non-personalised advertising. Rather than the advert being changed to match the profile of the user, contextual advertising is typically only relevant to the content being viewed (so it is not targeted but ideally still relevant).
If the business employs the ‘consent or pay’ model, it must demonstrate that users have freely given their consent to personalised advertising, meaning they have a genuine choice. To do this, businesses should carry out an assessment of whether there is a power imbalance, document this assessment and keep it under review.
The business should consider its position in the market and how much people rely on its service or whether they will suffer detriment if they refuse to consent. Special consideration should be given to existing users of the website if the business is introducing this model later on, to ensure they do not suffer detriment, such as switching costs, as a result. For example, someone who uses social media to connect with customers may face difficulties rebuilding the same network.
If the result of the assessment is that there is a risk of power imbalance, this should be taken into account and addressed to ensure people are still able to freely give their consent.
- APPROPRIATE FEE
An appropriate fee refers to an amount at which it is possible for users to genuinely choose between consenting to personalised advertising or paying a fee to avoid it. The appropriate fee is the value associated with not sharing personal data for personalised advertising.
When assessing the fee, the size of the business, market position and nature of processing should be taken into account.
If the business cannot demonstrate that the fee is appropriate and allows for a genuine choice, users may feel pressured to consent simply to avoid the fee.
This undermines the notion of freely given consent, making it harder to demonstrate compliance.
- EQUIVALENCE
Equivalence means that the business should offer essentially the same core service under the ‘consent’ and the ‘pay’ option. It does not have to be identical.
To assess this, the business should identify what this core service is and then should be able to demonstrate that both the ‘consent’ and the ‘pay’ options provide this core service which is equivalent and of the same quality.
The business can offer features additional to the core service in the ‘consent’ or ‘pay’ options as long as they do not change the nature of the core service.
The reason why equivalence is relevant is that if a paid-for version of the website is worse than if the user had given consent, then the user would likely feel pressure to give consent in order to access the better version of the website.
If the business is unable to demonstrate equivalence, it should reconsider what it is offering to ensure it is providing an equivalent service.
- PRIVACY BY DESIGN
In the context of the ‘consent or pay’ model, privacy by design means ensuring that user privacy is a core consideration from the outset, rather than just an afterthought.
This involves presenting the ‘consent’ and ‘pay’ options in a way that is compliant with privacy by design requirements set out in the UK GDPR. This also feeds into the requirements under PECR.
Before implementing the ‘consent or pay’ model, businesses must update their existing data protection impact assessment (DPIA) to cover the use of advertising technologies and personal data processing. If a DPIA has not yet been conducted, a new assessment must be carried out to ensure compliance with UK GDPR.
A privacy by design approach ensures users have a meaningful choice and control over their personal data. This includes:
- Clear presentation of options. Users must fully understand the difference between ‘consent’ and ‘pay’, with transparent labelling and accessible information on data processing. It is also an express requirement of PECR to provide ‘clear and comprehensive’ information to individuals before they consent.
- Avoiding harmful design practices. Deceptive or coercive tactics (such as misleading wording) must be avoided to ensure consent is freely given.
- Ensuring specific and granular consent. Consent for personalised advertising must be separate from other data uses like content personalisation or analytics, ensuring users retain control over their information.
- Making refusal easy. Users should be able to decline consent just as easily as they accept it, without undue pressure or negative consequences.
- Allowing users to leave the service easily. If a user does not wish to consent or pay, they should have a clear and straightforward exit option.
Businesses could also conduct user testing to assess how effectively their design allows users to understand their choices and data protection rights.
Conclusion
The ICO’s guidance highlights the complexities of the ‘consent or pay’ model, emphasising that businesses must carefully balance privacy rights with commercial interests.
While this approach is not automatically illegal, it must be implemented in a way that ensures consent remains freely given, fees are reasonable and users have a genuine choice in order to comply with the UK GDPR and PECR.
If you need assistance reviewing your business’ policies, conducting a DPIA or advice on this ICO Guidance or data protection more generally, please contact our data protection specialists Neil Williamson, Colin Lambertus or Howard Ricklow.