This call for views sets out the ICO’s emerging thinking on “consent or pay” business models. It should not be interpreted as confirmation that such an approach is legally compliant.
In recent months there has been a growing debate about ad-funded online business models. This is happening in the context of regulatory activity in the UK and abroad, industry developments and changing expectations of consumers.
As part of this, some businesses are considering giving people a choice between accessing online services without payment if they consent to their personal information being used for personalised advertising or, if they refuse this consent, having to pay to access that service. This type of access mechanism is typically known as “consent or pay”, or “pay or okay”.
We understand that businesses want regulatory certainty to help them not just ensure they’re complying with the law, but also to guide their investment decisions. So, we want to provide an initial view on this model and the kinds of things that organisations considering it should take into account.
You can respond to this call for views using the survey or by emailing us at [email protected]. Please share your thoughts with us before the consultation deadline of 17 April 2024.
What does the law say about “consent or pay”?
Data protection law allows for a wide range of different approaches and business models. It balances fundamental rights like the right to privacy with other rights, like the freedom to conduct a business.
As our guidance says some types of access mechanisms aren’t likely to comply with expectations in data protection law for consent to be ‘freely given’. For example, where they don’t provide people with a free choice about whether to receive personalised ads. This can be the case with cookie walls that deny access to a service unless users consent to personalised ads.
In principle, data protection law does not prohibit business models that involve “consent or pay”. However, any organisation considering such a model must be careful to ensure that consent to processing of personal information for personalised advertising has been freely given and is fully informed, as well as capable of being withdrawn without detriment.
What do organisations need to consider?
The issues that “consent or pay” touches on are complex and we continue to develop our position in this area, taking account of regulatory and industry developments in the UK and other jurisdictions. We’ll expand on our thinking later this year when we consult on updated guidance on cookies and similar technologies.
In line with our 2021 Commissioner’s Opinion on online advertising, we'll be looking at “consent or pay” proposals in terms of how organisations:
- ensure what they want to do is focused on people’s interests, rights and freedoms;
- evidence that people are fully aware of what happens when they interact with an online service; and
- show that people are making informed, free choices about whether to engage or not.
As a starting point, we expect organisations thinking about a “consent or pay” model to consider a range of factors when assessing whether it will provide valid consent for personalised ads in the relevant context. These factors are non-exhaustive and we welcome feedback on our approach.
Power balance
To what extent is there a clear imbalance of power between the service provider and its users? Consent for personalised ads is unlikely to be freely given when people have little or no choice about whether to use a service or not, which could be the case when they are accessing a public service or the service provider has a position of market power.
Equivalence
Are the ad-funded service and the paid-for service basically the same? For example, if a service provider offers a choice between personalised ads and a ‘premium’ ad-free service that bundles lots of other additional extras together, then this wouldn’t be the case.
Appropriate fee
Is the fee appropriate? Consent for personalised ads is unlikely to be freely given when the alternative is an unreasonably high fee. Fees should be set so as to provide people with a realistic choice between the options, with the provider capable of providing objective justification of the appropriateness of the level.
Privacy by design
Are the choices presented fairly and equally? This means giving people clear, understandable information about what the options mean for them and what each one involves (see below). Consent for personalised ads is unlikely to be freely given when people don’t understand how their personal information is being used or that they can access the service without having to agree to the use of their personal information.
Organisations need to give special consideration to the treatment of existing users of the service, who may understand the organisation’s current approach and use the service extensively in their daily lives. This may lead to a difference in power balance (for example, users may find it hard to switch) or have implications for how choices are presented.
What do organisations using “consent or pay” need to tell people?
Remember, when an organisation relies on consent it must be able to demonstrate that it’s valid. There must be no room for any doubt that people have been properly informed about what will happen with their personal information and what this means for them.
This means organisations must inform people about how they (and any other organisations they work with) intend to use their personal information as payment for the service they receive – as well as what it means if they decide to say no, now or in the future.
Being upfront and honest with people about what happens to their personal information when they use the service is a good thing. It will build their trust and confidence in what the organisation is doing and how it protects people’s personal information.
What if people later want to withdraw consent?
The UK GDPR gives people a specific right to withdraw consent. Organisations need to tell people about this, and offer them easy ways to withdraw consent at any time. Remember, it must be as easy for people to withdraw consent as it is to give.
Organisations must also ensure people can withdraw their consent without detriment. Where people decide to withdraw consent organisations will need to make sure that this is communicated to other organisations that they have shared people’s personal information with.
Call for views
The ICO is consulting on key data protection issues in relation to “pay or okay” advertising models. Your responses will help us develop our final regulatory positions on these models which will be reflected in the ICO’s upcoming guidance update on cookies and similar technologies.
This survey is split into two sections:
- Section 1: Your views on our proposed regulatory approach
- Section 2: About you and your organisation
The call for evidence will remain open until 5pm on 17 April 2024. We may not consider responses received after the deadline.