About this guidance

Latest updates - last updated 23 January 2025

23 January 2025 - this guidance was published

At a glance 

  • We intend this guidance to provide clarity and advice for any organisation currently operating, or considering, a “consent or pay” model in the UK.
  • “Consent or pay” models present people with a choice. People can: 
    • consent to you using their personal information for personalised advertising to access an online product or service; 
    • pay a fee to access the product or service, with you not using their information for personalised advertising; or 
    • decide not to use the product or service. 
  • If you are implementing a “consent or pay” model, you must make sure that you are able to demonstrate people have freely given their consent for personalised advertising under the “consent or pay” model. This guidance sets out a framework of factors that are important to consider when assessing whether your “consent or pay” model meets the standard of consent. This reflects and builds on existing UK GDPR standards and ICO guidance. 
  • You must document an assessment of your “consent or pay” model as part of your data protection impact assessment (DPIA). Your assessment should consider the data protection principles set out in the UK GDPR as well as the factors in this guidance and other relevant ICO guidance. 

In detail  

What do you mean by consent or pay? 

“Consent or pay” refers to a business model for funding online products and services. This model gives people a choice to:  

  • consent to an organisation using their personal information for personalised advertising in order to access a product or service (“consent to personalised advertising”); 
  • pay a fee to access the product or service and avoid their personal information being used for personalised advertising (“pay to avoid personalised advertising”); or 
  • leave or decide not to use the product or service. 

Personalised advertising is a method of delivering advertising that is targeted to people based on profiles created about them. These profiles are usually based on:  

  • Provided data: information people intentionally provide to the product or service (eg providing information about age, gender or interests when signing up to a service).
  • Observed data: information gathered through observing or tracking a person’s activity whilst using the product or service; their activity across other online products or services; or activity on their device.
  • Inferred data: additional information about the person which is not directly volunteered or observed but is inferred, such as their interests or behaviour.

Are “consent or pay” business models compliant with data protection law?

“Consent or pay” models can be compliant with data protection law if you can demonstrate that people can freely give their consent and the models meet the other requirements set out in the law. This guidance provides a set of factors to assess whether people can freely give their consent or not in the context of a “consent or pay” model. 

You must document your assessment and be able to justify how your “consent or pay” model is compliant with UK GDPR and the Privacy and Electronic Communications Regulations (PECR), taking into account the factors set out in this paper. 

Why have you produced this guidance?

We have observed the emergence of “consent or pay” models elsewhere and, more recently, in the UK. This has happened in the context of regulatory activity in the UK and abroad, industry developments and changing expectations of consumers. 

Any business practice involving the processing of personal data, including the funding model, must comply with data protection law. Where organisations are relying on consent as a lawful basis for processing people’s personal data, they must be able to demonstrate that people have freely given their consent. We have published detailed guidance on consent which organisations should take into account when they rely on this lawful basis for processing people’s personal information. 

The emergence and prevalence of “consent or pay” models has raised questions about whether and how people can freely give their consent in this context.

We published a call for views in March 2024 to hear from consumers and other market stakeholders about “consent or pay” models. We explained that data protection law does not prohibit “consent or pay” business models. However, organisations considering these models must ensure people have freely consented to personalised advertising under these models and that they are fully informed. People also needed the option to withdraw consent without detriment. We set out four factors that organisations should consider when assessing whether people could freely give their consent. We also asked for views on the approach which informed the development of this guidance.

We are aware that the emergence of “consent or pay” models has provoked an often-polarised debate among stakeholders. We have considered and taken into account the range of different views expressed in producing this guidance. 

We recognise that the right to the protection of personal data needs to be balanced against other rights, such as the right to conduct a business. Organisations should be able to conduct business and monetise products or services with the funding models that best suit them. This recognises the fact that there is no obligation for providers of online services to offer their services for free. However, organisations must conduct their processing in line with data protection law. We also want to empower members of the public to confidently participate in a thriving and sustainable digital economy. When enjoying the benefits of online services, people should be confident that organisations will protect their information and comply with the law.

How are “consent or pay” models different from the “take it or leave it” approach?

“Take it or leave it” approaches require people to “agree” or “accept” data processing for personalised advertising before they can access a product or service. Under a “take it or leave it” approach, if a person does not accept this processing, they cannot access the service at all. In most cases, the “take it or leave it” approach does not comply with the requirement for consent to be freely given. This is because you must provide the user with a genuine free choice. You must not bundle consent to personalised advertising as a condition of accessing a product or service, unless the processing is necessary for that service (see our consent guidance and our draft guidance on the use of storage and access technologies for further information).

Bundled access and “consent or pay” models

“Consent or pay” models differ from a “take it or leave it” model, as the presence of a “pay” option means that accessing the service is not solely conditional on people providing consent. This can, providing the model meets the factors in this guidance, enable people to make a meaningful choice.  

However, the “pay” option may introduce a separate issue. Where a fee is presented as an alternative to consent, it has the effect of combining:

  • access to the core product or service without personalised advertising; and
  • not sharing personal data for the purposes of personalised advertising.

When the only alternative to consent is paying a single price which combines access to the core product with a fee for avoiding sharing personal data for the purposes of personalised advertising, it can be difficult to demonstrate freely given consent. You can find further details on this in the power imbalance and appropriate fee chapters. 

Organisations can offer additional options to access the product or service alongside the “consent or pay” options, for example:

  • Access to the product or service that does not require people to consent to personalised advertising or pay to avoid personalised advertising. This may include access to the service with contextual advertising where advertising is targeted based on the content of the page the user is currently viewing.

  • Offering a menu of options including different premium subscription tiers with additional features, as well as the “consent” and “pay” options. 

You can read further details about these options in the power imbalance, appropriate fee and equivalence chapters. 

Who is this guidance for?

We intend this guidance to provide clarity and advice for any organisation currently operating, or considering, a “consent or pay” model in the UK. 

How is this guidance structured?

This guidance sets out our position on “consent or pay” models. It confirms and builds upon the four factors set out in our call for views. We explain how each of these factors is relevant to an assessment of whether people can freely give consent in the context of your “consent or pay” model. You should consider these factors in the round in your assessment. Further information about how to use these factors to support your assessment is detailed below. The four factors are:

  • Power imbalance: Is there a clear power imbalance between you and the people using your product or service? It’s unlikely that people can freely give their consent if they have no realistic choice about whether or not to use the service. You should especially consider existing users of your product or service under this factor.
  • Appropriate fee: Have you set an appropriate fee for accessing your service without personalised advertising? It’s unlikely that people can freely give their consent if your fee is inappropriately high, making it an unrealistic choice.
  • Equivalence: Is your core service broadly equivalent in the products and services offered where people consent to personalised advertising and where people pay to avoid personalised advertising? You can include additional perks or features in either service, however you should provide an equivalent core service across all options to ensure that people have a free choice.
  • Privacy by design: Do you present the choices equally to people, with clear, understandable information about what each choice means and what they involve? People cannot freely give their consent if they are uninformed about the available options or have their choice influenced by harmful design practices.

This guidance sets out our expectations of how organisations should assess a “consent or pay” model against these factors to determine whether people can freely give their consent. 

This guidance draws on existing ICO positions relevant to online advertising such as:

You should read this guidance alongside relevant ICO publications.

In this guidance, we say what organisations must, should and could do to comply with data protection law. Must refers to a legal requirement in legislation or binding case law. Should is not an explicit legal requirement, but what we expect you to do to comply effectively with the law. If you take a different approach, you’ll need to demonstrate how that still complies with the law. Could refers to an option or good practice example you could consider to help you comply. 

How should we use this guidance to demonstrate our compliance?

You must be able to demonstrate that people can freely give their consent against the requirements of valid consent under UK GDPR. You should assess your current or proposed “consent or pay” model in the round, taking into account all four of the factors set out here. No single factor can determine whether a “consent or pay” model has met the requirements for valid consent. 

Your assessment will help you to either demonstrate that your model enables valid freely given consent or help you to identify additional steps you should take to ensure that people are freely giving their consent. You should keep your assessment under review and reflect any changes in circumstances.

If you can show that you have met the factors in this guidance, this will help you to demonstrate that people are freely giving their consent and your “consent or pay” model meets the requirements for valid consent.

If your assessment identifies that you are not meeting the expectations set out in this guidance, it’s less likely that your model meets the standard for freely given consent. You must be able to demonstrate that your model still enables freely given consent. If this isn’t possible, you will need to reconsider your model to demonstrate your compliance.

If you identify a clear power imbalance between you and the people who use your product or service, this will have significant implications for your assessment. It will also affect the additional steps you will likely need to take to demonstrate your “consent or pay” model complies with data protection law. Where this is the case, you should take steps to ensure people have a meaningful choice. For example, providing users with an alternative option to accessing your product or service which does not require people to “consent” or “pay” (eg offering a service with contextual advertising). 

You should demonstrate that your fee is appropriate. This will be even more important where there’s an imbalance of power, as people may not have a genuine and free choice to leave your service or not to use it.

You should demonstrate that you offer a broadly equivalent product or service to people across both the “consent” and “pay” options. If you cannot demonstrate equivalence, it will be difficult to show that people have a genuine free choice between consent and pay options. You should reconsider your model to ensure that you offer an equivalent service. 

You must always ensure that you comply with your privacy by design obligations. This will help you to demonstrate that consent meets the legal standards under data protection law.

You must document this assessment to demonstrate your compliance as part of your data protection impact assessment (DPIA). Article 35 of the UK GDPR says that organisations must carry out a DPIA for any type of processing likely to result in a high risk to people’s rights and freedoms. Personalised advertising often involves processing ‘likely to result in high risk’. This guidance includes steps you can take to support you to make this assessment.

Your assessment should also consider the data protection principles set out in the UK GDPR and other relevant ICO guidance. We will consider the factors in this guidance if we assess whether a “consent or pay” model is compliant with the law. We have provided two case studies which may support your assessment.

What does the law say?

Article 5 of the UK GDPR sets out the overarching data protection principles. The first principle is that the use of personal data must be lawful, fair and transparent. Organisations must identify a lawful basis for their processing. Article 6 sets out six potential lawful bases, one of which is seeking consent for processing.

Freely given consent

For consent to be valid, it must be freely given. Article 4(11) of the UK GDPR defines consent as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Article 7 also sets out further ‘conditions’ for consent that organisations must follow, with specific provisions on:

  • keeping records to demonstrate that people have given their consent;
  • the prominence and clarity of requests for consent;
  • the right for people to withdraw consent easily and at any time; and
  • ensuring that people do not have to consent to unnecessary processing as a condition for provision of a service.

The recitals in the UK GDPR provide further detail on what counts as ‘freely given’ consent. These are of particular importance for a “consent or pay” model:

“Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

Recital 43 explains:

“In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller.”

The phrase “without detriment” means that people should not be unfairly penalised if they refuse or withdraw consent. It does not mean that consent should not be regarded as freely given if there is any level of negative consequence. Therefore we use the term “unfair penalty” in this guidance. You can find more detailed information about consent in our guidance on consent. We refer to existing ICO guidance where relevant below.

Regulation 6 of PECR says that organisations must have consent before using storage and access technologies (such as cookies or similar technologies) on people’s devices. The combined effect of this legislation is that organisations must obtain valid consent to deliver personalised advertising that relies on these technologies.

Other relevant aspects of data protection law for this guidance include:

  • You must ‘bake in’ data protection when designing your services under article 25(1). The design and presentation of options is key to compliance for “consent or pay” models.
  • You must also be able to demonstrate your compliance with the principles of data protection law as part of article 5(2) UK GDPR. 

The right to object to direct marketing 

Articles 12 and 21 UK GDPR make clear that, if you process personal data for the purposes of direct marketing, you must demonstrate that people can exercise their right to object free of charge. If they do object, you must stop using their data for direct marketing. Our guidance explains that the definition of direct marketing includes processing for personalised advertising purposes.

In the context of “consent or pay” models, the right to object to direct marketing can operate in the same way as withdrawing consent to personalised advertising. 

What about other areas of law?

Organisations will also need to consider other legal requirements relevant to “consent or pay” models, including: 

  • consumer law;
  • competition law; and
  • the UK’s new digital markets competition regime, under the Digital Markets, Competition and Consumers Act 2024. 

This guidance may refer to other sources of law but it does not provide a view on compliance with those laws.

Can we offer consent or pay models to children?

If children use or are likely to access your product or service, you should give particular consideration to how a “consent or pay” model may impact them. Children merit special protection with regard to their personal information. They may lack financial independence or have a more limited understanding of what different processing activities mean for them. This may impact a child’s ability to provide freely given consent, which you must be able to demonstrate.

Where your product or service is offered to children under the age of 13 (the UK’s age of digital consent), you must consider article 8 UK GDPR. Where you are seeking consent for processing from children under 13, you must obtain parental consent. Where you are relying on children’s consent, you will need to implement effective age assurance measures and make reasonable efforts to verify parental responsibility for those under the relevant age.    

Standard 12 of our Children’s code (also known as the Age Appropriate Design Code) on Profiling sets out that you should switch profiling for children ‘off’ by default, including for the purposes of personalised advertising. This applies unless the service can demonstrate a compelling reason to keep profiling on by default, considering the best interests of the child. You should always provide a privacy setting for personalised advertising which is used to fund a service but is not part of the core service that the child wishes to access. In most cases, the funding model will be distinct from the core service and so should be subject to a privacy setting that is ‘off’ by default. Conforming with the standards in the code will help you to demonstrate compliance with data protection law.