Privacy by design

At a glance

  • “Consent or pay” models must meet the standard for freely given consent. How you design and present the options in a “consent or pay” model must enable freely given consent and must be data protection compliant.
  • Before you implement a “consent or pay” model you must complete a DPIA or review and update any relevant existing DPIAs.
  • You must provide clear information about each of the options in your “consent or pay” model using concise, clear and plain language to enable people to make an informed decision.
  • You must avoid using harmful design practices when presenting people with choices.
  • You must limit your consent option to asking for specific consent for personalised advertising purposes. You must keep this separate from consent for other purposes.
  • You must give people an easy way to withdraw their consent and you must make this easily accessible on your service at all times.
  • Once a person withdraws consent, you must stop any processing based on consent as soon as possible. You must tell other organisations you disclosed that person’s information to about the withdrawal of consent.
  • Carrying out user testing of your consent mechanisms can help you to demonstrate that you are meeting your compliance obligations. 

In detail

Why is privacy by design relevant to “consent or pay”?

In order for your “consent or pay” models to be lawful, you must be able to demonstrate that people can freely give their consent. The way in which you present “consent” or “pay” choices to people can impact the validity of consent. If people are not appropriately informed about what the choices mean and their impact on data processing and data rights, consent will not be valid. PECR says you must provide clear and comprehensive information to people before they give consent.

You must implement specific data protection measures and safeguards into your model at the design stage to comply with your UK GDPR obligations under article 25(1).

What do you mean by “privacy by design”?

Data protection law requires you to integrate data protection considerations into every aspect of your processing activities. We call this “privacy by design”. In the context of “consent or pay” models, privacy by design is relevant to how you present the “consent” and “pay” options to people. How you design and present these options is key to ensuring people can provide freely given consent.

This means: 

  • giving people clear, understandable and neutral information about what the options are; 
  • explaining what each option means for processing a person’s data; and
  • showing people how they can exercise their data protection rights.

How should we approach privacy by design?

Due to the nature of the processing involved in personalised advertising, “consent or pay” models are likely to constitute high risk processing. Therefore, before you implement a “consent or pay” model, you must either review and update your existing DPIA covering your use of advertising technologies or conduct a new one. In particular, you should identify any risks arising from the “consent or pay” model and how you will mitigate them. 

Your approach should focus on ensuring people have meaningful choice and control over their personal information. You should consider your target audience and focus on your users’ experience. You could conduct user testing to understand your audience and demonstrate how your approach enables people to have meaningful comprehension and control. 

How should we present the options to people? 

You must present the “consent” and “pay” options to people in a way that complies with the data protection principles and privacy by design requirements set out in UK GDPR.
 
We have provided some non-exhaustive information about areas to consider when designing the presentation of your options.

Present the choices clearly

  • You must provide enough information to enable people to make an informed decision. This includes making it clear to people what each option means, the impact it will have on data processing and how people can exercise their data protection rights.
  • You should label the options clearly and transparently so that they accurately inform people about each option’s impact on them. For example, if you label your “consent” and “pay” options as “continue to read for free” or “subscribe for all content”, people may not realise that they are consenting to personalised advertising and tracking if they select the “read for free” option. In this case, it’s unlikely that their consent would be valid. 

 

Description: The display on a mobile phone (left) and desktop (right). Options are presented with unclear and misleading language. "Continue to read for free" may not be understood as providing consent for personalised advertising.

  • You should provide a clear summary of the differences between the options and ensure people don’t feel pressured to make a quick decision.
  • You must avoid using harmful design practices when presenting choices, ensuring you do not mislead people or create any reasonable expectations that you cannot meet. You can find further examples of harmful design practices in the ICO-CMA joint paper on harmful design in digital markets (external link).
  • You must use concise, clear and plain language. You should make sure this is appropriate to your target audience. You could include this in your user testing to make sure people understand the information you’re presenting (see below for more information). 

Don’t enable storage and access technologies too early

  • You must not use storage and access technologies for non-essential purposes before people provide consent. The only such technologies you can use at this point are those which are exempt from the consent requirements, such as those that are strictly necessary to make your “consent or pay” mechanism work.
  • You must make sure that any storage and access technologies you use for your “consent or pay” mechanism are session-based rather than persistent. This ensures you don’t store information on people’s devices for longer than necessary, particularly if they decide to leave the service.   
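A pre-consent check for the two points above, as an added example that is not part of the original guidance: it takes the `Set-Cookie` headers a service returns before the visitor has made a choice and flags cookies outside an allowlist as well as allowlisted cookies that are persistent rather than session-based. The allowlist, cookie names and sample headers are constructed assumptions; which technologies are actually exempt is for your own assessment.

```javascript
// Added example. Cookie names and headers below are constructed for illustration.
const STRICTLY_NECESSARY = new Set(["cop_choice_pending"]); // hypothetical allowlist

// Split one Set-Cookie header value into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? "" : part.slice(i + 1);
  }
  return { name, attrs };
}

// Max-Age takes precedence over Expires; a zero, negative or past lifetime
// is a deletion instruction, and no lifetime at all means a session cookie.
function lifetime(attrs, now = Date.now()) {
  const maxAge = Number.parseInt(attrs["max-age"], 10);
  if (!Number.isNaN(maxAge)) return maxAge <= 0 ? "deleted" : "persistent";
  const expires = Date.parse(attrs["expires"]);
  if (!Number.isNaN(expires)) return expires <= now ? "deleted" : "persistent";
  return "session";
}

// Report every cookie that should not be set before the visitor has chosen.
function auditPreConsentCookies(headers, allowlist = STRICTLY_NECESSARY, now = Date.now()) {
  const findings = [];
  for (const header of headers) {
    const { name, attrs } = parseSetCookie(header);
    const life = lifetime(attrs, now);
    if (life === "deleted") continue; // clearing a cookie stores nothing
    if (!allowlist.has(name)) {
      findings.push({ name, issue: "non-essential storage before consent" });
    } else if (life === "persistent") {
      findings.push({ name, issue: "consent-mechanism cookie is persistent" });
    }
  }
  return findings;
}

// Constructed sample: headers captured from a first page load, before any choice.
const SAMPLE_HEADERS = [
  "cop_choice_pending=1; Path=/; Secure; HttpOnly; SameSite=Lax",
  "ad_profile_id=8f3a; Max-Age=31536000; Path=/; Secure",
  "cop_choice_pending=1; Expires=Fri, 01 Jan 2100 00:00:00 GMT; Path=/",
  "legacy_tracker=; Max-Age=0; Path=/",
];
console.log(auditPreConsentCookies(SAMPLE_HEADERS));
```

The same check can run in an automated test against a fresh browser profile, so a newly added tag that sets storage before a choice is made fails the build.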

How should we design the “consent” option?

In addition to the general points listed above about presenting choices to users, there are further areas to consider when designing the “consent” option. 

Keep consent specific and granular

  • You must ask for specific consent for personalised advertising. You must keep this separate from consent for other purposes, such as content personalisation, re-targeting or video embeds. Bundling together consent for multiple processing purposes can make it difficult for users to understand what they are consenting to. This may make it hard for them to exercise control over your use of their information. Consequently, bundled consent is likely to be invalid.
  • Specific consent for personalised advertising can include the use of data and storage and access technologies required to deliver adverts and storage and access technologies used to measure the effectiveness of your advertising. For more information on this, see our draft guidance on storage and access technologies.
  • You must obtain separate consent for re-targeting people who use your services with adverts on other sites or services. The “consent” option should only cover people consenting to personalised advertising when accessing your product or service. The consent does not cover you advertising to the people who access your product or service when they are on a different service.

Provide clear information 

  • PECR says you must provide clear and comprehensive information to people before they give consent. The wording and framing you use is very important.
  • Your approach must enable people to understand the consequences of any consent they choose to give.
  • You must also tell people that they have the right to withdraw consent at any time. You should include information on how to do so. 

 

 

Description: A graphic displayed on a mobile phone (left) and desktop (right). Step 1 displays accepting on a consent or pay banner. Step 2 displays a "cookie settings" option at the bottom of the webpage. Step 3 shows all non essential purposes have been enabled by default without gathering specific and granular consent.

 

Description: A graphic displayed on a mobile phone (left) and desktop (right). Step 1 displays accepting on a consent or pay banner. Step 2 displays a "cookie settings" option at the bottom of the webpage. Step 3 shows all non essential purposes have been turned off by default as consent for personalised advertising on the consent or pay banner is not specific and granular consent for other non essential processing.

Make sure it’s easy to refuse consent

  • You must make it as easy for people to refuse consent as it is to accept consent.
  • Your mechanism must allow people to refuse consent to personalised advertising easily and without detriment. In practice, this means you must present people with clear alternatives to consenting, including the option to “pay” or to leave the service.
  • You must allow people to access your product or service even if they don’t consent to non-essential processing purposes such as analytics, re-targeting or personalised advertising. 

How should we design the “pay” option?

The “pay” option doesn’t involve obtaining consent. However, you must build this option with privacy by design in mind from the outset. For example, if your “pay” option involves collecting personal information to set up accounts and partnering with payment providers so people can pay, you must process this information fairly, lawfully and transparently. Don’t collect more information than you need and only use storage and access technologies that are required for these purposes.

You should include these considerations as part of your overall DPIA for your “consent or pay” implementation.

What if someone wants to leave the product or service?

In some cases, people may not want to:

  • consent to personalised advertising; or
  • pay to avoid personalised advertising.

In this instance a person may choose to leave your product or service.  

In addition to the general points listed above about presenting choices to people, there are some further points to consider about how you enable people to leave your product or service:

  • You should make it clear that if people don’t want to “consent” or “pay” they can leave your product or service. This helps you demonstrate your compliance with your transparency requirements and that your service makes it “as easy to refuse as to accept” consent for people.
  • You could present users with a specific option to “leave”, which is a prominent choice that allows users to leave the product or service. Users can also leave a service through their own actions, such as by visiting a different online service, using the “back” button or by closing their browser. 
  • Existing users of your product or service may hold an account on your product or service. Where you present a leave option to existing users, you should consider how this will impact their account, including deleting the account and how you can transfer or port their information to an alternative product or service, where appropriate, in line with their right to data portability. You should appropriately inform existing users about how leaving the product or service will impact their information. 

Having an effective and clear “leave” option won’t automatically mean your approach to “consent or pay” is valid. For example, sometimes your market position means that leaving the service isn’t a viable choice for the user. See the power imbalance chapter for more information about this.

How should we integrate the right to withdraw consent?

You must provide people with a way to withdraw their consent to personalised advertising, give clear information about how to do so and make sure it is always easy for people to do so. 

You should make withdrawing consent an easily accessible, one-stop process. You should make the mechanism to withdraw consent clear, prominent and easy for people to find. This could look like:  

  • including the option to withdraw consent as a command in a ‘settings’ menu. If you do this, you should display the option clearly and prominently in the menu and make sure people are informed about how to access the mechanism(s); or
  • using a floating icon at the bottom of a browser window which enables people to withdraw their consent when selected. 

Where possible, you should allow people to withdraw consent using the same method by which they gave it. For example, if a person provided consent by ticking a box or clicking a slider, you should allow them to withdraw consent in the same way.

Once a person withdraws consent, you must stop any processing based on that consent as soon as possible. This means you must stop using that person’s profile to serve personalised advertising. You must also tell any other organisation you disclosed that person’s information to about the withdrawal of consent.

You must interpret a withdrawal of consent as a request for erasure. This means you must delete any personal information you gathered under that consent. Our right to erasure guidance provides more information on how to comply with this request. If a person re-consents to processing in future, you should base your personalised advertising on data gathered after the person has re-consented. 

While people do have the right to withdraw their consent to personalised advertising, this doesn’t mean that they have the right to continue accessing your service for free. If a person withdraws their consent, you can take them back to the first layer of the original “consent or pay” mechanism. 

Articles 12 and 21 of the UK GDPR make clear that if you process personal data for the purposes of direct marketing, you must demonstrate that people can exercise their right to object free of charge. In the context of “consent or pay” models, the right to object to direct marketing can operate in the same way as withdrawing consent to personalised advertising.

What is user testing and how can we do it?

You could incorporate user testing of the design and presentation of your “consent or pay” model as a way of demonstrating how you’ve considered privacy by design. There are different approaches and methodologies you can use. Any testing should be appropriate for the type of product or service you provide and the groups of people you provide it to. We have provided a non-exhaustive list of areas to consider:

  • the appropriateness of the language you use to present choices in the “consent or pay” mechanism for the group(s) of people who use your product or service;
  • the impact a “consent or pay” model will have on different user groups, and whether any user groups are in a more vulnerable position;
  • people’s understanding of the information provided about the processing and tracking technologies involved in personalised advertising;
  • people’s comprehension of the processing activities and purposes you are asking them to consent to;
  • whether people understand how to withdraw their consent; and
  • whether people understand what all the options in the model are and what they mean for data processing and data protection rights.