The ICO issues guidance on ‘consent or pay’ models

Earlier this year, the UK Information Commissioner’s Office (ICO) published guidance on ‘consent or pay’ models. These models have previously come under scrutiny from consumer authorities and data protection regulators including the ICO and the European Data Protection Board (EDPB), which we reported on here.
The main concerns centred on whether consent is truly "freely given" and whether users have a real choice, considering the potential for power imbalance between providers and users, and the appropriateness of the fees charged.
We summarise the key takeaways from the ICO’s guidance, which is intended for organisations currently operating or considering a ‘consent or pay’ model in the UK.
Key takeaways
The ICO has recognised an increase in the prevalence of 'consent or pay' models. The guidance broadly reflects the ICO’s initial view on these models pending a public consultation issued earlier this year calling for views.
The guidance confirms that UK data protection law does not explicitly prohibit the use of ‘consent or pay’ models, nor does it require organisations to offer their online products or services for free.
However, the ICO stresses that 'consent or pay' models are only compliant with UK data protection law if organisations can demonstrate and prove that:
The ICO's guidance outlines four factors that organisations can use to assess and determine compliance, building on existing UK GDPR standards and ICO commentary.
Factor 1: Power imbalance between providers and users
Organisations should “reasonably and proportionately” assess whether there is a power imbalance with a potential user. If such an imbalance exists, users may not have a genuine choice. For example, those who rely on a particular online service but become priced out of the ‘pay’ option may feel compelled to consent.
To assess whether such an imbalance of power exists, organisations should consider the:
Where there is a clear power imbalance between users and organisations, organisations should take steps to address this imbalance or risk being unable to use a 'consent or pay' model, since users are unlikely to provide "freely given" consent.
The ICO suggests that organisations could offer alternatives that do not require users to consent to personal advertising or pay to avoid it, such as allowing users to access a service with contextual advertising instead.
Factor 2: Appropriateness of fees
Organisations should consider whether the level of fee for a ‘pay’ option is appropriate. Again, an “inappropriately high fee” may make users feel they have no genuine choice but to consent.
While the ICO emphasises that it is not its role to set fees, the guidance clarifies that offering a ‘pay’ option as an alternative to consent does not automatically invalidate consent, nor does a fee necessarily result in an unfair penalty to a user.
The ICO states that the most appropriate measure to determine whether the fee level can enable freely given consent is the "value that individuals who use or might use an organisation’s product or service associate with not sharing their personal information for purposes of personalised advertising".
Factor 3: Equivalence
Equivalence for this purpose means that organisations should offer the same (but not necessarily identical) core service, of the same quality, under both the ‘consent’ and the ‘pay’ options.
Organisations are permitted to include additional benefits or features in either option provided that:
Factor 4: Privacy by design
Organisations should implement specific data protection measures and safeguards into their model at the design stage to ensure compliance with their ‘privacy by design’ obligations under data protection laws.
Privacy by design in the context of ‘consent or pay’ models will be relevant to how an organisation presents the ‘consent’ and ‘pay’ options to individuals. The way in which an organisation presents the ‘consent’ or ‘pay’ choices to individuals can impact the validity of consent. For example, if the options are not presented clearly, or if the design is biased to steer individuals towards a certain option, it is likely to be non-compliant.
The guidance sets out some practical tips on what to consider in relation to this factor:
The ICO’s view is that the processing involved with ‘consent or pay’ models is likely to constitute high risk processing. Therefore, before implementing any 'consent or pay' model, an organisation must complete a data protection impact assessment (DPIA) or review and update any existing DPIA which covers use of advertising technologies.
Conclusion
The ICO guidance recognises the need to ensure that ‘consent or pay’ models comply with data protection laws, whilst balancing the privacy rights of individuals against the right to conduct business.
Any business currently using or looking to adopt a ‘consent or pay’ model should assess the proposed model, taking into account the four factors set out above. If a business can demonstrate that its model meets these factors, that will help demonstrate that the model meets the requirements for valid consent.
If you have any questions or would otherwise like to discuss any of the points raised in this article, please contact Amanda Leiu or Richard Hugo.
This post was written by Yadhavi Analinkumar.