This website will offer limited functionality in this browser. We only support the recent versions of major browsers like Chrome, Firefox, Safari, and Edge.

The ICO issues guidance on ‘consent or pay’ models

Picture of Amanda Leiu
By Amanda Leiu
17 Mar 2025 5 min read
Passle image

Earlier this year, the UK Information Commissioner’s Office (ICO) published guidance on ‘consent or pay’ models. These models have previously come under scrutiny from consumer authorities and data protection regulators including the ICO and the European Data Protection Board (EDPB), which we reported on here.

The main concerns centred on whether consent is truly "freely given" and if users have a real choice, considering the potential for power imbalance between providers and users, and appropriateness of the fees charged.

We summarise the key takeaways from the ICO’s guidance, which is intended for organisations currently operating or considering a ‘consent or pay’ model in the UK.

Key takeaways

The ICO has recognised an increase in the prevalence of 'consent or pay' models. The guidance broadly reflects the ICO’s initial view on these models pending a public consultation issued earlier this year calling for views. 

The guidance confirms that UK data protection law does not explicitly prohibit the use of ‘consent or pay’ models, nor does it require organisations to offer their online products or services for free.

However, the ICO stresses that 'consent or pay' models are only compliant with UK data protection law if organisations can demonstrate and prove that:

  • users can freely give their consent; 
  • users are fully informed; and 
  • users have the option to refuse or withdraw their consent without detriment (such as an unfair penalty) – akin to the ‘right to object to direct marketing’ under Articles 12 and 21 UK GDPR.

The ICO's guidance outlines four factors that organisations can use to assess and determine compliance, building on existing UK GDPR standards and ICO commentary. 

Factor 1: Power imbalance between providers and users

Organisations should “reasonably and proportionately” assess whether there is a power imbalance with a potential user. If such an imbalance exists, users may not have a genuine choice. For example, those who rely on a particular online service but become priced out of the ‘pay’ option may feel compelled to consent. 

To assess whether such an imbalance of power exists, organisations should consider the: 

  1. type of organisation and product/service offering (e.g. whether the organisation offers a public service); 
  2. extent to which people rely on that organisations’ products/services; and 
  3. extent to which the organisation holds a position of market power (e.g. whether users can switch to a comparable alternative).

Where there is a clear power imbalance between users and organisations, organisations should take steps to address this imbalance or risk being unable to use a 'consent or pay' model, since users are unlikely to provide "freely given" consent. 

The ICO suggest that organisations could offer alternatives that do not require users to consent to personal advertising or pay to avoid it, such as allowing users to access a service with contextual advertising instead. 

Factor 2: Appropriateness of fees

Organisations should consider whether the level of fee for a ‘pay’ option is appropriate. Again, an “inappropriately high fee” may make users feel they have no genuine choice but to consent.

While the ICO emphasises that it is not their role to set fees, the guidance clarifies that offering a ‘pay’ option as an alternative to consent does not automatically invalidate consent, nor does a fee necessarily result in an unfair penalty to a user. 

The ICO states that the most appropriate measure to determine whether the fee level can enable freely given consent is the "value that individuals who use or might use an organisation’s product or service associate with not sharing their personal information for purposes of personalised advertising".

Factor 3: Equivalence

Equivalence for this purpose means that organisations should offer the same (but not necessarily identical) core service and of the same quality under the ‘consent’ and the ‘pay’ option. 

Organisations are permitted to include additional benefits or features in either option provided that: 

  1. The features or benefits included in the ‘consent’ option do not unfairly penalise users who refuse or withdraw consent; 
  2. The features or benefits do not change the core service or product; and 
  3. The features or benefits included in the 'pay' option do not increase the price beyond an appropriate fee.

Factor 4: Privacy by design 

Organisations should implement specific data protection measures and safeguards into their model at the design stage to ensure compliance with their ‘privacy by design’ obligations under data protection laws. 

Privacy by design in the context of ‘consent or pay’ models will be relevant to how an organisation presents the ‘consent’ and ‘pay’ options to individuals. The way in which an organisation presents the ‘consent’ or ‘pay choices to individuals can impact the validity of consent. For example, if the options are not presented clearly, or if the design is biased to steer individuals towards a certain option, it is likely to be non-compliant. 

The guidance sets out some practical tips on what to consider in relation to this factor:

  • Present the choice clearly and make it clear to individuals what each option means, the impact will have on data processing and how individuals can exercise their rights;
  • Do not use storage and access technologies for non-essential purposes before people provide consent;
  • Keep consent specific and granular; and
  • Make it easy to refuse consent.

The ICO’s view is that the processing involved with ‘consent or pay’ models is likely to constitute high risk processing. Therefore, before implementing any 'consent or pay' model, an organisation must complete a data protection impact assessment (DPIA) or review and update any existing DPIA which covers use of advertising technologies. 

Conclusion

The ICO guidance recognises the need to ensure that ‘consent or pay’ models comply with data protection laws, whilst balancing the privacy rights of individuals against the right to conduct business. 

Any business currently using or looking to adopt a ‘consent or pay’ model should assess the proposed model, taking into account the four factors set out above. If a business can demonstrate that its model meets these factors, that will help demonstrate that the model meets the requirements for valid consent.

If you have any questions or would otherwise like to discuss any of the points raised in this article, please contact Amanda Leiu or Richard Hugo. 

This post was written by Yadhavi Analinkumar