The ICO has issued a call for views on “consent or pay” models. “Consent or pay” models require people to choose between accessing online services without payment if they consent to their personal information being used for personalised advertising or, if they refuse this consent, having to pay to access that service.
The ICO wishes to provide an initial view on this model. It says that data protection law allows for a wide range of different approaches and business models. It balances fundamental rights like the right to privacy with other rights, like the freedom to conduct a business. Some types of access mechanisms are unlikely to comply with expectations in data protection law for consent to be “freely given”. An example of this might be if they do not provide people with a free choice about whether to receive personalised ads. This can be the case with cookie walls that deny access to a service unless consent to personalised ads.
According to the ICO, in principle, data protection law does not prohibit business models that involve “consent or pay”. However, any organisation considering such a model must be careful to ensure that consent to processing of personal information for personalised advertising has been freely given and is fully informed, as well as capable of being withdrawn without detriment.
The ICO says that the issues that “consent or pay” touches on are complex and the ICO is developing its position in this area, taking account of regulatory and industry developments in the UK and other jurisdictions. It says that it will expand on its thinking later this year when it consults on updated guidance on cookies and similar technologies. As a starting point, it expects organisations thinking about a “consent or pay” model to consider a range of factors when assessing whether it will provide valid consent for personalised ads in the relevant context. These include the following:
- Power balance: to what extent is there a clear imbalance of power between the service provider and its users? Consent for personalised ads is unlikely to be freely given when people have little or no choice about whether to use a service or not, which could be the case when they are accessing a public service or the service provider has a position of market power.
- Equivalence: are the ad-funded service and the paid-for service basically the same? For example, if a service provider offers a choice between personalised ads and a “premium” ad-free service that bundles lots of other additional extra together, then this would not be the case.
- Appropriate fee: is the fee appropriate? Consent for personalised ads is unlikely to be freely given when the alternative is an unreasonably high fee. Fees should be set to provide people with a realistic choice between the options, with the provider capable of providing justification of the appropriateness of the level.
- Privacy by design: are the choices presented fairly and equally? This means giving people clear, understandable information about what the options mean for them and what each one involves. Consent for personalised ads is unlikely to be freely given when people do not understand how their personal information is being used or that they can access the service without having to agree to the use of their personal information.
Organisations need to give special consideration to the treatment of existing users of the service, who may understand the organisation’s current approach and use the service extensively in their daily lives. This may lead to a difference in power balance (for example, users may find it hard to switch) or have implications for how choices are presented.
The ICO emphasises that when an organisation relies on consent it must be able to demonstrate that it is valid. This means organisations must inform people about how they (and any other organisations they work with) intent to use their personal information as payment for the service they receive, as well as what it means if they decide to say no, now or in the future.
The UK GDPR gives people a specific right to withdraw consent. Organisations need to tell people about this and offer them easy ways to withdraw consent at any time. It must be as easy for people to withdraw consent as it is to give. Organisations must also ensure people can withdraw their consent without detriment. Where people deice to withdraw consent organisations will need to make sure that this is communicated to other organisations with which they have shared individuals’ personal information.
The ICO is consulting on key data protection issues in relating these advertising models. The call for evidence is open until 17 April 2024.