The ICO has issued guidance on “consent or pay” models. The ICO intends the guidance to provide clarity and advice for any organisation currently operating, or considering, a “consent or pay” model in the UK.
“Consent or pay” models present people with a choice. People can:
- consent to websites using their personal information for personalised advertising to access an online product or service;
- pay a fee to access the product or service, with websites not using their information for personalised advertising; or
- decide not to use the product or service.
The ICO says that if you are implementing a “consent or pay” model, you must make sure that you are able to demonstrate people have freely given their consent for personalised advertising under the “consent or pay” model.
The guidance sets out a framework of factors that are important to consider when assessing whether your “consent or pay” model meets the standard of consent. This reflects and builds on existing UK GDPR standards and ICO guidance.
The four factors are:
- Power imbalance: Is there a clear power imbalance between you and the people using your product or service? It is unlikely that people can freely give their consent if they have no realistic choice about whether to use the service. Businesses should also consider existing users under this factor.
- Appropriate fee: Have you set an appropriate fee for accessing your service without personalised advertising? It’s unlikely that people can freely give their consent if your fee is inappropriately high, making it an unrealistic choice.
- Equivalence: Is your core service broadly equivalent in the products and services offered where people consent to personalised advertising and where people pay to avoid personalised advertising? You can include additional perks or features in either service. However, you should provide an equivalent core service across all options to ensure that people have a free choice.
- Privacy by design: Do you present the choices equally to people, with clear, understandable information about what each choice means and what they involve? People cannot freely give their consent if they are uninformed about the available options or have their choice influenced by harmful design practices.
Businesses must document an assessment of their “consent or pay” model as part of their data protection impact assessment (DPIA). This assessment should consider the data protection principles set out in the UK GDPR as well as the factors in the ICO’s guidance and other relevant ICO guidance.
