Digital Regulation

ICO delivers its verdict on 'consent or pay' in the UK

Published on 6th Feb 2025

UK data regulator takes more positive tone than EU on data privacy compliance for consent or pay models

Close up view on a man typing on a keyboard, working with a desktop and two laptops

On 23 January 2025, the  Information Commissioner's Office (ICO), the UK's data privacy regulator, issued guidance on use of personal data as part of a "consent or pay" business model, following a public consultation on its draft proposals.

The guidance shows that it is possible to operate a consent or pay model in compliance with the UK's General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR), but that it is not straightforward to do so.

The UK data regulator takes a more positive view than the EU on whether businesses can comply with data privacy regulations when making free access to services conditional on accepting personalised advertising.

'Consent or pay' models

Consent or pay models are so called because a provider of online services offers potential service users a choice: either they pay a fee to access the service, or they consent to the service provider using their personal data to provide them with personalised advertising.

They have become more prevalent as regulators have enforced compliance with cookie consent rules, meaning that more people are confronted with cookie consent screens which allow them to easily reject non-essential cookies, and also as some tech companies look to restrict use of third-party cookies on their services.

The targeting of users with personalised advertising entails the creation of a profile of each user usually formed from a combination of personal data from different sources: some provided directly by the user (often when filling in a sign up form), some observed (such as by tracking their movements around online platforms, or activity on their mobile phone or other devices), and some which is inferred from the foregoing data.

The guidance is clear that these models can be compliant with data protection but only if:

  • Users have "freely given" compliant consent if choosing personalised advertising over paying.
  • The model operates in compliance with other legal requirements.
  • Service providers have documented and can demonstrate that their particular consent or pay model is compliant with GDPR and PECR.

Compliant consent

Under the GDPR and PECR, to be compliant, consent must be freely given, specific, informed, unambiguous and the user must be able to easily withdraw consent at any time. Of these criteria, the most problematic for the consent or pay model is that of "freely given".

The guidance sets out factors to be taken into account in assessing this. These include:

  • Power imbalance: whether there is a clear power imbalance between user and service provider, such that a user cannot realistically choose not to use the service. If so, the ICO thinks it is unlikely that the consent can be demonstrated to have been freely given, pointing out that this is especially likely to be an issue with existing users, who may find it more difficult to change to another platform.
  • Appropriate fee level: Whether the fee level is appropriate for the benefit of using the services without personalised advertising. It is unlikely that people can freely give their consent if fees are so high as to make paying them an unrealistic option for some users. The analysis of how to determine an appropriate basis for pricing is interesting. The ICO makes clear that the appropriate basis is "the value that consumers associate with not sharing their personal data for the purposes of personalised advertising". It suggests that some of the usual bases (such as revenue, costs and value of core services) are unlikely to be relevant in this context.
  • Equivalence of core services: Are the core services broadly equivalent for those who consent to the use of their data versus those who pay? If not, it will be more difficult to show that the consent was freely given.
  • Fair presentation of options: Whether the options are presented fairly, with clear information about what each option will involve. If they are not, or if the design of choices is engineered to push users towards a particular option, it is unlikely to be compliant.

The guidance looks at these factors in detail, including discussing how to assess power imbalances, equivalence of services, and appropriateness of fees.

How do the UK and the EU positions compare?

Last year, the European Data Protection Board (EDPB) issued an opinion on "pay or consent" models. The opinion was issued in response to particular questions it had been asked to opine on. This meant that it was restricted in scope, being specific to large online platforms, and their processing for the purposes of behavioural advertising. However, the EDPB has said that it intends to issue guidance on the use of consent or pay which will be broader in scope. 

The ICO and EDPB views agree on the central importance of ensuring that consent is freely given, and that key factors in the assessment include imbalance of power; whether options other than a paid for service are also offered; the extent of detriment suffered by not consenting; whether fees are charged; and the level of any fees.

However, the ICO is markedly more positive towards use of the model, conveying an overall sense that it can be operated compliantly, provided that the use of personal data in the model is carefully considered and documented, that users are offered appropriate options, and that they are properly informed about the options and their consequences.

In contrast, the EDPB states that "in most cases, it will not be possible" for large online platforms to be compliant with the requirements for valid consent if the only choice for users is between paying a fee or having to consent to their personal data being used to deliver personalised advertising.

The EDPB added that granularity was a factor, that is, the extent to which users can consent separately to different processing operations involved in the choosing, serving and measuring of personalised advertising.

When addressing the question of whether a failure consent would result in detriment, the EDPB sets out some useful factors to consider including, for example: exclusion from a prominent service, lack of access to professional networks, or risk of losing content or connections.

In summary, the UK versus EU views differ significantly in tone, with the ICO conveying more of a "can do" message, but they are fairly close on substance, especially taking into account the narrower scope of the EDPB opinion.

What does this mean for businesses?

The fact that the EDPB considered only large online platforms, whereas the ICO did not focus on them in particular, leaves the operators of the biggest platforms with some uncertainties as to how the UK regulation will apply to them specifically, while leaving other businesses unclear on their position in the EEA (pending the EDPB issuing broader guidance).

So far, businesses deploying consent or pay models tend to offer users only the binary choice that the name implies. Given that both the ICO and the EDPB have stressed the desirability of offering additional options, we expect to see more businesses adopt such an approach, in particular by providing an option for users to continue receive a free service in return for consenting to a form of advertising (such as contextual advertising) that involves less processing of personal data. Whether data regulators (as well as consumer bodies, who have also taken a keen interest in the mechanics of consent or pay models) deem this to be sufficient will still ultimately depend on the various other factors noted above.   

Businesses intending to use these models should therefore conduct (and document) specific, detailed assessments of whether there is an imbalance of power, and the ways in which their model will be implemented to ensure that individuals have a genuine choice.  This is in addition to conducting a data protection impact assessment (which is already usually required when conducting the types of processing activities that underpin the delivery of personalised advertising).

It will also be important for businesses to check that they are complying with other aspects of data protection rules, including: ensuring appropriate transparency around how collected data would be used, that there is a simple, easy-to access mechanism for withdrawing consent, and that models/systems are designed with data privacy compliance built in from the outset.

If you have any questions about legal issues arising with consent or pay models, or with the use of data generally, get in touch with one of our team below or your usual Osborne Clarke contact.

Share
Related articles
New legislation advances the digitalisation and modernisation of Spain's financial laws
29/01/2025 6 mins
How businesses can get set for the UK Digital Markets Competition and Consumers Act in 2025
24/12/2024 10 mins
PSD3 and PSR: Impact on payment and e-money institutions
27/09/2024 6 mins
The EU Accessibility Act – Time to start implementation projects now
25/06/2024 6 mins
Interested in hearing more from Osborne Clarke?

Register now for more insights, news and events from across Osborne Clarke

Sign up

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?

Register now for more insights, news and events from across Osborne Clarke

Sign up