ICO Consultation on Consent or Pay Business Models
In March 2024, the Information Commissioner’s Office launched a consultation on “consent or pay” business models for advertising cookies. The consultation is available here (external link) and closes on 17 April 2024.
Under the consent or pay approach (also known as “pay or okay”), users wishing to access an online service (such as a website or mobile app) are given the choice between allowing their personal data to be used for personalised advertising purposes and accessing the service free of charge or paying to access the service if they do not consent to the use of their personal data for advertising.
Does the Law allow Consent or Pay?
In principle, yes. However, this is not without caveats. For example, consent for cookies under the Privacy and Electronic Communications Regulations (PECR) must be “freely given, specific, and informed”. If a service puts its content behind a cookie wall which denies access to that content unless a user consents to personalised advertising, it may be the case that consent has not been freely given.
The ICO states that data protection law does not, in principle, prohibit consent or pay models, but that “any organisation considering such a model must be careful to ensure that consent to processing of personal information for personalised advertising has been freely given and is fully informed, as well as capable of being withdrawn without detriment”.
Points to Consider
The ICO plans to examine consent or pay models as follows:
- How will organisations ensure that they are focused on people’s interests, rights, and freedoms in this context?
- How will organisations show that users are fully aware of what happens when they interact with their online service?
- How will organisations demonstrate that users are making informed, free choices about their engagement with the service?
Points that the ICO expects those considering a consent or pay model to take into account include:
- The power balance (or rather imbalance) between the service provider and the user. If users have little or no choice whether or not to use a service, consenting to personalised advertising is not likely to be “freely given".
- The equivalence of the “free” and paid services. In some cases, a paid or premium option might include features that the ad-supported option does not.
- Is the fee appropriate? If the fee is unreasonably high, consent to personalised advertising instead is less likely to be “freely given”.
- Privacy by design. Options like these can sometimes be presented in such a way as to lead the user to a particular choice and/or without clearly explaining what the options mean for the user. If users do not understand how their personal data will be used or that they can instead pay to access the service and keep their personal data away from advertising, consent is again less likely to be “freely given”.
Giving Users Information
As well as being freely given, consent should be “informed”. Users must be properly informed about what will happen to their personal data if they consent to personalised advertising in a situation like this. Similarly, users should be told what the consequences are if they choose not to consent, either at that time or in the future.
A common theme online and in apps is that if something is free, you are paying with your privacy. This should be borne in mind when choosing how to present information to users. Being clear and honest builds trust and confidence. Trying to pass off something as being free and a good deal while clearly profiting from a user’s personal information could have the opposite effect.
Withdrawing Consent
Users have the right to withdraw consent, and they should be told about this at the time they are asked for it. It should also be made easy for users to exercise this right. Further, the ICO explains that users should be able to withdraw consent without detriment. It would not seem reasonable to interpret this as meaning that users should be able to withdraw consent without losing access to the online service in question, however. What this does mean, is that the organisation that collected the personal data from the user to use for personalised advertising should communicate the user’s withdrawal of consent to other organisations that the data has been shared with.
Have Your Say!
The ICO’s consultation invites organisations’ views on the ICO’s proposed regulatory approach to pay or consent models. Whether your business uses such an approach or not, it is difficult to miss the increasing prevalence of ad-funded online business models, particularly those which offer (or require) personalised advertising.
The ICO’s guidance in this area continues to evolve, and it is also expected to release a further consultation on updated guidance on the use of cookies later this year. For almost any business with an online presence, cookies and related technologies are a key ingredient, and no opportunity to help shape the rules surrounding them should be missed!
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.