Data protection authorities scrutinise ‘consent or pay’ business models

The Information Commissioner’s Office (ICO) said that ‘consent or pay’ business models – also known as ‘pay or OK’ models – can comply with UK data protection laws, but it said that compliance will depend on whether businesses adopting the model can show that consent has been “freely given”, that individuals are “fully informed” about the purpose of the data processing, and that individuals can withdraw their consent “without detriment”.

The ICO said its thinking on ‘consent or pay’ models is “emerging”. While it has set out “an initial view” on the issues businesses adopting a ‘consent or pay’ model need to consider, to ensure they comply with the requirements of UK data protection law, it has called for businesses and other stakeholders to share their views to help it shape its regulatory approach and establish more formal guidance.

The ICO’s initial view centres on the adoption of ‘consent or pay’ business models in the context of ad-funded online businesses. It said some businesses are considering “giving people a choice between accessing online services without payment if they consent to their personal information being used for personalised advertising or, if they refuse this consent, having to pay to access that service”.

It said the factors playing into whether such models are compliant include the extent to which “there a clear imbalance of power between the service provider and its users” and whether the ad-funded service and the paid-for service are “basically the same”. Other relevant factors are whether the fee charged for the paid-for service is “appropriate” and whether the choices available to users of the service are “presented fairly and equally”. The ICO said the factors it listed were non-exhaustive.

The ICO said: “In principle, data protection law does not prohibit business models that involve ‘consent or pay’. However, any organisation considering such a model must be careful to ensure that consent to processing of personal information for personalised advertising has been freely given and is fully informed, as well as capable of being withdrawn without detriment.”

The ICO is not the only data protection authority scrutinising ‘consent or pay’ business models. The European Data Protection Board (EDPB), which comprises representatives from national data protection authorities in EU member states, is due to issue its own opinion on the topic. The EDPB has been called on to issue the opinion by data protection authorities in the Netherlands, Norway and Hamburg, Germany, and has faced further pressure to “firmly oppose” ‘pay or OK’ models from digital rights groups.

The ICO’s call for views is open until 17 April 2024.