What happened?

The UK Information Commissioner’s Office (ICO) has released updated guidance on ‘consent or pay’ business models. These models present users with a choice to either consent to the processing of their personal data for purposes like personalised advertising in return for access to a product or service, or pay a fee to access the product or service without personalised ads.

For many online services, the consent or pay business model provides an important way of monetizing their product or service, generating essential revenue streams. However, there has been uncertainty about whether companies could obtain valid consent from users through these models under UK data protection laws – and, consequently, whether they could establish a legal basis for the processing of personal data for personalised ads.

The ICO’s guidance therefore aims to help companies navigate the complex intersection between UK data protection laws and online monetization. It shows that companies may be able to operate a consent or pay business model in compliance with applicable UK data protection laws; however, some types of companies (such as large social media platforms) may struggle to satisfy the necessary criteria without offering a third option, such as contextual advertisements.

What does the guidance say?

In order to operate a consent or pay business model, companies must assess whether they can demonstrate that their users’ consent is ‘freely given’. The standard for freely given consent is set out in the UK General Data Protection Regulation (GDPR). In the context of consent or pay business models, freely given consent means that users must have a genuine, voluntary choice to consent (or refuse to consent) to personalised ads. If users feel compelled to provide their consent, it will be invalid.

This means that before companies implement a consent or pay model, they must conduct a data protection impact assessment (DPIA) to:

  • Assess the validity of consent.
  • Identify any risks.
  • Take necessary steps to mitigate risk or bring the model into compliance.

The guidance sets out various issues to consider in the DPIA, such as:

Issue: Power imbalance between users and service providers. This can arise from a variety of factors that influence the relationship between a service provider and its users. For example, a power imbalance could occur if a social media user:
– Spends time building a social media profile.
– Relies on that social media network to connect with family and friends.

Action: Services should consider providing an alternative option – such as ‘consent to contextual ads’ – whereby advertising is targeted based on the content of the page that the user is currently viewing rather than their behavioural profile history. Users who choose this option should be allowed to access the core product or service without being required to consent to personalised ads or paying to avoid personalised ads.

Issue: Inappropriately high fees for the paid option. This relates to the amount of money that people can pay while freely providing their consent. For example, a service might be charging an inappropriate fee if the fee for the ‘paid’ option is so high that users feel they can only afford the ‘consent’ option.

Action: Services should consider their pricing structure and keep their company’s specific context in mind when setting their fees, such as the company’s:
– Size
– Market position
– Nature of processing

As above, providing an additional option, such as contextual ads, could be an effective mitigation strategy.

Issue: Lack of equivalent core services between consenting and paying users. This means that services do not necessarily have to be identical but should be broadly the same under both your ‘consent’ and ‘pay’ options. If a service offers ‘paid’ users a materially worse or completely different core service from ‘consenting’ users, it may not be able to demonstrate equivalence.

For example, a social media company could meet this requirement if it allows users who choose contextual ads to access core features, such as the ability to post information and connect with family and friends, but not extra features, such as photo editing or avatars.

Action: Assess the quality of the services you offer, including functionality, features, content, personalisation and user control over personal data.

Ensure that at least one other option:
– Provides the core product or service.
– Does not require consent to personalised ads.
– Does not unnecessarily reduce the overall product or service quality.
– Does not have an inappropriately high fee.

Keep your assessment under review over time to ensure equivalence is maintained as the core product develops.

What should companies do?

To avoid enquiries from the ICO or complaints from UK individuals about their consent or pay business models, companies subject to UK data protection law should:

  • Conduct a DPIA to review current practices and compare them against the ICO’s guidance.
  • If the DPIA identifies any compliance gaps or risks in relation to the company’s model, take any necessary steps to mitigate or resolve such gaps and risks. This may require offering an alternative option, such as contextual advertising.
  • Keep the consent or pay model under regular review as the company’s product or service develops over time.

Authors

Ann Bevitt, Partner, London

Morgan McCormack, Associate, London

Posted by Patrick Johnson