Businesses that operate a “consent or pay” (or “pay or okay”) model should take note of views expressed recently by both UK and EU data protection regulators. The model gives users the option, in return for access and use of a service, either to (i) consent to their personal data being used for personalised advertising, or (ii) pay a fee to not be tracked. The UK Information Commissioner’s Office (ICO) and the European Data Protection Board (EDPB) are both currently addressing issues raised by this model.
The ICO launched a public consultation in March to develop its regulatory position. This recently closed and the ICO is expected to issue updated guidance on cookies and similar technologies later this year. Meanwhile, the EDPB has gone one step further and issued an Opinion in April in the context of “consent or pay” models implemented by large online platforms, following requests from the Dutch, Norwegian and Hamburg Data Protection Authorities.
The ICO consultation
Much like the EDPB’s Opinion, discussed below, the ICO’s initial view is that whilst “consent or pay” models are not prohibited, for consent to be valid, it must be freely given, fully informed, and capable of being withdrawn without any detriment. The ICO emphasises the power imbalance between online platforms and users, appropriateness of fees charged, and providing users with real choice. See, Call for views on “consent or pay” business models | ICO. Businesses that currently operate, or are considering operating, such a model will need to exercise care to ensure that when doing so they fall on the right side of the law.
EDPB’s Opinion and things to consider
Assess current practices: The EDPB’s is of the view that, in most cases, the “consent or pay” model for large online platforms does not comply with the EU’s General Data Protection Regulation for obtaining consent. In its view, confronting users with a binary choice does not constitute real choice. Online platforms must, therefore, assess whether their models meet the GDPR requirements for valid consent.
Review fees: The EDPB stressed that the fundamental right to data protection must not be transformed into a tradeable commodity that users must pay to enjoy, nor be a feature that only the wealthy can access. As such, any fees to access should be carefully evaluated by online platforms. The fee should be appropriate to the circumstances as this could impact the user’s ability to make a genuine choice. The assessment should be made on a case-by-case basis and in light of the requirements for valid consent and the GDPR principles. In this regard, the EDPB emphasises the fairness principle: users must not be pushed into providing consent.
Consider alternatives and user detriment: Genuine and free choice also depends on the options offered to users. The EDPB encourages online platforms to consider providing an ‘equivalent alternative’ that does not involve payment. If, however, online platforms decide to charge a fee for access to the ‘equivalent alternative’, they should consider offering an additional free alternative without behavioural advertising, e.g. advertising which entails the processing of less or no personal data. Online platforms must also be careful not to exclude users entirely if they choose not to consent as well as not to pay a fee, especially in relation to dominant online platforms, or where this might affect the ability of users to participate in social life or access professional networks.
The EDPB’s Opinion is available here. The EDPB also intends to develop guidelines on ‘consent or pay’ models with broader application.
Looking ahead
Businesses operating in this space should familiarise themselves with the views of both the ICO and the EDPB and look out for further guidance. Although the EDPD’s Opinion is not binding in the UK, it will no doubt be influential. Overall, the outcome from both the EDPB’s Opinion and the ICO’s guidance will have significant implications for how online platforms across the UK and EU manage their advertising wall going forward.
Please contact a member of our Data Protection and Cyber Security Team should you have any queries in relation to the issues raised in this e-update.
This article was co-authored by Trainee Solicitor Tulsi Mount.