This week the ICO launched a call for views on the use of “pay or consent” models in the context of ad-funded online business models, many of which rely on cookies or similar tracking technologies.
Data privacy concerns around “pay or consent” models
A “pay or consent” model is where a business gives people a choice between accessing online services without payment if they consent to their personal information being used for personalised advertising or, if they refuse this consent, having to pay to access that service.
The ICO’s initial view is that in principle, data protection law does not prohibit these business models. But it expects organisations to consider certain factors when assessing whether there is valid consent from the individuals, including:
- Power balance: consent for personalised ads is unlikely to be freely given when people have little or no choice about whether to use a service or not, for example when accessing a public service, if the service provider has a position of market power, or if the individual is an existing customer and might find it hard to switch provider.
- Equivalence: the ad-funded service and the paid-for service should be basically the same.
- Appropriate fee: this shouldn’t be unreasonably high and the provider should be capable of providing objective justification of the appropriateness of the level.
- Privacy by design: choices should be presented fairly and equally, which means giving clear, understandable information about what the options mean for them and what each one involves.
The ICO also reminds organisations of the importance of properly informing individuals as to how their data will be used, that they have the right to withdraw their consent and that such consent must be as easy to withdraw (and without detriment) as to give.
Further afield
EU data protection authorities (DPAs) have also been looking at this issue for a while, with the need for consensus now more pressing than ever given Meta's decision to charge for ad-free Facebook and Instagram services in the EU. The EDPB should be producing guidance soon given requests by DPAs and lobby groups such as noyb with its recent letter. Interestingly, the ICO’s factors above largely mirror those recently proposed by the Austrian DPA (and that we discussed in a previous blog).
Next steps
The challenges around “pay or consent” models are numerous, and often go beyond the direct sphere of data privacy into consumer protection and wider societal questions, and thus involve more regulators than just the DPAs. Given the legal developments in this area impact a large number of sectors and organisations, it is crucial that the various relevant regulators in both the EU and the UK set out their respective positions soon. The ICO’s call for views (which closes on 17 April) is a good starting place, but, understandably at this stage, currently lacks detail, so it is hoped that guidance on these models follows swiftly.