‘Pay or Consent’ and the Law: What Businesses Need to Know
The UK Information Commissioner’s Office (ICO) has published new guidance on ‘consent or pay’ models, a framework where users either consent to personalised advertising in exchange for free access to a service, pay a fee to avoid ads, or opt out entirely.
The key issue at stake is whether user consent in these models is truly “freely given” under the General Data Protection Regulation (GDPR). The ICO has outlined specific criteria to determine whether businesses implementing consent or pay models are compliant, emphasising that these models are not automatically non-compliant but must be carefully assessed.
What Is Consent or Pay?
‘Consent or pay’ is a business model that allows users to choose how they access online products and services, either by consenting to the use of their personal data for targeted advertising, paying a fee to opt out of such data use, or simply not using the service. While data protection laws do not outright ban this model, businesses must ensure that user consent is freely given, fully informed, and easy to withdraw without negative consequences.
The ICO’s Approach and Key Compliance Factors
The ICO’s guidance acknowledges that ‘consent or pay’ models can be legally viable, provided they meet specific conditions. The central concern is ensuring that users’ consent is given without coercion and that businesses do not exploit power imbalances.
One of the primary considerations is whether a power imbalance exists between the organisation and its users. If a company holds a dominant market position, such as Apple, users may feel they have no real alternative but to consent, making their choice less than voluntary. Similarly, if users are in vulnerable positions due to age, disability, or financial constraints, their ability to make a genuine choice is compromised. In such cases, businesses should consider offering additional options, such as a lower-cost alternative that relies on less invasive advertising methods.
The ICO also stresses that any fee imposed for ad-free access must be appropriate. It should reflect the value users place on protecting their personal data rather than being prohibitively high, which could pressure users into consenting against their true preference. While the ICO does not set a fixed price point, businesses must carefully justify their pricing models and ensure they do not indirectly force consent.
Furthermore, businesses must ensure that the core service remains equivalent for both paying users and those who consent to advertising. If those who choose to pay receive a diminished service compared to users who opt for personalised ads, this could undermine the validity of their consent.
Another crucial factor is transparency. Businesses must clearly communicate what each option entails so that users can make an informed decision. Misleading phrasing, such as “continue to read for free” without clarifying the implications for data usage, does not meet the ICO’s standards for informed consent.
How the ICO’s Approach Differs from the EU
The ICO’s stance is notably more flexible than that of the European Data Protection Board (EDPB), which has been more skeptical of ‘consent or pay’ models, particularly for large online platforms. The EDPB has taken a stricter approach, emphasising that users should have genuine alternatives that do not require payment or extensive data collection. In contrast, the ICO sees a pathway for compliance as long as businesses ensure a fair and transparent choice for users.
This divergence highlights how UK businesses operating across both jurisdictions must navigate differing regulatory expectations. While the ICO is open to well-designed ‘consent or pay’ models, organisations targeting EU users must take a more cautious approach to avoid potential enforcement action from European regulators.
What This Means for Businesses
Companies using or considering ‘consent or pay’ models should review their approach against the ICO’s criteria to ensure compliance. They should conduct detailed assessments to identify and address potential power imbalances and document these assessments to justify their approach under regulatory scrutiny. Ensuring strong transparency measures is essential, so users fully understand their choices. There should also be an easy mechanism for withdrawing consent in line with GDPR requirements. Privacy-by-design principles should be embedded from the outset, making data protection considerations integral to the service model rather than an afterthought.
Here are some other considerations:
1. User Experience & Trust: Businesses must ensure that the choice between consenting or paying does not feel like a forced trade-off. A well-designed, user-friendly consent process enhances trust and brand reputation.
2. Market Competition & Alternatives: If a service is essential (such as news, healthcare, or education), charging for privacy may not be fair. Businesses should assess whether users have reasonable alternative services that don’t rely on a consent or pay model.
3. Regulatory Divergence (UK vs EU): While the ICO has taken a flexible approach, European regulators, like the EDPB, are more skeptical. Businesses operating across jurisdictions need to ensure their model complies with different legal standards.
4. Impact on Revenue & Advertising Models: Companies must evaluate whether shifting toward a consent or pay framework will affect their ad revenue or subscription uptake. Understanding user behaviour and willingness to pay is crucial.
5. Technological Implementation: Businesses should ensure that their platforms can properly handle user consent choices, securely store preferences, and allow easy withdrawal of consent, all while maintaining compliance with data protection laws.
6. Fairness & Accessibility: If fees for opting out of ads are too high, the model could disproportionately impact lower-income users, raising ethical and compliance concerns. Businesses should assess whether pricing is fair and does not create an undue burden.
7. Long-Term Sustainability: User expectations around privacy are changing. Companies should build adaptable consent models that can withstand future legal and consumer-driven shifts.
With the ICO planning further measures to give users more control over their data, businesses should stay ahead of regulatory changes. Those that fail to align their models with data protection laws risk enforcement actions, reputational damage, and potential legal challenges.
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you. Get in contact with us today for more information.