The ICO has submitted a call for views on so-called “consent or pay” or “pay or okay” business models seeking responses to help develop its final regulatory position. By way of brief overview, some businesses are considering giving users a choice between accessing online services without payment if they consent to their personal information being used for personalised advertising or, if they refuse this consent, having to pay to access that service. The ICO’s call for views is (many will hope) the first step to the ICO formally accepting that such models can comply with the UK GDPR and follows similar dialogue taking place at an EU level into these business models. Submissions may be made until 17 April 2024.
As it is a call for views, the ICO is not yet revealing much detail on its own views and notes that “we continue to develop our position in this area” but for now it points to four factors for organisations to consider when assessing whether consent gathered under a pay or okay model is valid:
- Power balance – i.e. dominant players are more likely to struggle to demonstrate that there is valid consent for ad-funded options;
- Equivalence of the free and paid for services – businesses need to ensure they offer the same service for both free and paid options (for example premium content should not be offered on a free page as a way of enticing users to consent to ad-funded free content);
- Appropriate fee – fees charged for subscription alternatives should not be unreasonably high; and
- Privacy by design – ensuring choices are presented fairly and equally i.e. giving clear, understandable information about what the options mean for users
The ICO also gives some high-level thoughts on transparency and ensuring that the right to withdraw consent is respected i.e. being upfront and honest with people about what happens to their personal information and ensure users can withdraw their consent without detriment.
Finally, the ICO has indicated that updated cookie guidance is on the horizon after the DPDI Bill has received Royal Assent. That guidance is expected to provide clarity around the need to obtain consent for the use of cookies for activities that are "intrinsically linked" on a "technical level" to targeted advertising (such as, for example, ad measurement and fraud detection).
As always, watch this space for the final view of the ICO (and EU supervisory authorities), although no doubt that will not be the end of the story as there will be inevitable challenges to any level of acceptance of pay or okay models.