“Consent or pay” models under scrutiny in UK and EU

The question

Are “consent or pay” business models compliant with data protection law?

The key takeaway

The European Data Protection Board (EDPB) has issued an opinion stating that, in most cases, it will not be possible for “large online platforms” to comply with the requirements for valid consent under the EU GDPR if they confront users only with a binary choice between consenting to the processing of personal data for personalised advertising and paying a fee.

In the UK, the Information Commissioner (ICO) has initiated a (now closed) consultation on “consent or pay” business models, the responses to which will contribute to the ICO’s upcoming guidance on cookies and similar technologies. In an initial view accompanying the consultation, the ICO indicated that access mechanisms are not likely to comply with expectations in data protection law for consent to be “freely given” where they do not provide people with a free choice about whether to receive personalised ads.

The background

“Consent or pay” refers to the choice given to users by some service providers so they can either access online services without payment if they consent to their personal data being used for personalised advertising or pay to access those services without personalised advertising. This model has been the subject of increasing debate globally.

On 17 April 2024, the EDPB released an opinion in response to requests from the Dutch, Norwegian and German Supervisory Authorities addressing the circumstances under which “large online platforms” can implement consent or pay models in a manner that constitutes valid, freely given consent under the EU GDPR. The EU GDPR does not define “large online platforms” but the EDPB suggests this could be understood as including “very large online platforms” as defined under the EU Digital Services Act and “gatekeepers” as defined under the EU Digital Markets Act.

Separately, on 6 March 2024 the ICO called for views on the use of “consent or pay” business models more broadly. This consultation closed on 17 April 2024.

The EDPB’s view

The key points from the EDPB’s opinion were that:

• consent or pay models will only be valid if providers can demonstrate that consent from the user is informed, unambiguous, specific and freely given
• the CJEU confirmed in the Bundeskartellamt judgment that users who refuse to consent to particular processing operations should be offered, “if necessary for an appropriate fee, an equivalent alternative not accompanied by such processing operations”
• however, personal data should not be treated as a tradeable commodity, and only offering a paid alternative to a service which includes processing for behavioural advertising purposes should not be the default for large online platforms. Large online platforms should instead assess, on a case-by-case basis, both whether a fee is appropriate at all and what amount is appropriate in the given circumstances, considering possible alternatives to personalised advertising that entail the processing of less personal data as well as the balance of power between data subjects and the provider
• consent will not be freely given if data subjects cannot refuse or withdraw consent without detriment, and detriment may arise where (i) non-consenting data subjects who do not pay the fee face exclusion from the service, and (ii) the fee imposed effectively inhibits data subjects from making a free choice
• large online platforms should therefore consider providing data subjects with an “equivalent alternative” that does not entail the payment of a fee eg with a form of advertising involving the processing of less (or no) personal data. In most cases, whether a further alternative without behavioural advertising is offered by the large online platform, free of charge, will have a substantial impact on the assessment of the validity of consent, in particular with regard to the detriment aspect
• In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent under the EU GDPR if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee.

The ICO’s view

The ICO’s position on consent or pay business models will become clearer once its upcoming guidance on cookies and similar technologies is published, however the ICO’s initial view suggests that it will take a similar approach to the EDPB. Some key takeaways from the ICO’s initial view are:

• in principle, data protection law does not prohibit “consent or pay” models. However, any organisation considering such a model must be careful to ensure that consent to the processing of personal information for personalised advertising has been freely given, is fully informed and is capable of being withdrawn without detriment
• the ICO recommends that businesses consider several factors when assessing if their consent or pay model constitutes valid consent under the UK GDPR, namely, the power balance between the business and users, the equivalence between the paid-for and free services, whether the fee is appropriate, and whether the choice to users is presented fairly and equally.

Why is this important?

Personalised advertising is lucrative, much more so than non-personalised advertising. Digital businesses that deploy a consent or pay model have typically done so in order to recoup revenue lost by users refusing to consent to personalised advertising. Although the EDPB and ICO do not prohibit the use of consent or pay models entirely, both regulators view consent obtained in this way as a lawful means of processing personal data in only a limited number of tightly defined scenarios, and not an approach that should be widely adopted as default. As a result, we may see companies that have typically generated revenue from personalised advertising, or consent or pay, needing to find new ways of funding their services.

Any practical tips?

Large online platform providers that operate consent or pay models in the EU, need to consider whether their existing practices are likely to give rise to consent from users that is informed, unambiguous, specific and freely given. If not, they should consider whether any changes can be made to their existing practices (eg offering a free “equivalent alternative”) or whether the model is appropriate at all. The EDPB has also indicated that it plans to issue connected guidance on the use of consent or pay models by all providers operating in the EU (ie not just large online platforms), and so other providers that operate consent or pay models in the EU need to be equally mindful that changes are on the horizon.

Similarly, all providers operating consent or pay models in the UK should look out for the ICO’s forthcoming guidance on cookies and similar technologies. In light of the ICO’s initial view, they might also consider whether the consent they are getting is likely to be considered informed, freely given and capable of being withdrawn without detriment.

Summer 2024