‘Consent or Pay’ Models: ICO publishes guidance

The Information Commissioner’s Office (“ICO”) has published guidance for organisations implementing a ‘consent or pay’ online advertising model. It is part of the ICO’s wider work on online tracking (on which we commented here) and follows a call for views launched last year (which we reported on here).

As the Guidance explains, it governs those organisations employing a business model for funding online products and services which presents people with the following three options:

  • Consent to the organisation using their personal information for personalised advertising in order to access the product or service;
  • Pay a fee to access the product or service and avoid their personal information being used for personalised advertising; or
  • Leave or decide not to use the product or service.

The Guidance makes clear that these ‘consent or pay’ models can be compliant with data protection law only if organisations which employ them can demonstrate that people have freely given their consent and that they meet other requirements set out in the law.

Whether a person has freely given their consent is, therefore, of crucial importance. The Guidance proceeds to set out four factors that should be considered by the organisation when assessing whether consent has been freely given:

  1. Power Imbalance

The ICO explains that “where there is a clear power imbalance, people may not have a realistic choice about consenting to personalised advertising to access a product or service”.

For example, it points to people who may rely on the service and who face an unfair penalty if they can no longer access it, or some groups of people who are in a more vulnerable position which “could have great impact on their ability to refuse or withdraw consent without detriment”.  The Guidance also encourages organisations to give special consideration to the impact that the introduction of a ‘consent or pay’ model would have on existing users of the service, as opposed to those who may never have used it before, stating that organisations “should consider any evidence from your existing users indicating that they are likely to suffer detriment” if a ‘consent or pay’ model were introduced.

The Guidance also sets out that a power imbalance may arise from an organisation’s position in the market. It makes clear that the ICO is not a competition authority, but that it will liaise with the Competition and Markets Authority where necessary, and that organisations are expected to demonstrate and document that they have assessed whether their position in the market creates a power imbalance by considering the range of factors set out in relevant guidance from the CMA.

Finally, the ICO highlights the potential power imbalance associated with network effects and switching costs. If people have no meaningful alternative options for engaging with their network, or the cost of leaving a service means the loss of all of their records of interactions on a platform, that may constitute a power imbalance.

  2. Appropriate Fee

Whilst the ICO makes plain that it is not in the business of mandating pricing structures, it states that “the most appropriate measure of whether the level of fee can enable freely given consent is the value that people that use or could use your product or service associate with not sharing their personal information for the purposes of personalised advertising”.

As part of that assessment into what constitutes an appropriate fee, the Guidance recommends, for example, relying on existing evidence and research about the services’ user base, monitoring evidence of users’ privacy preferences, and considering whether certain groups might be priced out of the ‘pay’ option.

The Guidance also states that it may be more difficult to demonstrate that consent has been freely given if the fee combines (a) a fee for access to the service and (b) a fee for not sharing personal data for the purposes of personalised advertising. As the ICO explains, “paying a single price which combines these factors may mean that the fee is inappropriately high and can affect whether people can freely give their consent. People may feel they are “priced out” and have no other choice than to consent in order to access the service”. Therefore, if an organisation chooses to charge for the provision of its product or service, the Guidance states that it should do so outside of the alternative to consent. In other words, if the organisation relies on a subscription model and then chooses to introduce a ‘consent or pay’ model on top, whether a fee is appropriate will be gauged by assessing the difference between the subscription fee and the additional fee for the option to avoid personalised advertising.

  3. Equivalence

The Guidance sets out that if an organisation is offering a ‘consent or pay’ model, it should offer “broadly the same core product or service under either option” on the grounds the UK GDPR “is clear that people must not experience an unfair penalty for refusing to provide their consent”. For example, a ‘pay’ option that is a lower quality version of the core product, or a different version altogether, may amount to an unfair penalty.

The ICO explains that organisations should identify what their core product or service is, be able to justify this using objective evidence, and offer the core product or service in both the ‘consent’ and ‘pay’ options.

If organisations want to include additional benefits in the ‘consent’ option, they must ensure that any incentives offered to people to consent do not lead to those not consenting suffering an unfair penalty. As for additional benefits in the ‘pay’ option, they cannot be used “to set a higher, inappropriate fee for the subscription option for removing personalised advertising”.

  4. Privacy By Design

The Guidance states that ‘consent or pay’ models are likely to constitute high risk processing. Therefore, before implementation, an organisation must either review and update its existing Data Protection Impact Assessment covering the use of advertising technologies, or conduct a new one. The organisation should identify any risks from the ‘consent or pay’ model and how it will mitigate them.

Once the model is implemented, the Guidance sets out that the ‘consent or pay’ options must be presented in a way that “complies with data protection principles and privacy by design requirements set out in UK GDPR”, and provides helpful examples of what this might look like. The ICO also provides examples of the factors that organisations should consider when designing how their options are presented:

  • Present the choices clearly;
  • Don’t enable storage and access technologies too early;
  • Keep consent specific and granular;
  • Provide clear information;
  • Make sure it’s easy to refuse consent.

To read the Guidance in full, click here.