In a recent decision, the European Commission fined Meta £171 million for implementing the 'Consent or Pay' model on its popular social media platforms, Facebook and Instagram. In the decision, the Commission determined that this model is incompatible with the provisions of the Digital Markets Act, which governs the conduct of the digital sector in the European Union.
This decision by the European Commission comes amid broader regulatory scrutiny of the 'Consent or Pay' model across Europe following the release of guidance for UK businesses by the Information Commissioner’s Office (ICO) just one month earlier.
In this article, we explain what the ‘Consent or Pay’ model entails, examine why the ICO’s guidance is particularly significant for businesses and investors, and summarise the ICO’s guidance to help those interested in this approach ensure compliance with the UK’s data protection regime.
Under the UK’s data protection regime, businesses must rely on at least one of the following legal bases in order to process (collect, use, or store) data:
The “Consent or Pay” model is built on the first legal basis of consent by offering consumers the following options to access a business’s product or service:
The ICO, which in recent months has observed a growing use of the model across the country, notes that businesses are increasingly capitalising on their expanding customer base - comprising both paying users and those whose access is funded through the use of their personal data for personalised advertising. For example, The Guardian has already adopted a form of the ‘Consent or Pay’ approach, offering users the option to subscribe for a fee or to consent to personalised advertising to access its content.
While the ICO acknowledges that this model can be compliant with the UK data protection regime, it emphasises that consent must be freely given. In contrast to more typical data processing by business, under the model it is more difficult to rely on multiple legal bases such as performance of a contract or legitimate interests, since the data processing is often for the benefit of third-party advertisers rather than for the direct provision of the business’ product or service. The model therefore hinges on the ability of a business to demonstrate that all customers accessing their product or services for free have given such consent. Crucially, this means the payment alternative must represent a genuine and accessible choice for most users - something that can be challenging to prove in practice. The ICO has therefore produced four key factors to help businesses using the model ensure they are obtaining such consent.
According to Meta, personalised advertising on its platforms generates over £19.5 billion in annual revenue for UK businesses, underscoring its value as a powerful and profitable tool for both companies and investors. Given the risk of not obtaining truly freely given consent, investors and businesses should therefore make sure they are up to speed with the ICO guidance before committing significant time or financial resources to implementing such a model.
The ICO guidance sets out, that where there is an imbalance of power between a business and their customers the business is unlikely to be able to operate a “Consent or Pay” model.
An imbalance in power refers to the relationship between the business and their consumers. If the nature of the relationship is that the business has more power than the customer, then it is unlikely the business will be able to demonstrate that their customers are freely giving consent to their data being used for personalised advertising.
To determine whether there is an imbalance in favour of the business the ICO recommends that the business considers the following factors:
Examples of imbalances may include instances where the product or service is essential to the customer or where there is no alternative provider of such product or service. In both cases the customer may feel obligated to consent to processing in order to access the product or service meaning consent cannot be concluded to have been freely given.
Where it is clear that the power lies in favour of the business then the business should take steps to address the imbalance, such as by providing an alternative method of access to their product or service – i.e. an option that does not involve consent or payment.
An inappropriately high fee for a product or service may make customers feel that they have no choice but to consent to personalised advertising.
The ICO guidance defines “appropriate fee” as the value that consumers associate with not sharing their personal data for the purposes of personalised advertising. To determine such value the ICO suggests businesses should consider a number of factors including but not limited to:
The ICO cautions that particular care should be taken by businesses with a power imbalance as customers may feel further obligation to consent if they have a high dependence on the business or if there is no viable alternative business to go to.
According to the ICO guidance, the paid and personalised advertisement supported version of the product or services offered under the “Consent or Pay” model must broadly be equivalent. This means that the product or service does not need to be identical, but the core product or service should be the same.
Differences between the paid and personalised advertisement versions that may lead to consumers feeling forced to consent include:
To demonstrate equivalence the ICO recommends that businesses should identify what the core product or service is and be able to explain this by using objective evidence such as by how the product or service is referred to in the businesses terms of service and how it is marketed externally.
For all businesses that carry out data processing activities, the UK’s data protection regime requires them to consider data protection in every aspect of the company’s data processing activities – this is the principle of privacy by design.
To ensure consent is valid, customers must be fully informed about their choices and the impact those choices have on the processing of their personal data and their data protection rights. This includes providing clear, understandable, and neutral information about the available options, explaining how each choice will affect the use of their data, and showing users how to exercise their rights under the regime.
To demonstrate compliance, businesses must present this information in a way that is appropriate for their target audience, avoiding any pressure or urgency to consent. Consent obtained for personalised advertising must be separate from other forms of consent, and it should be made clear that users have the right to withdraw consent at any time. Additionally, businesses must update their existing Data Protection Impact Assessments (DPIAs) to reflect the risks of the “Consent or Pay” model and the steps taken by them to mitigate them.
It is also important to note that data processing may still occur under the option which requires payment. For example, when collecting personal information to set up user accounts or working with third-party payment providers. These activities should also be considered as part of the business’ overall DPIA to ensure full compliance with data protection obligations.
The “Consent or Pay” model can be compliant with UK data protection law, but only if consent is freely given. UK businesses must carefully consider power imbalances, fee structures, service equivalence, and embed privacy by design to ensure such consent when providing product or service in the UK.
Given the legal and reputational risks of not complying with the UK’s data protection regime, businesses and investors should ensure any “Consent or Pay” model aligns with the ICO guidance before committing significant time or resources.
Importantly, organisations intending to offer similar products or services within the European Union should also note that this model is not permitted under the EU’s Digital Markets Act, as confirmed by recent enforcement action taken by the European Commission.
For further insight on data protection law, please contact Samantha McManus at Samantha.McManus@ilaw.co.uk or call +44 (0)203 987 0222.
