The Information Commissioner’s Office (ICO) has published guidance to provide clarity for organisations using or considering using the “consent or pay” model.
What is the “consent or pay” model?
This is a model used by some organisations that gives users of websites or products a choice in relation to the processing of their personal data. They can:
- Consent to the use of their personal data and personalised advertising;
- Pay a fee to access the product without using their personal data for personalised advertising; or
- Decide not to use the product or service.
Article 4(11) of the UK GDPR confirms that consent is:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The ICO has made it clear that “consent or pay” models can be compliant with data protection laws. For them to be compliant, an organisation needs to carry out an assessment in relation to whether consent by users is freely given. This assessment should be based on four factors that are set out within the guidance. The organisation should document the outcome of their assessment as the burden is on them to establish that consent was freely given.
Four factors
Organisations should assess their current or proposed models, taking into account the four factors set out within the ICO guidance, which are:
- Power imbalance – Is there a power imbalance? It is unlikely that people can freely give their consent if they have no realistic choice about whether or not to use the service;
- Appropriate fee – What fee is the user required to pay? It is unlikely that consent can be freely given if a fee is inappropriately high, which makes it an unrealistic choice for many.
- Equivalence – is it the same service offered to users who consent to personalised advertising or pay to avoid it? Equivalent core services should be offered across the options; and
- Privacy by design – are the choices presented equally to people with clear information about what each choice means and what is involved? People cannot freely give consent if they are uninformed.
The ICO has confirmed that all four factors should be taken into account. No single factor can determine whether the model has met the requirements for valid consent. If an organisation has carried out the assessment and cannot demonstrate that consent has been freely given, they will need to reconsider their model accordingly.
Comment
The guidance makes it clear that it is not simply enough to give users an option to consent to the use of their personal data or to pay a fee. An organisation has an obligation to demonstrate that the consent is freely given in accordance with the UK GDPR.
How can we help?
Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.
If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us