After months of debate, the legal basis for the controversial “consent or pay” business model, also known as “pay or okay”, is increasingly under question.
Under the “consent or pay” model, online service providers offer service users a choice to access a service at no additional cost if they consent to their personal data being used for personalised advertising, or, if they decide not to consent, users pay a fee, or higher fee, to access the service.
The model came under scrutiny after being adopted by Meta, owners of Facebook and Instagram, in Europe in November 2023. Under Meta’s “pay or ok” policy, EU service users are asked to either provide consent to their personal data being used for personalised advertisements or subscribe to an ad-free service priced at €9.99 for web users and €12.99 for mobile users.
Meta’s move has caused uproar amongst privacy advocates in the region who argue that the concept is incompatible with data protection law and at odds with the GDPR principle of “freely given” consent based on “genuine ongoing choice”.
Other critics have highlighted the commercial repercussions, arguing that if the model goes unchallenged many other online services will follow suit – putting consumers at risk of hefty bills for consulting their favourite websites.
The initial opinion of the UK Information Commissioner’s Office (ICO) is that, in principle, “consent or pay” is not prohibited by data protection law. However, this opinion could change following a consultation to gather views and issue further guidance to businesses seeking more certainty.
Meanwhile, the European Data Protection Board (EDPB) has suggested, in an opinion published last month [17 April], that large online platforms will not be compliant if they offer users a “binary choice”, adding: “The offering of (only) a paid alternative to the service which includes processing for behavioural advertising purposes should not be the default way forward for controllers.”
For now, UK online businesses considering implementing “consent or pay” would be required to take a privacy by design approach which ensures valid consent is obtained from service users in accordance with the requirements of GDPR.
Key considerations should include whether an imbalance of power exists between the organisation and its service user. This may occur where the service provider occupies a dominant market position and consent may therefore not be freely given. It is important that organisations ask themselves whether the ad-funded service and paid service are essentially the same.
The level of fee charged should not be excessively high as a high fee is likely to remove a realistic choice for service users who can’t afford or are unwilling to pay an expensive “privacy tax”.
And finally, the requirement to provide service users with clear, understandable information about their choices remains, and is perhaps even more critical when presenting a new “consent or pay” policy to existing service users who rely heavily on particular services and are accustomed to the service provider’s current approach. Implementing the new policy could create a power imbalance that did not previously exist.
The UK organisations that are ad-funded and rely on online advertising will no doubt be eagerly awaiting the outcome of the ICO’s consultation and clarity as to whether there is a GDPR compliant route to “consent or pay”.
Morgan O’ Neill is Director of Data Protection Services at Thorntons Law