On 23 January 2025, the Information Commissioner’s Office (ICO) issued important guidance on ‘Consent or Pay’ models for online tracking and personalised advertising. If you’re a publisher relying on advertising revenue, this guidance clarifies the key considerations for balancing user consent, fees, and compliance with the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR).
If your organisation relies on a Consent or Pay model, the ICO’s latest guidance provides essential clarifications. Are your consent mechanisms genuinely fair? What changes do you need to make to your consent model? And how do you ensure robust compliance? In this blog, we explain the ICO’s ‘Consent or Pay’ model and explore the guidance, highlighting the key considerations for publishers. We also share practical steps and real-world examples to help you implement these changes effectively.
A ‘consent or pay’ model is a business approach that gives people the option to either access a product or service by consenting to the use of their personal data for personalised advertising or pay a fee to access the product or service without the provider using their data for personalised advertising.
Privacy governance is critical for ensuring compliance with the GDPR, which applies to all EU and UK organisations that process the personal data of EU/UK individuals. Its extra-territorial scope also requires businesses worldwide to comply if they offer goods or services to individuals in the EU/UK or monitor their behaviour. Non-compliance can result in significant fines, reputational damage, and operational disruptions, making robust personal data management practices essential.
The ICO guidance explains that ‘Consent or Pay’ models can be compliant with data protection regulations, providing consent is freely given and other legal requirements are met.
The ICO sets out four key factors to help organisations assess if consent is given freely: power imbalance, appropriate fee, equivalence, and Privacy by Design. You must document your assessment and justify how your model complies with UK GDPR and PECR.
Before implementing a ‘Consent or Pay’ model, organisations must conduct a Data Protection Impact Assessment (DPIA) to evaluate potential privacy risks. A well-documented DPIA will help demonstrate your compliance and accountability with the UK GDPR.
To learn more about the importance of DPIAs and best practices, read our blog, What is a DPIA?
Ensuring there is no power imbalance is crucial, as consent must be freely given under the GDPR. If users feel they have no real choice due to financial constraints, lack of viable alternatives, or the essential nature of the service, their consent may be considered invalid.
Evaluate any potential power imbalances between your organisation and its users. Ensure that users are not unfairly penalised for refusing or withdrawing consent and provide viable alternatives.
If you identify a power imbalance, you could provide users with an additional alternative to ‘Consent or Pay’, such as contextual advertising.
Fees for opting out of data tracking should be fair and reasonable. If the cost is inappropriately high, users may feel they have no real choice but to agree to tracking.
To determine an appropriate fee, organisations should consider their size, position in the market, and the nature of their processing. Amongst other considerations, the ICO places additional weight ‘on the value that consumers associate with the avoidance of their personal data being used for the purposes of personalised advertising’.
Organisations should regularly review and adjust their fees to ensure they remain appropriate.
Users need to receive a fair and comparable service whether they choose the free, ad-funded service or the paid alternative. If the paid version is significantly better in ways that go beyond the removal of ads, users may feel coerced.
When designing a ‘Consent or Pay’ model, businesses must ensure that both options offer a consistent core experience. This means:
Privacy by Design is crucial in ‘Consent or Pay’ models as it prevents coercive practices that could undermine freely given consent. To ensure users can make informed decisions about whether to ‘consent’ or ‘pay’ without feeling pressured, you should:
The impact of the ICO’s guidance depends on whether your business generates revenue through ad-based monetisation or a subscription model.
If your business relies heavily on ad revenue, you must ensure users have a genuine choice.
If you operate a subscription model you need to assess whether offering an ad-supported, free version aligns with compliance requirements.
If your organisation is a dominant player in the market, users may have limited or no alternatives. Therefore, the ICO may scrutinise whether your model truly offers a free and fair choice or if it effectively forces users to consent due to a lack of options.
Let’s look at a couple of examples, illustrating the challenges faced by different types of businesses.
Online forums provide community-driven advice, from gaming tips to car repairs and parenting support. While usually free, operators can earn revenue by allowing third-party tracking. Forums for vulnerable users, such as those discussing health conditions, pose greater privacy risks.
Consider a ‘Consent or Pay’ model, allowing users the choice to access the forum for free with tracking or ad-free for a cost. The ad-free cost must be reasonable to avoid coercion, and users must receive clear, transparent details on tracking. For forums catering to vulnerable users, you will need to clearly assess the risks of ‘Consent or Pay’ to the user and ensure you have controls in place to prevent them.
Online streaming services can generate income by tracking user interactions to identify popular videos, podcasts, and programmes and building profiles to sell to advertisers for targeted marketing.
Consider implementing the following ‘Consent or Pay’ model, providing it meets the requirements above:
Businesses operating in the EU need to consider how the ICO’s guidance differs from that of the European Data Protection Board (EDPB). Whilst their full guidance on the topic has not yet been published, their opinion on use by Large Online Platforms stated that ‘Consent or Pay’ models do not generally meet the requirement of valid consent.
Organisations operating in both the UK and EU might need to consider the implications of adopting a ‘Consent or Pay’ model in each jurisdiction.
Adopting a ‘Consent or Pay’ model requires careful planning and execution. By assessing power imbalances, setting appropriate fees, ensuring service equivalence, and integrating privacy by design, publishers can create a user-friendly experience that aligns with regulatory requirements for freely given consent.
The ICO’s guidance on ‘Consent or Pay’ models provides a framework for publishers balancing user consent with monetary fees through personalised advertising. By understanding and implementing the key considerations outlined by the ICO, publishers can evidence they remain compliant with UK GDPR and PECR while respecting user privacy.
If your business would benefit from support with UK GDPR compliance, please contact us today.