“Consent or pay”: ICO publishes new guidance

The Information Commissioner’s Office (ICO) has published new guidance about “consent or pay” website access and is inviting views from businesses about it.

Under the UK General Data Protection Regulation 2018 (UK GDPR) a business must have at least one lawful basis (or ground) for processing personal data. One of the grounds which may be relied on is that the individual data subject has given their consent. The UK GDPR requires a higher standard than previously when relying on data subject consent and Article 4(11) defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by a statement or a clear affirmative action signifies agreement”.

The ICO has published new guidance for businesses, particularly those with ad-funded online business models, on how to use “consent or pay” mechanisms to give website access to users in a way which is compliant with the UK GDPR’s consent requirements. The ICO has at the same time asked for a “call for views” on this guidance, which ends on 17 April 2024.

What is “consent or pay” website access?

Some businesses have started giving website users a choice between:

  • Accessing online services for free provided they “consent” to website cookies which collect their personal data so that this data may be used for personalised advertising.
  • Paying to access the online services instead, if they do not want to give consent to personalised advertising.

The ICO’s main message in the guidance is that “consent or pay” website access should be in line with the UK GDPR’s Article 4(11), and that consent for the processing of personal data for personalised advertising should be freely given, fully informed, and capable of being withdrawn without detriment. The ICO says that there are “many lawful ways to use online advertising when websites give people a fair choice over how their personal information is used” but they disapprove of websites that do not offer people a fair choice and so will be continuing their “crackdown” on non-compliant websites.

The ICO has said that they are publishing this guidance to give businesses regulatory certainty over this topic. The ICO is urging businesses to consider a range of factors, such as the power balance between them and the user, the appropriate fee, the presentation and clarity of the information, and the potential equivalence of a ‘premium’ ad-free service.

The power balance between the parties may be a key aspect of the ICO’s consideration of “consent or pay” mechanisms, especially when a user has little choice about whether they need the service or not. The service provider’s market power will be a crucial element to consider. Hopefully the “call for views” will shed more light on this point.

What do businesses already have to do to make sure their website complies with data protection laws?

Businesses need to publish a privacy policy on their website. This tells individuals what they can expect the business might do with their personal data when they contact the business or use its services. In order to publish an effective privacy policy, a business will need to undertake “behind the scenes” privacy compliance work which should be recorded and communicated internally within the business through its data protection policies and procedures. The website privacy policy is likely to be the key means by which it communicates about its policies and procedures to the outside world.

The business will most likely also have a cookies policy, often in a separate document which is also published on the website. This explains to website visitors what cookies are used on the website, what personal data they collect, what the business does with the data and how long the data will be kept.

The “behind the scenes” work which the business should undertake is likely to include the following:

  • Carrying out periodic data audits/reviews to check what data is being collected and processed, and the lawful basis/grounds on which the data is processed.
  • Periodically reviewing whether the business adheres to data minimisation principles (i.e. ensuring that it collects and processes the minimum amount of data necessary for its identified purposes).
  • Making sure it holds complete, accurate and up to date records of its data processing activities.
  • Ensuring that the data it holds is safe and secure.
  • Having in place robust internal procedures (including how to handle data breaches and dealing with data subjects wishing to exercise their rights).
  • Understanding how the rules on international transfers of data apply to its business and making sure that it takes all necessary actions to comply with those rules.
  • Understanding what cookies are used on its website (particularly if the website has been developed and is maintained by a third party) and providing easy-to-understand information about the cookies, and how long they last, in a suitable cookies policy which is published on its website.

Next steps for businesses

What adjustments may need to be made will depend on the particular circumstances of your situation, but given that the ICO has flagged this issue and its plans to continue cracking down on businesses who make access to their website conditional on users “consenting” to the processing of their personal data, this should act as a wake-up call. Under the UK GDPR not only do businesses need to comply with the law but there is also a requirement of accountability – businesses also need to be able to demonstrate their compliance. Being unaware of the ICO’s guidance – or ignoring it – will be no defence in the event of an issue arising and the ICO investigating and taking enforcement action.

If you have any questions arising from this article, or about data protection compliance more generally, please contact FSP’s commercial & technology team.