ICO declares 'consent or pay' models are legal in the UK

The UK Information Commissioner’s Office is risking a major backlash from privacy groups after ruling that “consent or pay” subscription models, already under blasted by EU officials, are perfectly legal in the UK under new guidance.

The move, which follows a consultation last year, comes in the form of new guidance for organisations implementing or considering implementing models which give people a choice between agreeing to personalised ads to access a service or paying to access a service and avoid personalised ads.

Concerns over ad-free subscription services were first aired back in November 2023, when the Max Schrems-backed privacy organisation NOYB filed a complaint with the Austrian data protection authority after Meta pioneered the scheme in the EU for Facebook and Instagram users; other companies soon followed suit.

At the time, Schrems said: “Fundamental rights are usually available to everyone. There were times when [they] were reserved for the rich. It seems Meta wants to take us back more than 100 years. It’s neither smart nor legal – it’s just pitiful how Meta continues to ignore EU law.”

In April last year, the European Data Protection Board – the top governing body in the EU – ruled that the practice was in breach of GDPR legislation, warning tech firms that they must not transform “the fundamental right to data protection into a feature that individuals have to pay to enjoy”.

Meanwhile, in July, the European Commission ruled the scheme was also in breach of the Digital Markets Act.

EU internal market commissioner Thierry Breton said: “Our view is that Meta’s ‘consent or pay’ business model is in breach of the DMA. The DMA is there to give back to the users the power to decide how their data is used and ensure innovative companies can compete on equal footing with tech giants on data access.”

However, while Meta has not introduced the scheme to the UK yet, the ICO’s guidance clarifies how organisations can deploy “consent or pay” models to give users “meaningful control” while supporting their economic viability. It includes a set of factors for organisations to assess their models against to demonstrate people can freely give their consent.

The regulator said: “If you are implementing a consent or pay model, you must make sure that you are able to demonstrate people have freely given their consent for personalised advertising. This guidance sets out a framework of factors that are important to consider when assessing whether your consent or pay model meets the standard of consent. This reflects and builds on existing UK GDPR standards and ICO guidance.

“You must document an assessment of your model as part of your data protection impact assessment (DPIA). Your assessment should consider the data protection principles set out in the UK GDPR as well as the factors in this guidance and other relevant ICO guidance.”

The guidance has been issued as part of a wider ICO strategy on online tracking, which has seen the regulator reveal plans to bring the UK’s top 1,000 websites into compliance with data protection law.

It has already assessed the compliance of the top 200 UK websites and communicated concerns to 134 of those organisations, setting out clear regulatory expectations that organisations must comply with the law by giving people meaningful choice on how their personal information is used online.

ICO executive director of regulatory risk Stephen Almond said: “We’ll continue to hold organisations to account but we’re also here to make it easier for publishers to adopt compliant, privacy-friendly business models.

“By combining advice, guidance, and targeted enforcement, we aim to create an environment where businesses can succeed, and people can have trust and control over their online experiences.”