“Consent or pay” – treading the fine lines of data protection in targeted advertising
In today’s digital age, targeted advertising has become the fuel that powers much of the online economy. By analysing user data, such as browsing habits, location and personal preferences, companies can deliver highly tailored adverts that seem to know what users want before they do. For advertisers, it's a dream: better engagement, higher conversions, and more sales. For users, it can sometimes feel like a double-edged sword. Sure, the adverts are more relevant, but at what cost to their privacy?
What is targeted advertising?
Targeted advertising, as the name suggests, seeks to link data subjects to specific types of adverts. It focuses on the specific traits, interests, and preferences of a consumer, in the hope that it will lead to a greater rate of engagement on the product or service.
In the UK, targeted advertising practices have come under scrutiny from regulators, who are increasingly concerned with the lack of transparency and meaningful consent in data processing for advertising purposes. The Information Commissioner’s Office (ICO) has raised issues with organisations that fail to clearly inform users how their data is being used or to obtain valid consent, particularly when this involves personal data being shared across multiple platforms. In response to growing pressure, the digital advertising industry developed a few models aimed at addressing compliance issues, one of which is the “consent or pay” model.
“Consent or pay” model
The ‘consent or pay’ (or ‘pay or OK’) system offers users of online services a choice: pay a subscription fee to avoid personal data being used for advertising, or provide explicit consent for their data to be processed for targeted advertising. This approach attempts to balance regulatory demands for user consent.
The Consumer Protection Cooperation Network has criticised the ‘consent or pay’ model, arguing that it can be misleading and even exploitative:
- The “free” illusion: While some services claim that consenting to data use makes the service “free,” the reality is that users are paying with their personal data. Advertisers profit from this data to deliver personalised ads, so the service isn’t truly free; it’s just a different currency.
- High subscription fee: Some service providers charge such high fees for ad-free services that many consumers feel they do not have a real choice. This can “force” users into surrendering their data.
- Confusing data practices: Often, users must jump through multiple hoops, navigating layers of interfaces and small print links, just to find out how their personal data is being used, which demonstrates a lack of transparency.
- Pressured decisions: For example, Facebook (now known as “Meta”) decided to introduce a ‘consent or pay’ model, then pressurised its existing users to make an immediate choice by informing them that their access to the service would be suspended, without sufficient warning or time to consider the implications.
ICO Guidance
The ICO has a helpful guide on the rules relating to cookies and similar technologies (which include the ‘consent or pay’ model). The UK GDPR does not outright ban this practice, but the ICO warns that companies must adhere to strict standards when asking for consent.
According to UK GDPR (Article 4(11)), for consent to be valid, it must be:
- Freely given: Users must have a genuine choice, without facing penalties for refusing.
- Fully informed: Users should clearly understand how their data will be used and who will have access to it.
- Proactive: Users must opt in to consent.
- Revocable: Consent should be easily withdrawn without negative consequences. If consent is withdrawn, the personal data may no longer be processed as before.
Organisations thinking about using this model must ensure they do not breach the UK GDPR’s principles, as this may result in investigations by the ICO, and potential fines and enforcement action. The penalties can be severe: for serious breaches, the ICO has the power to issue fines of up to £17.5 million, or 4% of an organisation’s annual worldwide turnover, whichever is higher.
Key principles to keep in mind
The following principles are useful to keep in mind:
- Freely given consent: There must be no form of coercion when organisations ask individuals for their consent. Individuals should have a genuine choice.
- Consent withdrawal: The choice to withdraw consent at any point without facing negative consequences should be available.
- Data security and purpose limitation: Individuals who are faced with this decision should be assured that their personal data will only be used for the purposes they consent to. Data controllers should identify and document their purposes for processing the personal data (i.e. targeted advertising) and can only process the data for that purpose.
- Compliance with the UK GDPR generally: The laws in this area can change rapidly, and organisations should be aware that a data protection law that prohibits the ‘consent or pay’ model may come into effect in the future.
If your organisation is considering the ‘consent or pay’ model, you must proceed with caution. Ensure that your consent mechanisms are robust; consent must be truly voluntary, clearly informed, on an opt-in basis and easily withdrawn. Invest in transparent communication with your users, making sure they understand precisely what they are agreeing to and how their data will be used. It is also prudent to maintain detailed documentation of your compliance efforts. Above all, you must stay ahead of the evolving legal landscape; what is compliant today may not be tomorrow, so continuous monitoring and adaptability are key. A proactive approach now can save you from costly fines and reputational damage down the road.
For information on how we can assist you with complying with the UK GDPR, please contact a member of our Data Protection team or submit an enquiry form, below.
Piers Leigh-Pollitt
Piers advises a mixture of corporates and individuals on a wide range of HR/employment law matters and data protection issues (mainly from an HR perspective). Piers is also the firm’s internal compliance officer and handles all regulatory and internal compliance matters. He also heads up the firm's Data Privacy team and holds the Practitioner Certificate in Data Protection (GDPR).
- Partner & Compliance Officer for Legal Practice
- T: +44 (0)118 951 6761
Mike Hibberd
Mike is an employment and data privacy law expert advising both organisations and senior individuals on a wide range of human resources and related issues.
- Legal Director
- T: +44 (0)118 951 6765
The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.