New ICO guidance for “consent or pay” online ads

The question

What is the view of the UK Information Commissioner’s Office (ICO) on whether “consent or pay” online advertising models are compliant with UK data protection law?

The key takeaway

The ICO has published guidance for organisations operating or considering “consent or pay” online advertising models. The ICO believes these models can be compliant with UK data protection law if organisations can demonstrate that users have freely given their consent to receiving personalised advertising, as well as complying with other UK data protection law requirements.

The background

“Consent or pay” is a type of online advertising model which gives users a choice to either:

• consent to personalised advertising
• pay to avoid personalised advertising, or
• decide not to use the online product or service.

A key concern is whether and how users can freely give their consent in the context of a “consent or pay” model, given that the alternative presented to consent involves paying a fee. As a result, the emergence of these models has attracted scrutiny from data protection regulators across Europe. This includes the ICO, whose latest guidance was published in January 2025 and follows its call for views in March 2024 (which we reported on in our Summer 2024 edition of Snapshots). The publication of this guidance forms part of the ICO’s broader strategy for 2025, which also includes plans to tackle cookie compliance across the UK’s top 1,000 websites.

The development

The ICO’s guidance sets out the following four factors that organisations operating “consent or pay” models must consider when assessing whether consent to direct marketing has been freely given when the model is used:

1. Any power imbalance in the relationship between the organisation and the individual whose data is being processed. This could arise from a variety of factors including the vulnerability of users, the organisation’s position in the market, network effects and switching costs. Where there is a clear power imbalance, individuals may not have a realistic choice about consenting to personalised advertising. This could potentially mean that consent is not freely given for the purposes of UK data protection law.
   
   
2. Offering a “pay” option as an alternative to consent does not automatically invalidate consent, however the fee must be set at an appropriate level where users genuinely have a choice between consenting to personalised advertising or paying to avoid it. If the fee is too high, users may feel compelled to consent, making the model non-compliant with UK data protection law as consent is not freely given in practice. The ICO’s guidance suggests that the fee should be set with reference to the organisation’s size, market position and the nature of the processing.
   
   
3. The ICO’s view is that organisations using “consent or pay” models should offer broadly the same core product or service under either the “consent” option or the “pay” option. This is because failing to provide an equivalent service may lead to users being unfairly penalised, which is prohibited under UK data protection law in the context of refusing to provide consent to the processing of personal data. Organisations can offer additional features in either the “consent” or “pay” options, provided that the core product or service is equivalent, and the additional features do not change the nature of that core product or service.
   
   
4. Organisations must build data protection measures and safeguards into “consent or pay” models at the design stage, known as privacy by design, as processing by these models is likely to be higher risk processing. The first step is completing a DPIA or updating any relevant existing DPIAs, identifying risks and how these are to be mitigated. The need for privacy by design also extends to how the options are presented to users. Namely, choices must be presented clearly to enable users to make an informed decision, the consent requested must be specific and granular, and it must be as easy for users to refuse consent as it is for them to give consent.

Why is this important?

Significantly, the ICO’s guidance does not invalidate “consent or pay” models, but it does restrict their use should they not provide users with the ability to freely give their consent to personalised advertising. Organisations may therefore need to assess whether such models are suitable for their online business and whether the revenue benefits of personalised advertising outweigh the cost and feasibility of compliance.

Any practical tips?

Organisations considering adopting a “consent or pay” model should consider the ICO’s guidance carefully to avoid breaching UK data protection law. In particular, they must consider whether the model gives rise to consent from users that is freely given, taking into account the four key factors set out in the guidance. No single factor is decisive, so regular reviews and updates of the organisation’s assessment are essential.

If a power imbalance exists, offering alternatives like contextual advertising can help ensure meaningful choice for users. Fees must be fair, and both “consent” and “pay” options should provide an equivalent service to maintain genuine choice. Embedding privacy by design strengthens compliance, and all assessments should be documented within a DPIA.

Spring 2025