Clusters of black smudges on a beige background.
Philipp Schmitt / Better Images of AI / Data flock (digits) / CC-BY 4.0

We have submitted evidence to the Information Commissioners’ Office (ICO) on ‘Consent or Pay’ models


‘Consent or Pay’ models invite a user of an online service or platform to either:
– access that service for free if they consent to their personal data being used for personalised advertising, or
– pay a fee for the service, without consenting to their personal data being used.

In recent months there has been significant debate in different European countries about the legality of this model.

In the EU, GDPR law allows personal data to be collected in several specific scenarios. One of those scenarios is if the user has consented to their data being used.

The question is whether a ‘Consent or Pay’ model sufficiently meets that definition of ‘consent’ for data use. The European Data Protection Board (EDPB), the body that oversees the application of data protection law across European jurisdictions, has recently said that it does not.

Our submission

The ICO called for evidence on ‘Consent or Pay’ in the UK. 

Our submission, prepared by Dr Ann Kristin Glenster, argues: 

‘Consent or Pay’ models should be banned:

– Protection of personal data is enshrined in the EU Charter of Fundamental Rights. We agree with the EDPB that ‘consent or pay’ models are unsuitable because they commodify personal data.

Behavioural Advertising is intrusive and should be banned:

– Data collected in ‘consent or pay’ models is used for targeted behavioural advertising. We agree with the EDPB that behavioural advertising is a particularly ‘intrusive form of advertising’. We argue it should be banned.

The ICO should align its guidelines on ‘Consent or Pay’ with the EDPB:

– UK-EU data sharing is reliant on an assessment of the ‘adequacy’ of the UK’s data protection regulations by the European Commission. Now that the EDPB has issued guidelines against ‘consent or pay’, this approach is likely to be adopted across Europe. Diverging from this approach in the UK would risk our ‘adequacy’ status, the loss of which would have a profound impact on UK organisations and businesses, as they would no longer be able to send or receive personal data to and from the EU.