The ICO’s New Guidance on “Consent or Pay” Models

    A Shift Towards Data Subject Rights or Business Interests?

    The Information Commissioner’s Office (ICO) recently released guidance on “consent or pay” models, offering clarity for organisations navigating the balance between monetising online services and respecting data protection laws. This guidance aims to establish a framework that aligns with UK GDPR, ensuring that individuals have meaningful control over their personal data while businesses maintain the ability to innovate and generate revenue.

    However, it raises a fundamental question: does this guidance place the rights of the individual at the centre of data protection, or does it tilt in favour of enabling business interests?

    As a data protection professional with an LLM in Information Rights Law and Practice, I approach this topic from the perspective of the data subject. While the guidance makes strides in embedding transparency and user empowerment, there is room for debate about whether it sufficiently prioritises individual rights or inadvertently creates space for organisations to dilute the principle of freely given consent.

    The ICO’s Intent: Balancing Transparency and Choice

    The guidance on “consent or pay” models is undoubtedly a step towards addressing the complexities of online tracking and personalised advertising. It introduces critical factors to ensure compliance, including power imbalances, equivalence of services, appropriate fees, and the integration of privacy by design. Organisations must now demonstrate that users have a genuine, unpressured choice between consenting to personalised advertising or paying a reasonable fee to access a service without tracking.

    The ICO has made it clear that consent must be freely given, specific, informed, and unambiguous. These requirements align with the UK GDPR’s foundational principles of fairness and transparency. Furthermore, the emphasis on providing users with clear information and the ability to withdraw consent at any time reflects a strong commitment to upholding individual autonomy.

    Data Subject Rights: Are They Fully Protected?

    While the guidance outlines safeguards for data subjects, its practical implications may lead to subtle but significant erosions of individual rights. The first area of concern is the introduction of fees for non-personalised access. The principle that users should not face an unfair penalty for refusing consent is clear in both UK and EU GDPR. However, the guidance allows organisations to charge fees for avoiding personalised advertising, provided they are deemed “appropriate.”

    This raises questions about accessibility and equity. What happens when an organisation sets fees at a level that is technically “appropriate” but unaffordable for many users? Does this create an economic barrier that undermines the right to freely give or withhold consent? In practice, individuals who cannot pay the fee may feel coerced into consenting to data processing, even if the organisation provides alternatives such as contextual advertising. For vulnerable groups, such as those with limited financial means, this could exacerbate existing inequalities in digital access and privacy.

    The second concern relates to power imbalances. The ICO acknowledges that dominant organisations or those offering essential services may have an inherent power imbalance with users, making it harder to demonstrate freely given consent. While the guidance encourages organisations to mitigate these imbalances, it stops short of prohibiting “consent or pay” models in such scenarios. This leaves room for interpretation and potential exploitation, especially in industries where users have few or no alternatives.

    Business Interests: Empowered or Over-Prioritised?

    From a business perspective, the guidance provides much-needed clarity and flexibility. Organisations can monetise their services through innovative models, such as contextual advertising or subscription fees, while maintaining compliance with data protection laws. The ICO’s position appears to recognise the importance of sustaining the digital economy, particularly for sectors like media, which rely heavily on advertising revenue.

    However, this approach risks shifting the burden of privacy protection from organisations to individuals. Instead of challenging organisations to develop privacy-preserving technologies that minimise data collection, the guidance allows them to offer users a binary choice: consent to tracking or pay to opt out. While this might foster compliance on paper, it raises the question of whether it truly upholds the GDPR’s principle of data minimisation.

    In effect, the guidance could be seen as enabling a transactional approach to privacy, where users must “pay for privacy” rather than being afforded it as a fundamental right. This raises ethical concerns about whether data protection law is being diluted to accommodate business models rather than challenging those models to innovate in ways that respect privacy by default.

    Is the ICO’s Approach Data Subject-Centric or Business-Centric?

    The ICO’s guidance attempts to strike a balance between the rights of individuals and the interests of businesses. On the surface, its principles are firmly rooted in data subject rights: consent must be freely given, withdrawal must be easy, and alternatives to personalised advertising must be provided. However, the practical implementation of these principles may favour business interests, particularly when it comes to charging fees or managing power imbalances.

    The introduction of “consent or pay” models may inadvertently create a two-tiered privacy landscape, where those who can afford to pay enjoy greater data protection, while others are left with little choice but to consent. This approach risks undermining the universality of privacy as a right and could exacerbate inequalities in digital participation.

    While the ICO’s guidance reflects a pragmatic recognition of business realities, it raises broader questions about the direction of UK data protection law. Is it moving towards a model that truly centres the individual, or is it adapting to an economic context where privacy is increasingly commodified? The lack of explicit safeguards for vulnerable users and the reliance on businesses to self-regulate power imbalances suggest that there is more work to be done to fully protect the rights of all data subjects.

    A Path Forward: Strengthening Data Subject Protections

    To ensure that the rights of data subjects remain at the heart of data protection law, additional measures may be needed. These could include stricter limits on fees for non-personalised access, clearer prohibitions on the use of “consent or pay” models in scenarios where power imbalances exist, and stronger incentives for organisations to adopt privacy-preserving alternatives.

    The ICO has taken a step in the right direction by addressing the challenges of consent in the digital age. However, as professionals in the field of data protection, we must continue to advocate for policies and practices that prioritise the individual over the business. Privacy is not a privilege to be purchased but a right to be protected, and it is our collective responsibility to ensure this principle is upheld in the evolving regulatory landscape.
