‘Consent or pay’
Picture this: you land on a website, faced with a decision. Click a button, agreeing to your data being used for personal advertising, and enjoy free access to the website’s content, or take the alternative route, and cough up some cash for use of the service. It’s no surprise that most of us opt for the convenient click, eager to get to the good stuff without reaching for our wallets. Of course, a lot of us may not pause to consider all of the consequences of the click. On a ‘consent or pay’ website, by this process, we have effectively consented to our personal data being processed. Whether the consent we provide is ‘valid’ is debatable; however, data protection laws do not technically prohibit the ‘consent or pay’ scheme.
The Information Commissioner’s Office (ICO), which is a public body that reports directly to the UK Parliament and upholds information and data protection rights in the UK, recently published its preliminary guidance for organisations considering using ‘consent or pay’ website access. The ICO has opened a call for views, which is a chance for the ICO to determine the popularity of its guidance and organisations’ openness to receiving it. The call for views will close on 17 April 2024.
However, the ICO has stated that any organisation considering a ‘consent or pay’ model must ensure that the consent to processing of personal data for personalised advertising is being given freely, and is fully informed. This is because the UK GDPR requires consent to be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by a statement or a clear affirmative action signifies agreement”.
Considerations for the ‘consent or pay’ scheme
Organisations which operate this scheme must be careful not to breach the UK GDPR’s principles, as this could result in hefty fines being issued by the ICO. Generally, the following principles should be kept in mind:
- Transparency – individuals should be fully informed about the implications of consenting to their personal data being processed for advertising. Transparency is key to building trust.
- Consent must be freely given – organisations must guarantee that consent is given without any form of coercion. Individuals should feel that they have a genuine choice without facing undue pressure.
- Withdrawal of consent – individuals should have the choice to easily withdraw their consent at any point without facing negative consequences. This aligns with the principles of the UK GDPR.
- Regular audits and reviews – organisations should periodically review the effectiveness and ethical implications of the ‘consent or pay’ model and take into account user feedback.
- Legal compliance – organisations must keep an eye out for changes to data protection law which may forbid the ‘consent or pay’ tactic.
- Purpose limitation – data controllers must identify and document their purposes for processing personal data and must not process it in a way that is incompatible with these purposes.
- Data security – individuals should be assured that their personal data will only be used in the way they consent for it to be used.
- Data minimisation – organisations should process personal data only when necessary.
What’s happening with Meta?
Consumer groups from eight EU countries lodged complaints against Meta, the powerhouse behind Facebook and Instagram. Meta recently made changes to these platforms and has been requiring users to either consent to their personal data being processed for advertising purposes (which would result in being shown personalised ads) or to pay. The European consumer organisation, Bureau Européen des Unions de Consommateurs (BEUC), which is a membership and coordinating body for the consumer groups, filed a complaint about Meta with the network of consumer protection authorities, on the basis that Meta has breached consumer law as a result of its use of ‘consent or pay’.
BEUC’s complaint states that Meta is engaging in unfair commercial practices by providing misleading information to its users, preventing them from making an informed choice. One of the reasons behind this is that when Meta processes individuals’ personal data, it is gaining valuable information. According to BEUC, Meta’s free services are not really free – people are paying with their personal data. The complaint takes a swing at Meta, accusing it of violating GDPR principles like purpose limitation, data minimisation, fair processing and transparency. The UK GDPR is essentially the same law as the European GDPR, as it was drafted from the EU GDPR text and revised to refer to the UK.
The outcome of the complaints against Meta is yet to unfold but brace yourself – GDPR penalties could reach up to 4% of the breaching organisation’s global annual turnover, which for Meta will certainly be a sizeable sum. The suspense is real, and the stakes are high as we await the resolution of these complaints.
Stay tuned, it’s about to get interesting.