“Consent or Pay”: The Price of Privacy
Learn more about the contentious “consent or pay” method used by online platforms, the reasons why it is so controversial, and what the regulators are saying about it.
Introduction
The “Consent or Pay” method, employed by large online platform companies such as Meta to increase the rate at which users consent to data processing for behavioural advertising under the General Data Protection Regulation (GDPR), was met with much deliberation and critique when its use became increasingly obvious not only to the average internet user but also to EU regulators and data privacy professionals alike.
The consent or pay tactic presents the user with a tracking consent notice which allows for a choice between either:
- the user consents to the data processing, or
- the user is required to pay to use the service - which would otherwise have been free to use if data processing was consented to.
As the GDPR is heavily focused on the idea of consent being an organic, freely given and unambiguous wish to have one’s data processed in a lawful manner, you can see the issues this tactic would raise.
Consent: the new currency?
The ‘consent or pay’ model essentially offers a choice between paying with your data or paying with your money.
Meta became the most notable company to use this tactic and were immediately met with questions as to how they could justify such an arrangement, and more importantly, how they could do so lawfully.
When the GDPR came into effect in 2018, Meta had relied on the lawful basis of contract to process its users’ data – claiming that its terms constitute a contract under which the user consented to the processing of their personal data.
This was challenged by Privacy’s darling, Max Schrems, a notable Privacy and Data Protection activist of sorts, and a figure Meta would likely have dreaded to have on their horizon while employing what was already a questionable paying model.
Schrems argued that contractual necessity was not a valid basis for processing when it related to personalised advertising. Meta then changed their lawful basis to consent, but in a way where users who consented to personalised ads could use their service for free, meaning those who did not consent were required to pay a monthly subscription fee to continue to use the service.
As the saying goes – if you aren’t paying for the product, you are the product.
It raises the question as to whether all content should be put behind a paywall as a subscription model. The divide that the pay or okay model causes shows a clear imbalance between paying users and those who use the service freely.
The pay or consent notion attacks what is the cornerstone of consent – being that not only does consent have to be freely given, it should also go without saying that free means free, and not at a premium.
Consent is defined in the GDPR as “a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her”.
It can be seen from this definition that introducing a mechanism where one must pay their hard-earned money attacks the essence of consent, in that it becomes questionable just how freely such consent can be given, if provided in such a transactional scenario.
What do the Regulators say?
Although data protection law does not outright prohibit the pay or okay model, the regulators say that organisations must first and foremost focus on people’s rights and freedoms in making free and informed choices. This issue gave regulators an opportunity to set a standard in rejecting this tactic, as anything else would likely see a rise in this model being enforced with other large online platforms in the future.
EDPB
The EDPB released a non-binding opinion regarding the pay or ok model used by online platforms such as Meta for behavioural advertising. They concluded that ultimately this kind of arrangement does not generally meet the requirements of valid consent under GDPR, and that the fundamental right to data protection should not come at a price, as personal data is “not a tradeable commodity”.
They addressed the issue of an imbalance between those who paid and those who did not; namely, that consent cannot be considered freely given if the user suffers any kind of detriment by providing or withdrawing consent, reiterating the GDPR’s emphasis on consent being a free and affirmative wish to have one’s personal data processed.
The EDPB has stated that each platform and each circumstance is different, and they must be judged accordingly, on a case-by-case basis. They addressed the need for an equivalent alternative to the consent or pay model, and that such an alternative should not require users to consent to the processing of personal data for behavioural advertising.
We are still awaiting an EDPB Official Guidelines publication on this area, which will surely serve as a new milestone in an area of data protection law that is currently still being deliberated.
ICO
Closer to home, the ICO has differed somewhat in their interpretation of this model.
The ICO opined that strictly speaking, data protection law does not prohibit consent or pay models in principle, but organisations must ensure that consent is freely given, fully informed, and can be withdrawn without detriment. The ICO is currently seeking views on consent or pay models and plans to update its guidance on cookies and similar technologies.
The ICO have gone further and raised the questions of:
- An appropriate fee, stating – ‘consent for personalised ads is unlikely to be freely given when the alternative is an unreasonably high fee. Fees should be set to provide people with a realistic choice between the options’.
- The equivalence of the ad-funded and paid for services. They suggest that either service should not come at a detriment to the user, regardless of whether they paid or not.
- The power imbalance – ‘consent for personalised ads is unlikely to be freely given when people have little or no choice about whether to use a service or not, which could be the case when they are accessing a public service, or the service provider has a position of market power’.
- Privacy by design – the ICO ask if the choices are being presented fairly and equally. They state that people must be given clear understandable information about what the options mean for them, and that consent for personalised ads is unlikely to be freely given if people don’t understand how their personal data is being used or that they can access the service without having to agree to the use of their personal information.
What can I do to comply with this?
If you are a Large Online Platform, it would be prudent to consider the following steps to stay compliant with the pay or consent model.
- Current practices - review current practices on your data processing activities, especially if they use consent or pay models for behavioural advertising.
- Alternative method – evaluate an alternative method: large online platforms should consider developing an ‘equivalent alternative’ that does not require users to consent to the processing of personal data for behavioural advertising.
- The issue of detriment – large online platforms must ensure that users do not suffer detriment based on their decision to either pay or consent. You must ensure that users are not excluded from online services even if they choose to neither pay nor consent for their personal data to be processed for behavioural advertising.
- Equivalence – if a large online platform is able to offer an alternative to the consent or pay model, you must ensure that the alternative is genuinely equivalent, levelling the playing field for all users alike.
There will surely be changes to how platforms track us in the future, with Regulators pressurising LOPs to address how they track behavioural advertising.
As it stands, Meta is still relying on performance of contract to process UK users’ data for behavioural advertising purposes, rather than consent or legitimate interests.
For UK data subjects this means that their right not to be subject to a decision based solely on automated processing may be limited, as it does not apply where the decision is necessary for entering into or performing such a contract.
It is interesting to note how the ICO have taken a more lenient approach to the pay or okay model for behavioural advertising in comparison to the EDPB; perhaps this is due to a shift in regulatory and political priorities post-Brexit.
All we can do is wait until the EDPB releases their own guidelines, which may come before the end of the year, as a meeting discussing the pay or consent model is due to take place in the coming weeks.