Consent or pay under the UK GDPR

“Consent to tracking or pay for this content.” More and more website visitors are faced with this choice. But under what conditions is consent or pay even permissible?

What is consent or pay?

In the evolving landscape of digital privacy and online business models, data protection regulators are paying close attention to how users’ personal information is monetised. The UK Information Commissioner’s Office (ICO) recently released detailed guidance on a business model known as consent or pay, which has become increasingly popular among online publishers and platforms seeking to balance revenue generation with regulatory compliance.

This model emerges in response to growing limitations around cookie-based advertising and the broader regulatory push for transparency and fairness in data processing. But as companies look for creative ways to sustain free services, they must ensure that these strategies don’t come at the cost of users’ fundamental data protection rights. The ICO’s guidance sets out clear expectations to help organisations navigate this.

Consent or pay refers to a digital business model in which users are presented with a choice: either consent to the use of their personal data, usually for personalised advertising, or pay a fee to access the same content or services without being subject to such data processing. In some cases, the only alternative to both is to decline access altogether.

This model stands in contrast to the “take it or leave it” approach, where access to a service is conditional upon agreeing to data processing. While the latter is often non-compliant with data protection law, “consent or pay” can be lawful if implemented properly.

The ICO stresses that for consent to be valid under the UK GDPR, it must be freely given, informed, and unambiguous. That means users must have a real, meaningful choice.

Criteria for a valid consent or pay

To evaluate whether a consent or pay implementation meets these standards, the ICO has outlined four key considerations: power imbalance, appropriate fee, equivalence, and privacy by design.

Power imbalance

The first factor is whether there exists a power imbalance between the organisation and the user. If users feel compelled to consent because there are no realistic alternatives (for example, if the platform is dominant in the market or the user base is locked in due to network effects), then consent cannot be considered freely given. This is especially important for services that users rely on daily, such as social media, job platforms, or essential information sources. The ICO highlights that a strong market position or high switching costs can undermine genuine user choice.

Appropriate fee

Next, the ICO addresses the appropriateness of the fee charged to users who choose not to consent. If the fee is prohibitively high, it may effectively coerce users into agreeing to data processing, which invalidates the consent. The guidance emphasises that the fee must reflect the value users place on not sharing their data, not the company’s lost advertising revenue. A fair and proportionate fee is essential for maintaining a balance between business sustainability and user autonomy.

Equivalence

Another core requirement is service equivalence. Organisations must ensure that the core product or service offered to paying users is broadly equivalent to that offered to users who consent to data processing. While it’s permissible to include some additional features or benefits in either tier, the essence of the service must remain the same. If the free, ad-supported version is significantly better or worse than the paid alternative, the user’s choice could be unfairly influenced.

Privacy by design

Finally, the principle of privacy by design underpins the entire model. The options presented to users must be clearly explained, neutrally framed, and free from manipulative design tactics such as dark patterns. Users must be able to understand what they are consenting to and must be able to withdraw that consent at any time without penalty. Good interface design and transparent messaging are not merely user experience best practices; they are legal necessities under UK GDPR.

Moreover, organisations implementing a consent or pay approach must carry out a data protection impact assessment (DPIA). This is particularly crucial where personalised advertising involves processing that is likely to present a high risk to individuals’ rights and freedoms. A thorough DPIA helps identify potential issues, document the justification for the model, and demonstrate compliance with data protection principles. Without it, organisations may struggle to defend the lawfulness or fairness of their approach if challenged.

Conclusion

As digital platforms search for sustainable ways to fund their services in a privacy-conscious world, the consent or pay model presents both an opportunity and a legal risk. The ICO’s guidance makes clear that while the model is not prohibited under UK GDPR, it must be implemented with careful attention to fairness, transparency, and user autonomy.

Organisations considering this approach must go beyond offering a binary choice. They need to evaluate the context in which that choice is presented: whether users are truly free to refuse consent, whether the price to opt out is fair, whether the alternatives are genuinely comparable, and whether the design supports informed, unbiased decision-making.
