Understanding the ICO guidance on 'Consent or Pay' in the UK

Published February 12, 2025, by Ali Talip Pınarbaşı

Summary

While behavioral and targeted advertising is critical to many businesses in displaying relevant ads to their target customers, UK data protection law generally does not allow websites and mobile apps to use it without consent.

Therefore, businesses turn to alternative methods such as ‘Consent or Pay’ models (offering users the ability to access gated content by either consenting to data collection or paying a fee) to strike a balance between revenue generation and their GDPR compliance efforts. 

Against this background, the UK Information Commissioner's Office (ICO), the UK’s data privacy regulator, published a new Guidance on Consent or Pay models, which addresses whether businesses can implement such mechanisms on their websites/apps and how they can obtain valid consent that complies with the UK GDPR and the PECR. 

If your website, app, or online platform is accessible to UK users and you operate a Consent or Pay model, you need to understand the new requirements. Keep reading for the full breakdown.

Understanding the background of the ICO 'Consent or Pay' guidance 

In 2024, almost 60% of the cookie complaints made to the UK Data Protection Authority (ICO) concerned the inability to reject non-essential tracking. Furthermore, a survey conducted by the ICO in 2022 found that around 90% of people expressed concern over the collection and use of their information without permission. 

Given the growing concerns over online tracking via cookies, it's no surprise that the ICO made online tracking a key focus in its 2025 plan:

“We are committed to giving people meaningful control over how they are tracked online, enabling them to go about their online daily lives with trust and confidence.”

- Information Commissioner's Office (ICO), Taking control: our online tracking strategy (source: ICO)

In line with this objective, the ICO took two important actions: It published its long-awaited Guidance on Consent or Pay models, providing advice on whether the consent or pay model is legal and how a website or app should implement it, and announced its plans to review the cookie usage practices of the top 1000 websites and apps in the UK. 

How to implement a ‘Consent or Pay’ model in accordance with the UK GDPR and the PECR?

The ICO states that Consent or Pay models can be compliant with the GDPR and the UK data protection law in principle. 

However, it emphasizes that businesses must comply with the GDPR consent requirements and be able to demonstrate that they obtained freely given valid consent from their users. 

The ICO Guidance thus recommends that businesses carry out a 4-factor assessment to determine if the consent is freely given and fulfills the GDPR consent requirements:

Factor 1: Power imbalance

The UK GDPR requires consent to be freely given, meaning that individuals have a genuine choice and do not feel any coercion or pressure to consent.

Therefore, the ICO Guidance recommends that you assess whether there is any power imbalance between you and the individual to ensure that the consent is freely given. 

When assessing the power balance between the parties, you should consider various factors, such as your market dominance or whether an individual is overly reliant on your services. For instance, in an employer-employee relationship, the employee’s consent is highly unlikely to be freely given.

Factor 2: Appropriate fee

The ICO Guidance notes that in a Consent or Pay model, an inappropriately high fee may coerce individuals to consent to data collection, thus invalidating their consent.

Organizations must evaluate the appropriateness of their fee to ensure that the free choice of individuals is not compromised. 

In this regard, the ICO states that organizations should consider the value individuals assign to avoiding the use of their data for personalized advertising.

Factor 3: Equivalence

The ICO Guidance states that the core services made available under the consent option and the paid option must be equivalent. 

For instance, if the services provided with the paid version are lower quality than those provided with the consent version, individuals may not be able to exercise their free choice and choose the consent option involuntarily.  

Factor 4: Privacy-by-design

Under this factor, the ICO advises organizations to implement various measures to ensure that consent complies with GDPR consent requirements and that individuals are informed about the data processing and potential impact. 

The ICO advises that consent must be specific, granular, and informed. Furthermore, organizations must make refusing to give consent as easy as providing it and provide individuals with a one-step consent withdrawal mechanism.

Lastly, the ICO recommends that organizations carry out a Data Protection Impact Assessment (DPIA), as it considers that the Consent or Pay model presents high risks to the rights and freedoms of individuals.

How to design a ‘Consent or Pay’ banner that complies with the UK data protection law

As you can see from the previous section, complying with the strict GDPR consent requirements is a must to operate a GDPR-compliant Consent or Pay Model. 

In this section, we will help you understand how you can design and operate a Consent or Pay model in accordance with the ICO’s Guidance. 

Step 1: Present ‘Consent or Pay’ choices early and clearly

Organizations must provide clear information about both the consent and pay options in plain language. 

This includes explaining the meaning and differences of each option and informing users about the data processing activities taking place, such as targeted or behavioral advertising. Organizations should also be transparent about user rights and how those rights can be exercised.

The ICO gives the following as an example of a non-compliant consent or pay banner: 

Source: Information Commissioner's Office

This banner is non-compliant because the language is vague and potentially misleading, and users are not informed about the targeted advertising taking place if they choose the free version. 

Step 2: Ask for specific consent separately for each distinct processing activity 

Organizations must ensure that consent is specific and granular: If data is to be used for distinct purposes such as retargeting, personalized ads, and behavioral advertising, the organization must ask for specific consent for each of these.

In other words, consent for personalized advertising, retargeting, video embeds, and content personalization must be distinct from each other, and consenting to one does not mean that the user consents to all other processing activities. 

The ICO provides the following as an example of a compliant Consent or Pay banner where personalized advertising is separated from other purposes: 

Source: Information Commissioner's Office

As you can see, the option to consent to personalized ads is not bundled with other purposes, and all non-essential purposes have been turned off by default.

Step 3: Offer a consent withdrawal mechanism 

Organizations must make refusing to give consent as easy as providing consent. Furthermore, organizations must also provide a one-step consent withdrawal mechanism for users to withdraw their consent easily.

This has emerged as an important topic in other jurisdictions and has been identified as a key topic for 2025 by our Chief Privacy Officer.

Step 4: Designing the “Pay” option

While the Pay option may not involve personalized advertising, the ICO still recommends organizations consider a privacy-by-design approach, inform users sufficiently, and collect data lawfully. 

For instance, individuals should be clearly informed that they are free to leave the service if they do not want either option. Lastly, organizations can offer a clear and easily accessible ‘Leave’ option for users. 

How can Didomi help you comply with the UK data privacy requirements?

If you plan to operate a Consent or Pay model in the UK, obtaining GDPR-compliant consent is a must.

To do so, you need to design a banner that provides sufficient and clear information about both options to your users, keep records of every user’s choice, and provide an effective mechanism for withdrawing consent.

All this can be set up with our solutions. Book a demo with one of our experts, or check out our Consent Management Platform to get started.

The author
Ali Talip Pınarbaşı
Freelance writer
London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London, advising businesses on how to comply with data protection laws.