The UK Information Commissioner’s Office (ICO) is taking a stronger stance on cookies and tracking similar technologies, a development which is important for businesses, particularly in the online advertising space. With the UK General Data Protection Regulations (GDPR) already reshaping how personal data is handled, the ICO is now sharpening it’s focus on how websites use cookies and whether those sites are getting proper consent from their users.
In particular, the consent or pay model has gained traction. This model gives users three choices: either consent to the processing of their personal data to access content with personalised ads; pay a fee to forego such processing/advertising; or not use the services offered at all (consent or pay model).
The ICO has issued new guidance which outlines four main factors which businesses must follow to ensure their consent or pay model is legally compliant with data protection legislation, including the UK GDPR and the Privacy and Electronic Communications Regulations (PECR). Let’s break down what these guidelines mean for your business and how to stay on the right side of law.
Power imbalance:
The ‘consent or pay model’ can be used provided that the organisation that controls the personal data can demonstrate that such consent is freely given, informed, unambiguous and specific. If users feel they have no choice but to consent, for example if the fee for opting out is too high, it could be viewed as coercion which is a breach of the data protection legislation. Businesses must make sure the option to opt-out is genuinely available and does not excessively burden the user.
Appropriate fee:
The fees must be ‘appropriate’ and not so high that it makes it impossible for users to reasonably choose the ‘pay’ option. The ICO has stressed that the fee should be fair and should not force users into having to consent, especially if the service remains largely the same regardless of the option chosen.
Equivalence:
The ICO’s guidance states that the core service must be substantially the same whether a user chooses to consent to their personal data being used for personalised ads or pays for ad-free access. Organisations cannot offer a lesser experience to users who opt out of the data processing.
Privacy by design:
The choices presented need to be transparent, fair, and equal. Users should fully understand what they are consenting to and the implications of their choice. This means understanding how their personal information is being used and/or that they can access the service without having to agree to the use of their personal information.
What does this mean for your business?
The ICO has made it clear that it plans to actively enforce these guidelines. It will prioritise bringing the UK’s top 1,000 websites into compliance with cookie regulations and consent or pay models. Of course, the ICO won’t stop with the top 1,000 websites, and it is always possible that it will receive direct complains about non-compliant sites. This means it is essential to make any necessary changes to ensure you are complying with the data protection guidelines.
How can we help your business?
If you are unsure on whether your current data practices comply with UK data protection legislation, our expert legal team can assist your organisation in conducting a risk assessment to review your current practices and identify any areas that need improvement. We have specialists who can help you implement clear, robust consent statements for your consent management tool, and provide you with tailored solutions that minimise any risk of non-compliance thereby helping to build trust with your website users.
Get in touch with our Commercial and Data Protection team to ensure your business is compliant and prepared for the future of data protection.
The information provided in this article is provided for general information purposes only, and does not provide definitive advice. It does not amount to legal or other professional advice and so you should not rely on any information contained here as if it were such advice.
Wright Hassall does not accept any responsibility for any loss which may arise from reliance on any information published here. Definitive advice can only be given with full knowledge of all relevant facts. If you need such advice please contact a member of our professional staff.
The information published across our Knowledge Base is correct at the time of going to press.
