top of page
Search

Consent or Pay?




What’s cooking (literally!) with new 2025 Data Protection Reviews and Laws?


A big 2025 review of cookie usage on the UK’s top 1,000 websites has just been launched by the Information Commissioner (ICO).

 

His smaller 2024 review of  the top 200 websites, resulted in warning notices to 134 of those organisations (i.e. 2 out of every 3), setting out specific regulatory expectations. One reprimand was issued for ‘unlawfully processing people’s data through advertising cookies without their consent.’ 

 

And with the new 2025 Cookies review comes new ICO guidance about ‘Consent or Pay’ models on websites.


What is “Consent or Pay?” -And do you use this Cookie model?

The ICO’s 2024 review on cookies revealed that some websites had moved to a ‘consent or pay’ model. This model means access to online content or services is dependent on users either consenting to being tracked for advertising purposes (using cookies), or paying for access without being tracked.

The ICO guidance is clear;-

“Consent or pay” models can be compliant with data protection law if you can demonstrate that people can freely give their consent and the models meet the other requirements set out in the law.”

 

The two key laws he is talking about are the UK GDPR and the Privacy and Electronic Communications Regulations (PECR)

 

Our own courses on both these pieces of legislation cover the four key factors to consider when assessing if you are fully compliant with the use of the Consent and Pay Cookie model.

 

These include:-

  1. Power imbalance:- It’s unlikely that people can freely give their consent if they have no realistic choice about whether or not to use the service. You should especially consider existing users of your product or service under this factor.

     

  2. Appropriate fee: Have you set an appropriate fee for accessing your service without personalised advertising? It’s unlikely that people can freely give their consent if your fee is inappropriately high, making it an unrealistic choice.

     

  3. Equivalence: Is your core service broadly equivalent in the products and services offered where people consent to personalised advertising and where people pay to avoid personalised advertising?

     

  4. Privacy by design: Do you present the choices equally to people, with clear, understandable information about what each choice means and what they involve? People cannot freely give their consent if they are uninformed about the available options or have their choice influenced by harmful design practices.

 

Our two courses on both the UK GDPR and PECR focus on:-

 

  • The latest Data Protection law updates based on ICO

    reviews and cases brought by his office

  • Privacy Impact Assessments

  • Cookie Audits

  • Policy Analysis

  • Links to other laws

 

And we cover the latest news on the Data (Use & Access) Bill which  is progressing through Parliament. This fresh legislation provides for:-

  • New Digital Verification Services. These measures will

    focus on creating and adopting secure and trusted digital

    identity products and services from certified providers.

    Helping with things like moving house, pre-employment

    checks, and buying age restricted goods and services

     

  • Smart Data schemes, which is about the secure sharing

    of a customer’s data upon their request, with authorised

    third-party providers. Ministers say that Open Banking is

    the only active example of a regime that is comparable to

    a 'Smart Data scheme' – but it needs a legislative

    framework to put it on a permanent footing, from which it

    can grow and expand.

     

  • Stronger information standards for IT suppliers in the

    health and social care system.

     

  • Broader definitions of consent for areas of scientific

    research, allowing legitimate  researchers in commercial

    settings to make equal use of the UK data regime.

     

  • Modernising and strengthening the ICO. It will be

    transformed into a more modern regulatory structure,

    with a CEO, board and chair.


 
 
 

Comments

bottom of page