UK data watchdog allows 'consent or pay' model for online publishers

The UK's data protection regulator has confirmed that news publishers can implement "consent or pay" models for their websites, provided they offer users genuine choice and meet strict data protection requirements. The Information Commissioner's Office (ICO) released comprehensive guidance on January 23, 2025, establishing a framework for organizations adopting this increasingly common business approach.

Under these models, websites present visitors with a choice: consent to personalized advertising based on their data, pay a fee to access content without such tracking, or leave the service entirely. The practice has gained prominence since late 2024, when major UK news outlets including The Times, The Sun, Daily Mail, Mirror, Express, and The Independent implemented varying payment tiers ranging from £1.99 to £6.99 monthly.

Stephen Almond, ICO's executive director of regulatory risk, emphasized the organization's commitment to user privacy while acknowledging business needs. According to the ICO documentation, companies must demonstrate that users can "freely give their consent" under these models, requiring careful consideration of four key factors.

The first criterion addresses power dynamics between service providers and users. Organizations must evaluate whether individuals have a realistic alternative to using their service, as significant imbalances could invalidate consent. This consideration becomes particularly relevant for dominant market players or essential services.

Fee structures represent another critical element. The ICO stipulates that charges must be "appropriate" and not "unreasonably high," warning that excessive fees could effectively coerce users into consenting to data collection. Notably, the guidance recommends separating core service access fees from data protection opt-out charges.

Service equivalence forms the third pillar of compliance. Publishers must ensure comparable core functionality regardless of whether users choose to consent or pay. While premium features may differ, the fundamental service should remain consistent across options to preserve genuine choice.

The framework's fourth component focuses on transparency and design. Organizations must present choices clearly and equally, avoiding manipulative interfaces or "harmful design practices" that could unduly influence user decisions. This aligns with the ICO's broader initiative on cookie compliance, which began with the top 100 UK websites in November 2023.

Looking ahead, the ICO announced plans to expand its cookie tracking scrutiny to the 1,000 most-visited UK websites. This extension follows successful compliance improvements among the initial 200 sites reviewed, with 99 of the top 100 websites now meeting requirements.

The guidance addresses specific concerns for vulnerable users, particularly children. Organizations targeting users under 13 must obtain parental consent and implement effective age verification measures. The ICO's Children's Code requires that profiling for personalized advertising remain disabled by default for young users.

This regulatory clarification arrives amid growing debate over digital publishing business models and data privacy. While some industry observers argue these models could reshape online content monetization, others express concerns about digital inequality and access to information.

The ICO's position reflects a nuanced approach to balancing commercial viability with privacy protection. Companies implementing "consent or pay" systems must document their compliance through data protection impact assessments, considering both the outlined factors and broader UK GDPR principles.

For publishers specifically, the guidance includes provisions for offering tiered services, such as premium content subscriptions, alongside basic access options. However, the ICO emphasizes that any additional features must not conflate core service fees with data privacy choices.

The regulator maintains its authority to assess individual implementations and take enforcement action against non-compliant models. Organizations must regularly review their systems against these standards, particularly as market conditions and user expectations evolve.