Consent or Pay in the UK: Decoding the ICO's New Guidance

Ross Webster

4 min read
Consent or Pay in the UK: Decoding the ICO's New Guidance
Photo by tommao wang / Unsplash

The ICO Commitment to Growth

The current economic headwinds in the UK, compelled Prime Minister Keir Starmer to write a Christmas Eve letter to all the major UK regulators, including the Information Commissioner’s Office (ICO), requesting proposals for regulatory reform that will boost economic growth.  Each regulator was requested to respond outlining their commitments by mid-January.   The ICO, responsible for data protection, responded on January 16th.  Claiming a strong track record in promoting growth - drawing attention to a commitment to helping businesses by cutting costs, providing regulatory certainity & offering advice services.    Hardly Trumpian!  Perhaps the looming EU:UK Adequacy extension decision in June 2025 meant that the ICO did not want to really throw caution to the wind by stripping back data protection bureaucracy in the name of driving exponential growth. However,  the ICO did commit to boosting privacy-preserving online advertising, recognising that businesses find the digital advertising regulatory landscape, particularly Privacy and Electronic Communications Regulations (PECR) consent requirements, difficult and burdensome.

ICO's Approach to Privacy-Preserving Advertising

With advertising contributing £129 billion in value to the UK economy, simplifying online advertising regulations could provide significant benefits.  However, the ICO's recent consultation on storage and access technologies may have limited economic impact.  The regulator suggests that reviewing PECR consent rules for low-risk processing could encourage adoption of more privacy-friendly advertising models, such as contextual advertising.While the ICO's promotion of contextual advertising represents a positive shift toward privacy preservation, they will face stiff industry resistance. tThe current advertising ecosystem remains heavily dependent on behavioral signals across supply, demand, and middleware layers. Although contextual advertising offers a more privacy-friendly alternative, the guidance's incremental approach to consent rules is unlikely to stimulate substantial market growth or drive significant innovation in privacy-preserving technologies. This isn't because the direction is wrong - it's because the transition requires more fundamental changes to how the digital advertising market operates

Consent or Pay Guidance Impact Assessment

Last year, the ICO wrote to the Top 200 UK websites (now expanded to Top 1000) emphasising the need for publishers to provide equal prominence to 'Accept' and 'Reject All' options on consent pop-ups. Facing potential loss of behavioral data, many UK publishers began testing paywall options. Following industry consultation, the ICO has issued guidance on the "Consent or Pay" (CoP) model.

This ICO’s guidance has broader implications, as the European Data Protection Board (EDPB) is also currently addressing the viability of CoP.   As well as other jurisdictions, including Australia, Canada, and various U.S. states through privacy laws, are considering similar consent-based approaches.

What does the CoP Guidance mean for Publishers

The ICO writes: ‘In principle, data protection law does not prohibit business models that involve consent or pay. However, any organisation considering such a model must be careful to ensure that consent to processing of personal information for personalised advertising has been freely given and is fully informed, as well as capable of being withdrawn without detriment.’

So cookie banners must be clear, unambiguous, have no default non-essential tracking, and have an easy mechanism to withdraw consent.Into the weeds, the ICO also instructs:

Publishers cannot be so large that there's a power imbalance with users

  • Publishers can't be so dominant that users have no real alternative to consent.
  • Users shouldn't face unfair penalties for rejecting tracking.
  • There must be a genuine choice for users.
  • Publishers must conduct an assessment before implementing CoP, as well as regular documentation and reviews.

The subscription fee must be "reasonable"

  • The cost to avoid personalised ads can't be so high it forces consent.
  • Pricing should reflect privacy value, not arbitrary upcharges.
  • Basic services should remain consistent between paid and free versions.
  • Core content must be equivalent across paid and free versions, although additional premium features can be offered separately.
  • Simple "cookie walls" that only give users the option to accept or leave, and don't offer a payment alternative are not allowed.
  • Publishers cannot serve targeted ads to users who choose to pay the subscription fee.

The guidance tries to strike a balance between two competing interests, on the one hand the Publishers' need to monetise their content and maintain revenue, whilst on the other hand  the users' fundamental right to privacy regardless of their financial situation. 

EDPB CoP Guidance

The EDPB offered their guidance on CoP in April 2024, and there are a few key differences in style and content from the ICO’s guidance.

The ICO generally  accepts "Consent or Pay" as lawful if implemented correctly, the EDPB has taken a more critical stance, stating paid alternatives should not be the default and suggesting publishers should offer a free third alternative without behavioral advertising.

Although the EDPB plans to issue broader guidelines, the April 2024 guidance was taken from a ruling on Meta’s CoP offering, so it is primarily focused on large online platforms and their market power.  In that context the EDPB guidance has a stricter stance than the ICOs, particularly regarding the need for a free alternative option.  And as such focussed on the large publishers responsibility to ensure a pressure on a user around conditionality, detriment and power imbalance is fair. Some publishers have questioned whether regulators should even be issuing guidance on CoP?  Claiming that assessing the economic market dominance and power imbalances is a complex exercise and should really fall under the purview of competition authorities.

What Should Publishers Do in Light of the ICO Consent or Pay Guidance?

Although the ICO guidance diverges somewhat from the stricter approach taken by the EDPB, offering UK publishers more flexibility in their business models. However, publishers must carefully navigate these requirements if considering the Consent or Pay model.Publishers should take several practical steps to align with the ICO's guidance:

  1. Assess Market Position
    • Evaluate whether your organisation's size creates power imbalance concerns
    • Consider if your users have genuine alternatives
  2. Review Pricing Structure
    • Ensure subscription fees are reasonable and justifiable
    • Document the rationale behind pricing decisions in assessment
  3. Update User Interfaces
    • Implement clear, non-manipulative cookie banners
    • Give equal prominence to all options (consent, pay, or leave)
    • Ensure consent withdrawal mechanisms are easily accessible
  4. Document Compliance
    • Maintain records of your implementation decisions
    • Regularly review and update your approach based on user feedback
    • Keep evidence of how you're meeting the guidance requirements

Conclusion

The ICO's "Consent or Pay" guidance represents a significant milestone in the evolution of digital advertising regulation in the UK.  While it may seem to add complexity to publishers' operations, or overreach by a data protection regulator, it actually provides a clear framework for implementing a model that balances commercial interests with privacy rights.

The key to success will be finding the sweet spot between monetization and privacy respect.  Publishers who can implement these requirements while maintaining user trust and service quality will be well-positioned for sustainable growth in the evolving digital landscape.

Sign up for more like this.