On April 17, EPIC submitted comments to the UK ICO on its call for views relating to “Consent or Pay” business models. In its comments, EPIC urged the ICO to prohibit the use of the facially illegal business model due to the clear violation of the UK GDPR’s definition of consent. Under the UK GDPR, consent must be “freely given, specific, informed, and unambiguous.” Forcing users to pay a fee or lose access to a website if they don’t want their data to be processed for targeted advertising is anathema to the rigorous standard of consent needed under the UK GDPR and does not pass the muster under the UK ICO’s own guidance on consent. There is no fee that would ever be appropriate to sell a UK citizen’s fundamental right to privacy and data protection, so the UK ICO should prohibit the practice.
This call for views comes on the heels of a November 2023 decision by the European Data Protection Board (EDPB) stating that Meta was in violation of the EU GDPR for processing personal data for targeted advertising without an appropriate lawful basis to process such data. Following the decision, Meta rolled out its “consent or pay” business model, where it offered a “free” version of its social media platforms where Meta would continue to process personal data for targeted advertising as well as a paid version of the platform that would not process personal data for the purpose of targeted advertising. The Norway, Dutch, and Hamburg Data Protection Authorities requested an opinion from the EDPB regarding the legitimacy of this business model. Twenty-eight organizations, including EPIC, sent a complaint to the EDPB in February 2024 requesting that the EDPB prohibit “consent or pay” business models based on the irrevocable harm to the fundamental rights to privacy and data protection. On April 17, the EDPB released its decision, holding that “in most cases, it will not be possible for [platforms using a “consent or pay” business model] to comply with the requirements for valid consent[.]”
EPIC has long advocated for robust safeguards to protect consumers from exploitative data collection, use, distribution, and retention practices both in the United States and abroad. EPIC has filed amicus briefs, regulatory comments, and supported legislation with comprehensive data minimization provisions to protect consumers from commercial surveillance regimes.