ORG Response to the ICO “consent or pay” consultation

Open Rights Group welcomes the opportunity to respond to the Information Commissioner’s Office consultation on the “consent or pay” model, which is or could be relied upon for processing personal data on the basis of consent.

‘Consent or Pay’ and Data Protection

Interferences with our right to privacy and data protection are admissible only and insofar they represent a necessary and proportionate mean to achieve another, worthy objective. This principle does not only originates from the rights-based approach of the UK GDPR, but from the broader obligations that stem from the European Convention of Human Rights and the western legal tradition the UK adheres to, which is rooted in the rule of law and the protection that individuals, their subjectivities and their personalities enjoy.

In practice, this principle becomes material in the UK GDPR by requiring that data processing is based upon a legal basis, that authorises such processing a) for the pursuit of a legitimate aim, b) within given boundaries that ensure necessity and proportionality, and c) upon conditions that protect affected individuals from abuses.

The compatibility of a “consent or pay” model as a mean for online service providers to obtain consent for behavioural profiling and personalised advertising manifestly fails to meet this test. In summary:

• Data processing for behavioural profiling is not necessary to protect a vital interest or pursue a legitimate aim. Relying on behavioural profiling to fund an online platform via advertisement is a deliberate decision to adopt a funding model that interferes’ with users’ privacy and right to data protection in the absence of a justifiable reason.

• As such, subjecting individuals to behavioural profiling is is an unjustified interference with one’s right to privacy and data protection, unless the individual freely exercises their agency to accept such interference. It is, thus, unlawful unless individuals freely provides consent, and the conditions laid out by the UK GDPR for consent to be valid are met.

• The adoption of the “consent or pay” model for the practical purpose of enabling behavioural profiling and funding an online service via advertising violates individuals’ agency by forcing them to consenting to such processing, and denying them the opportunity to withdraw their consent without detriment. Thus, it cannot constitute valid and freely given consent.

• Indeed, reliance on the “consent or pay” model reveals that online service providers themselves do not believe users would provide their consent if they were able to refuse to be subject to behavioural profiling free of charge. The objective of circumventing the law is not legal nor legitimate, and does not deserve protection.

• Behavioural profiling inherently exposes individuals to predatory advertising, discrimination, and potential violations of their habeas corpus and fundamental rights—such as in the case of women’s reproductive freedom and health. Forcing individuals into accepting these risks is immoral.

• Finally, condoning the “consent or pay” model for behavioural profiling would not only violate individuals’ fundamental rights, but it would expose legitimate advertisers to unfair competition. Consent or pay would allow ads providers and online platforms to force-feed advertisement to its users and siphon advertisement revenues from other legitimate and law-abiding businesses that respect individuals’ dignity and authonomy.

• It follows that the ICO proposed regulatory approach fails to recognise the inherent abusive nature of “consent or pay” in the context of behavioural profiling and personalised advertising. The ICO should not condone such practices, and should instead enforce against unfair, deceptive, predatory or otherwise illegal adtech practices.

The problem with ‘Consent or Pay’

We substantiate our reasoning in the paragraphs below:

The UK GDPR already allows interferences with one’s right to data protection to protect their vital interest, or in the pursuit of a legitimate aim enshrined in a legal obligation, or a public task, or if the existence of a legitimate aim that overrides the interest of the individual can be demonstrated.

Each of the legal bases discussed above provide conditions to ensure that data processing does not unduly interfere with one’s fundamental rights. It follows that processing that cannot be justified under these conditions is unnecessary and unjustified to achieve any of such aims—be it the protection of vital interests, a public task, a legal obligation, or legitimate interest (henceforth “qualified legitimate aim”).

The UK GDPR allows interferences with one’s right to privacy or data protection when it is not necessary to protect a vital interest or to pursue a qualified legitimate aim. This is the case of data processing based upon a contractual necessity or the consent of the individual. Absent a substantial justification to authorise such interference with one’s fundamental rights, its legitimacy rests in the agency and free will of the individual—in other words, in their willingness to be subject to such interference. In the UK GDPR, this is reflected in the conditions that require the existence of a valid contractual obligation, or the conditions that allow consent to be relied upon as a legal basis. In both cases, reliance on this legal basis is constrained to data processing that is necessary to achieve what the individual has consented to, or to perform the contract they willingly entered into. For the legal basis of consent, this must also be freely given, specific, informed, and as easy to withdraw as it is to give. Individuals cannot be subject to negative consequences for withdrawing their consent, but can be given incentives to provide their consent.

While it is true that the Court of Justice of the European Union has recognised that “consent or pay” may in principle be admissible to legitimise data processing, this is a statement of principle that reflects the horizontal applicability and the broad range of uses cases the GDPR applies to. Principles must be translated into practice by checking their application against the conditions set forth by Article 6(1)a and Article 7, and interpreted in line with recital 42.

In Case C-252/21 Meta Platforms and Others (General terms of use of a social network), the Court of Justice has already ruled that data processing for behavioural profiling and personalised advertising does not constitute a legitimate interest, as it fails the balancing test against the interest of the individuals affected. It has also ruled that behavioural profiling and personalised advertising are not necessary for fulfilling a contract between an individual and an online service provider. It is also undisputed that behavioural profiling does not protect a vital interest, constitutes a legal obligation, nor it is necessary for the performance of a public task. Thus, behavioural profiling and personalised advertising constitute an interference with one’s right to data protection which is not justifiable to achieve a qualified legitimate aim, nor it is expression of one’s decision to enter a contractual obligation

Based on the above, a service provider that decides to fund themselves via behavioural profiling and personalised advertising takes a deliberate business decision to interfere with one’s right to data protection in a manner that is not justified by either the pursuit of a legitimate objective or contractual will: the online service provider could have chosen to fund themselves with means that are respectful and compatible with the rights and freedom of an individual—such as contextual advertising— but deliberately chose not to do so. The deliberate business decision to override an individual’s fundamental right is inadmissible and illegal, unless it can be demonstrated that the individual consented to such interference, and the condition for consent to be valid are met. Accepting otherwise would mean accepting that individuals could legally be coerced to relinquishing their rights in the absence of a valid justification.

Article 7 of the UK GDPR provides conditions upon which an interference with one’s right to data protection can be considered legitimate. However, the practical implementation of the “consent or pay” model, as being adopted by Meta and other online service providers, obviously fails to meet these requirements: individuals who who want to enjoy and not relinquish their right to data protection must face adverse financial consequences to do so and are “unable to refuse or withdraw consent without detriment”.

The absence of free agency and free will in such arrangement is not only revealed by its incompatibility with GDPR legal standards, but it is embodied in “consent or pay” as a business model for personalised advertising. Despite claiming that personalised advertising is useful and provides benefits to users, service providers are trying to force the provision of consent via “consent or pay” because they know their users will not consent to it, and thus they need to bypass individual agency and free will in order to make their business decision profitable. Indeed, individuals do not want to consent to online profiling and personalised advertising, they refuse to provide such consent when possible, and they boycott such attempts to interfere with their privacy when they can’t refuse.

It is also worth mentioning that individuals have very good reasons to be willing to avoid behavioural profiling and personalised advertising. Individuals behaviour inherently reflects one’s addictions or vulnerabilities (in other words, their compulsive behaviours), sensitive traits (such as the places they go to worship or engage in political activities) and other, very personal and sensitive choices (such as sexual health, medical conditions, or reproductive behaviours). Behavioural profiling exposes such information to commercial exploitation as well as interference and abuses from the State—for instance, it allows gambling companies to prey on problem gamblers, or State authorities to persecute women for exercising their reproductive rights such as the right to abortion. Accepting to subject oneself to the risks posed by behavioural profiling is a highly sensitive and consequential choice: restricting and individual’s agency, and trying to coerce them into taking this choice is immoral even before any consideration concerning its legality.

Finally, it is worth emphasising that allowing behavioural advertisement providers to serve ads to individuals against their will does not only violate the right of the individuals, it violates the rights of legitimate advertisers and service providers who compete into the market and comply with the UK GDPR. By not honouring an individual’s choice not to be behaviourally profiled, adtech companies that illegally target users with personalised advertising are allowed to siphon advertisement revenue from legitimate and law-abiding advertisement channels such as contextual advertising.

Recommendations

Upon these basis, the ICO regulatory approach to “consent or pay” risks legitimising reliance on “consent or pay” in an area where such reliance is an obvious attempt to violate human rights, coerce individuals and trump their agency and autonomy. We therefore recommend the ICO:

• To clarify that “consent or pay” cannot be relied upon to justify behavioural profiling or personalised advertising.

• To enforce against against unfair, deceptive, predatory or otherwise illegal adtech practices, with the aim of removing unsafe products from the market, protect the public and their right to privacy and data protection, and restore fair competition in the online advertising space.

Open Rights Group remains available for further comments or clarifications at the contact below

Mariano delli Santi, Legal and Policy Officer: mariano@openrightsgroup.org