UK privacy watchdog takes credit for rise of ‘consent or pay’ rule

The UK’s data protection watchdog says its crackdown on sites that don’t ask visitors to consent to having their browsing activity tracked and profiled for ad targeting is bearing fruit. However, it admits that some of the changes prompted by the crackdown have seen sites adopt a controversial type of paywall that requires users to pay a fee to access content or opt in to being tracked and profiled for ad targeting (also often known as “pay or consent”).

The ICO didn’t disclose which websites had switched to a pay-or-agree model because it began asking questions on their tracking cookies. But it did name and shame several corporations for failing to comply with other cookie rules.

On Tuesday local time, the Information Commissioner’s Office (ICO) announced it had reprimanded Bonne Terre, the corporate behind Sky Betting and Gaming, for unlawfully processing personal data without consent.

Research has shown that data tracking can do loads of harm to individuals with addiction problems, which can explain why the general public rebuke of the ICO focused on an organization within the gambling sector.

“From 10 January to 3 March 2023, Sky Betting and Gaming processed users’ personal data and shared it with advertising technology companies as soon as they accessed the SkyBet website – before they had the opportunity to accept or reject advertising cookies,” the ICO wrote in a press release. “This meant that their personal data could be used to target them with personalised adverts without their prior consent or knowledge.”

The regulator told TechCrunch that it selected to issue a warning moderately than a sanction on this case since it believes it’s a proportionate use of its powers — “based on what will achieve the best outcome, and based on our priorities and limited resources.”

“In this case, we took into account Bonne Terre’s positive engagement with the ICO and the steps it has taken to improve compliance and considered that a reprimand was the most proportionate action,” ICO spokesman James Huyton added.

The reprimand is an element of a wider crackdown by the ICO on the use of cookies without consent, with the regulator highlighting a review of the UK’s “top 100 sites” last yr that identified “problems” with the way in which greater than half of sites used promoting cookies. then he wrote to 53 involved sites, warning they face enforcement motion in the event that they don’t change the way in which they deploy promoting cookies to comply with data protection law. The ICO suggests the outreach has helped remove some non-compliant cookie banners.

The regulator declined to verify the identity of any of the opposite sites contacted as part of its cookie compliance check. However, reporting the outcomes of its flurry of letters, the ICO said 52 of the sites it approached had made changes to the way in which they collected consent to tracking. The ICO said it had observed a number of changes, including some sites moving to a so-called “pay or consent” model – where visitors are blocked from accessing site content unless they consent to tracking or pay a fee.

Pay or consent is a controversial approach that’s currently being challenged legally and regulatory-wise within the European Union, including by privacy and consumer protection groups. Meta’s implementation of pay or consent can also be suspected of violating the bloc’s fair market principles. (The ICO declined to say whether Meta was one of the positioning owners it contacted about cookie consent.)

In a press release accompanying the report on the outcomes of the cookie banner crackdown, Stephen Bonner, deputy commissioner on the ICO, said the intervention had led to 99 of the highest 100 UK web sites “either already offering meaningful choice in advertising cookies or making changes to get people’s consent”. Which is sort of an either/or.

Bonner’s statement doesn’t provide any data to quantify the actual impact of the ICO on consent selections for UK web users. He says only that “some” of the changes observed included the introduction of a reject all button on sites that previously didn’t have one; others involved sites making their accept all and reject all buttons equally visible; and other sites introduced alternatives corresponding to “agree or pay” – a business model the ICO is “currently reviewing” for legality.

The gold standard for compliance with the UK’s General Data Protection Regulation, which is predicated on the EU framework of the identical name, could be to present website visitors with: easy yes/no selection accept or decline tracking. Sites that fail to accomplish that—for example, by only allowing users to simply accept but not decline tracking, or by making it easy to click a tracking acceptance button but hiding the decline option from multiple menus in confusingly worded settings—needs to be penalized for failing to comply. But too often, they get away with using manipulative, hidden patterns to steal consent.

The ICO must take some of the blame for years of ignoring warnings from privacy activists in regards to the ad tech industry’s unchecked data collection. It also didn’t act decisively by itself concerns in regards to the sector’s data collection practices, as set out in a 2019 report – for example, closing a grievance without issuing a choice in 2020 since it opted for soft industry engagement moderately than vigorous enforcement.

Last yr’s cookie harvesting campaign looks like an attempt by the ICO to finally see itself do something after years of exempting adtech players from compliance. However, its actions may raise questions provided that enforcement has apparently fuelled a rise within the use of controversial ‘pay or agree’ tactics. It’s also interesting to think about the sites it chooses to call and shame in comparison with others that also don’t offer users a transparent yes/no selection, but whose names we have now to infer.

As well as publicly reprimanding Sky Betting, the ICO has decided to call and shame gossip website Tattle Life – which it says was the just one of 53 web sites contacted that didn’t become involved – and said it might now launch an investigation into its use of cookies and its “apparent failure” to register with the ICO.

What about sites which have switched to implementing “agree or pay” cookie banners, meaning they don’t offer web users a free selection to opt out of tracking?

Tech giant Meta entered the sport last yr, deciding to force ad-tracking consent from Facebook and Instagram users by imposing a “pay us or let us track you” paywall on its formerly free social networks. Since then, a growing number of British news sites have imitated the tactic, with “pay or let us” paywalls popping up in all places previously free, ad-supported journalism was available.

We asked the ICO for its views on the creep and growth of “pay or agree”, including Meta’s adoption of the tactic, and a spokesperson referred to Bonner’s previous comments, writing: “Following engagement with Meta, we are investigating how UK data protection law would apply to any potential ad-free subscription service. We expect Meta to consider any data protection concerns we raise before rolling out a subscription service to UK users.”

At the start of this yr, ICO conducted consultations on “pay or consent” business models saying it hopes to supply an initial view of the approach but has not yet adopted a transparent public position. And on this regulatory gray area, loads of “consent or pay(wall)” is happening.

“When it comes to opt-in or pay models, we have told companies that they are not transparent with the public and that they must offer people meaningful choice about how their data is used and shared on their websites,” the spokesperson added. “Some companies have introduced alternative methods of obtaining consent, such as ‘opt-in or pay’, which we are currently considering as a business model following our consultation in early 2024. We will provide our position later in the year. In the meantime, we will continue to monitor developments in new approaches.”