ICO cookie action and ‘consent or pay’ guidance

January 2025

There’s been a flurry of activity recently in relation to cookies and similar technologies, a key strategic area for the ICO in 2025.

A review of cookie usage on the UK’s top 1,000 websites has been announced, new guidance on ‘consent or pay’ models has been published, and the ICO has published draft ‘guidance on the use of storage and access technologies’ (previously known as ‘cookies guidance’).

Meanwhile, the Data (Use & Access) Bill is progressing through Parliament and may pave the way for a more relaxed approach to first-party analytics cookies.

1,000 websites in the regulatory spotlight

With a focus on the ‘uncontrolled tracking’ of users, the ICO is set to review the compliance of the top 1,000 websites. This marks a significant expansion of the regulator’s proactive reviews, having already assessed the top 200 websites. That resulted in communications to 134 of those organisations (i.e. 2 out of every 3), setting out specific regulatory expectations. One reprimand was issued for ‘unlawfully processing people’s data through advertising cookies without their consent’. You can read more about the reprimand here and our five steps to cookie compliance.

Stephen Almond, ICO Executive Director of Regulatory Risk, says: “Our ambition is to ensure everybody has meaningful choice over how they are tracked online.”

What does this mean in practice?

Along with not deploying non-essential cookies on users’ devices if they haven’t actively given their consent, the ICO is stressing that organisations must make it as easy for users to ‘reject all’ as it is to ‘accept all’.

ICO action in this area has seen a number of organisations (but certainly not all) implement consent management platforms (CMPs) to provide users with choices. Whether those CMPs are actually configured correctly is another matter.

Organisations should be mindful of this regulatory attention, and could also be the target of cookie compensation demands from individuals.

Are ‘consent or pay’ models okay?

The ICO’s focus on cookies has seen some websites move to a ‘consent or pay’ model. Under this model, access to online content or services depends on users either consenting to being tracked for advertising purposes (using cookies or similar technologies), or paying for access without being tracked.

This move has caused some controversy with questions over whether it can really be a fair choice. Let’s look at how it has come about, and I’ll use news content publishers as an example.

I remember the days when I had to buy a physical copy of a newspaper. Then everything went online, and we could all access this content for ‘free’. However, the publishers still needed a way to fund (and, dare I say, profit from) all the content they paid journalists to write. This has primarily been funded by running ads, targeted using cookies and other tracking technologies to optimise the user experience and revenues.

When a US senator asked Mark Zuckerberg how Facebook remained free, you may recall he famously and simply answered: “We run ads”. The same could be said for publishers and other website operators.

With websites pushed to make sure their activities comply with data protection and ePrivacy rules, we’ve seen more sites providing a “Reject all” button. However, if users increasingly click “Reject all”, alternative approaches are needed to fill a not insignificant revenue hole.

This led some publishers to introduce a full paywall. For example, for quite a while users had to pay to read most articles on the Telegraph or Independent websites. Other forms of advertising have been, and are still being, experimented with, such as ‘contextual advertising’, which doesn’t rely on cookies or similar technologies. However, there remain concerns that alternatives are not yet (and may never be) as profitable as cookies. Please also see Life after cookies.

Hence the emergence of the ‘consent or pay’ model which has been adopted by some website operators in the UK and elsewhere in Europe – notably news publishers.

The ICO’s take on ‘consent or pay’

The ICO’s new guidance states: “Consent or pay” models can be compliant with data protection law if you can demonstrate that people can freely give their consent and the models meet the other requirements set out in the law.

The guidance makes it clear the right to the protection of personal data needs to be balanced against other rights, such as the right to conduct business. We may have got used to lots of free news content, online games, and other free services, but the ICO recognises organisations should be able to monetise products, and there is no obligation for providers of online services to offer their services for free.

However, the ICO says any decision to adopt the ‘consent or pay’ model must be assessed and documented to make sure it is compliant with the UK GDPR and the Privacy and Electronic Communications Regulations (PECR). Businesses need to be able to justify their approach.

Four key factors are set out in the guidance to support this assessment. These are:

Power imbalance: Is there a clear power imbalance between you and the people using your product or service? It’s unlikely that people can freely give their consent if they have no realistic choice about whether or not to use the service. You should especially consider existing users of your product or service under this factor.

Appropriate fee: Have you set an appropriate fee for accessing your service without personalised advertising? It’s unlikely that people can freely give their consent if your fee is inappropriately high, making it an unrealistic choice.

Equivalence: Is your core service broadly equivalent in the products and services offered where people consent to personalised advertising and where people pay to avoid personalised advertising? You can include additional perks or features in either service, however you should provide an equivalent core service across all options to ensure that people have a free choice.

Privacy by design: Do you present the choices equally to people, with clear, understandable information about what each choice means and what they involve? People cannot freely give their consent if they are uninformed about the available options or have their choice influenced by harmful design practices.

Any business looking to use the ‘consent or pay’ model would be wise to read the Consent or Pay Guidance in detail.

It’s worth noting this model has also been scrutinised by EU Data Protection Authorities and is the subject of complaints by privacy rights groups. See the European Data Protection Board Opinion on Consent or Pay.

Draft guidance on the use of storage and access technologies

The ICO has also published draft Guidance on the use of storage and access technologies, which is open to consultation until 14 March 2025. This builds on the regulator’s previous ‘cookies guidance’, and has clearly been deliberately renamed to reflect the range of storage and access technologies which are in widespread use, alongside cookies. The aim is to give providers of online services a deeper understanding of how PECR, and where relevant, data protection law applies to the use of storage and access technologies.

In brief, PECR applies to any technology which stores information on, or accesses information stored on, a subscriber’s or user’s terminal equipment. The ICO says this includes, but is not limited to: cookies, tracking pixels, link decoration and navigational tracking, web storage, fingerprinting techniques, and scripts and tags. In a nutshell, the rules are:

  • You must tell users about any storage and access technologies you use, including explaining what they do.
  • You must collect prior consent unless an exemption applies, and such consent must meet the UK GDPR standard.
  • For the ‘communication’ exemption to apply, the transmission of the communication must be impossible without the particular storage and access technology.
  • For the ‘strictly necessary’ exemption to apply, the purpose of storage or access must be essential to provide the service requested.
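The rules above, and the earlier point that ‘reject all’ must be as easy as ‘accept all’, can be modelled in code. The following is an added example and not code from the ICO or from this post: a minimal consent gate in which every storage or access technology must declare its purpose, exempt technologies run immediately, and everything else waits for an explicit decision. All names (ConsentGate, register, decide) are hypothetical; it runs in Node without a DOM.

```javascript
// Added example, not code from the ICO or the original post: a minimal consent
// gate modelling the PECR rules above. All names are hypothetical; runs in Node.

// The two PECR exemptions under which storage or access needs no consent.
const PECR_EXEMPTIONS = new Set(['strictly-necessary', 'communication']);

class ConsentGate {
  constructor() {
    this.technologies = []; // { name, kind, purpose, exemption, run }
    this.granted = null;    // null = no decision yet; silence is never consent
    this.executed = [];     // names actually run, kept for auditing
  }

  // Each technology declares what it does (the "tell users" rule) plus either
  // a PECR exemption or the purpose the user will be asked to consent to.
  register(tech) {
    if (!tech.name || !tech.purpose) throw new Error('name and purpose are required');
    if (tech.exemption && !PECR_EXEMPTIONS.has(tech.exemption)) {
      throw new Error(`unknown PECR exemption: ${tech.exemption}`);
    }
    this.technologies.push({ ...tech, exemption: tech.exemption || null });
    this.flush();
  }

  // One call for either outcome: rejecting all is exactly as easy as accepting all.
  // A partial choice is { purposes: [...] }, so consent can be granular.
  decide(choice) {
    const askable = new Set(this.technologies.filter(t => !t.exemption).map(t => t.purpose));
    if (choice === 'accept-all') this.granted = askable;
    else if (choice === 'reject-all') this.granted = new Set();
    else this.granted = new Set(choice.purposes.filter(p => askable.has(p)));
    this.flush();
  }

  allowed(t) {
    return t.exemption !== null || (this.granted !== null && this.granted.has(t.purpose));
  }

  // Run whatever is allowed and not yet run; nothing else ever executes.
  flush() {
    for (const t of this.technologies) {
      if (this.allowed(t) && !this.executed.includes(t.name)) {
        this.executed.push(t.name);
        if (typeof t.run === 'function') t.run();
      }
    }
  }
}
```

The `executed` list doubles as an audit trail: on a correctly configured site it should never contain a non-exempt technology before `decide` has been called.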

It’s also worth noting the ICO says any UK-based organisation, even if it hosts its online services overseas, will need to comply with PECR.

In conclusion, every business with an online presence needs to carefully consider how they are using cookies and similar technologies, and requesting consent from users. Web and app developers in particular need to be aware of the regulatory landscape and have a good understanding of the rules.