Consent or pay – okay for Meta in the UK

ICO gives Meta the green light, but what do other businesses need to consider?

There’s been much debate about Meta’s use of personal information to target Facebook and Instagram users with advertising. Until now, targeted advertising was part of the standard terms and conditions for UK users of these services, but the Information Commissioner’s Office (ICO) says this is not in line with UK law. Meta is now planning to switch to a ‘consent or pay’ model, one which many of us are now familiar with when trying to access online newspaper articles.

Consent or pay (aka ‘pay or okay’) gives users a choice:
a) consent to being tracked for advertising purposes; or
b) pay for an ad-free service; or
c) leave without accessing the content.

It’s a model not without its fierce critics. How can consent be freely given? How can it be a genuine choice? There are clear battle lines between the right to privacy, data protection and ePrivacy laws on one side, and the right to conduct business on the other. The ICO seems to be trying to walk this tightrope.

In a statement the regulator has welcomed Meta’s decision to move to asking for the consent of users for targeted ads, saying:

“People must be given meaningful transparency and choice about how their information is used. At the same time, the ICO recognises that online platforms, like every business, need to operate commercially. There are a number of ways online platforms can do this in compliance with UK law and the ICO’s guidance.

“Under Meta’s chosen approach, people will be able to choose between consenting to personalised ads or paying a monthly subscription for an ad-free service – known as a ‘consent or pay’ model.”

A crucial point for the ICO is the price point for those who choose to pay. The ICO asked Meta to set a price which gives people a fair choice. As a result, Meta is said to have significantly lowered the starting price for a subscription, which will be close to half that of EU users.

The ICO says it will continue to monitor the roll-out of Meta’s changes, and indeed other companies’ use of consent or pay models.

4 cornerstones of ‘consent or pay’

“‘Consent or pay’ models can be compliant with data protection law if you can demonstrate that people can freely give their consent and the models meet the other requirements set out in the law.” – ICO

If you are using a consent or pay model, or considering implementing one, there’s the potential to find yourself on the regulator’s radar, so it’s worth familiarising yourself with the ICO guidance. This guidance makes it clear the right to the protection of personal data needs to be balanced against other rights, such as the right to conduct business. We may have got used to lots of free news content, online games and other free services, but the ICO recognises organisations should be able to monetise products, and there is no obligation for providers of online services to offer their services for free.

However, the ICO says any decision to adopt the ‘consent or pay’ model must be assessed and documented to make sure it’s compliant with the UK GDPR and the Privacy and Electronic Communications Regulations (PECR). Businesses need to be ready to justify their approach. The guidance sets out four key areas for an assessment to focus on.

1. Power imbalance: Is there a clear power imbalance between you and the people using your product or service? It’s unlikely that people can freely give their consent if they have no realistic choice about whether or not to use the service. You should especially consider existing users of your product or service under this factor.

2. Appropriate fee: Have you set an appropriate fee for accessing your service without personalised advertising? It’s unlikely that people can freely give their consent if your fee is inappropriately high, making it an unrealistic choice.

3. Equivalence: Is your core service broadly equivalent in the products and services offered where people consent to personalised advertising and where people pay to avoid personalised advertising? You can include additional perks or features in either service; however, you should provide an equivalent core service across all options to ensure that people have a free choice.

4. Privacy by design: Do you present the choices equally to people, with clear, understandable information about what each choice means and what it involves? People cannot freely give their consent if they are uninformed about the available options or have their choice influenced by harmful design practices.

What’s clear is the UK ICO is taking a more lenient approach to consent or pay than some of its European counterparts. The model continues to be scrutinised by EU data protection authorities, and is the subject of high-profile complaints by privacy rights campaigners. It would be wise to do even more homework if you operate in the EU: see the European Data Protection Board Opinion on Consent or Pay.

In all of this, while much ‘targeted’ advertising can be innocuous, in some cases ads can cause very real distress and harm when targeting goes awry. The BBC has written here about a case where mothers who lost their babies were still targeted with upsetting baby-related content.

UK email marketing rules

Is email marketing putting your business at risk?

Hardly a month goes by without an announcement from the UK’s Information Commissioner’s Office of another business being fined for falling foul of the email and SMS marketing rules. It continues to surprise me that some marketing and communications teams haven’t heard of the Privacy and Electronic Communications Regulations. They’ve been around since 2003 (far longer than GDPR), so businesses really have no excuse. Of course, there will always be some who want to try and get away with it.

Under PECR there are specific rules for direct marketing by telephone, email and SMS, plus rules for cookies and similar technologies. Here I’m going to focus on email marketing. The same rules apply to SMS and to other ‘electronically stored’ marketing messages, including picture or video messages, voicemail, in-app messages and personal messaging on social media.

Consent for business-to-consumer (B2C) marketing emails

Unless using the exemption below, you must collect consent before you send email marketing to what are termed individual subscribers. This definition covers people who personally subscribe to their email service provider, for example people who give you their personal gmail, hotmail or btinternet email address.

Soft opt-in exemption for business-to-consumer (B2C) marketing emails

There’s an exemption to consent for B2C email marketing, commonly known as the soft opt-in. This can only be used if all of the following criteria are met:
- the individual’s contact details are collected during the course of a sale (or negotiations of a sale) of a product or service;
- an opportunity to refuse or opt out of the marketing is given at the point of collection and in every subsequent communication; AND
- you only send marketing about your own similar products and services.

See PECR Regulation 22 and the ICO Guidance on Electronic Mail.

These strict criteria mean the ability for charities to rely on this exemption is very limited. However, the UK Data (Use & Access) Act 2025 amends PECR and introduces the ‘charitable purpose soft opt-in’, which we’ve written more about here.

Marketing emails to business contacts (B2B)

The rules on consent and the soft opt-in exemption do not apply to what are termed corporate subscribers. A corporate subscriber is described by the ICO as any corporate body (an entity with a separate legal status) with its own phone number or internet connection. For example, my work email address has the domain <name>@dpnetwork.org.uk. DPN Associates pays for this service, not me as an individual. Businesses don’t legally need consent to contact me at my DPN business email address. To quote the ICO on this:

“The PECR rule on direct marketing by electronic mail does not apply to corporate subscribers. For example, this means you can send B2B direct marketing emails or texts to any corporate body. You do not need their consent under PECR to send such messages.”

A couple of key points to bear in mind:
- A named business contact will still fall under the definition of personal data. Therefore B2B marketing to named individuals must comply with UK GDPR.
- Sole traders and some partnerships technically fall under the definition of individual subscribers, where consent or the soft opt-in exemption would be required.

The right to object

Everyone has the absolute right to object to direct marketing. This applies to both B2C and B2B marketing communications. Marketing emails should always have an unsubscribe link or clear instructions on how to opt out. Businesses also need to make sure everyone who has opted out of emails is not included again.

Global email marketing

If you’re a UK-based company sending marketing emails outside the UK, you’ll need to check the rules in the destination country. The rules in the recipients’ country will apply. The rules in Germany, for example, are stricter than they are in the UK. Rules differ across Europe and the rest of the world for B2C and B2B email marketing.

What about UK GDPR?

Once you’ve got the PECR rules straight, you also need to consider what’s necessary to comply with UK GDPR. For example, you should be transparent about your activities, fulfil the right to be informed, the right to object to direct marketing and so on. You also need to identify a lawful basis for your marketing activities and meet the requirements of that lawful basis.

Consent

If you’re relying on consent under PECR, the ICO tells us consent must meet UK GDPR’s standards. In other words, consent should be ‘freely given, specific, informed and unambiguous’ and must be given by the individual with a ‘clear affirmative action’. One of the big changes under GDPR was that the consent requirements became far stricter. It’s worth double-checking you’re meeting them. See: Consent – are you getting it right?

Legitimate interests

If you don’t have to rely on consent, your other option is legitimate interests. There is a handy table in the ICO’s legitimate interests guidance, under ‘Can we use legitimate interests for our marketing activities?’, which sets out when consent is required and when legitimate interests may be appropriate. It shouldn’t be a throwaway decision to rely on legitimate interests. GDPR requires you to carefully balance the legitimate interests of your business against the ‘rights and freedoms’ of the people you’re going to market to. You need to take care to make sure the rights of those whose data you’re collecting are not undermined by your business’s legitimate interests. We’d advise completing a Legitimate Interests Assessment (known as a balancing test) and keeping a record of it.

Other areas to be mindful of

Disguising a marketing message as a service message. Businesses will often need to send service messages by email for administrative or customer service purposes. These can be sent to everyone provided they only contain essential factual information for your customer, such as confirming an order, confirming a delivery date/time, and so on. However, if there’s any promotional content, for example an upsell or cross-sell message, they will be deemed to be direct marketing messages and PECR will apply. See Marketing and Service Messages.

Asking for permission to send marketing by email is deemed to be a marketing message in itself. So you can’t email people (‘individual subscribers’) to ask them to consent to marketing.

‘Hosted’ emails: this is where you use another organisation to promote your products or services to their database. This could cause a problem if you are judged to be the ‘instigator’ of these emails, especially in a B2C context, and valid ‘named’ consent wasn’t collected, i.e. your business wasn’t named when the other organisation collected consent.

The above are all areas where the ICO has taken action in the past. On the face of it, email marketing rules might seem a minefield of terms: consent, soft opt-ins, opt-outs, legitimate interests, sole traders and corporate subscribers. But once the rules are embedded in marketing teams’ heads and ways of working, it can make life easier and reduce the chances of unknowingly violating them and risking a fine.
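The PECR rules set out above (consent for individual subscribers, the three-part soft opt-in test, the corporate subscriber carve-out, the sole trader edge case, and the overriding right to object) are exactly the kind of logic a marketing platform should apply as a suppression check before every send. The following is an added example, not DPN’s or the ICO’s code; the Recipient fields and the sample addresses are assumptions constructed for illustration.

```python
"""Added example (not DPN's code): encode the PECR email-marketing rules as a
pre-send suppression check. Field names and the Recipient structure are
assumptions; sample addresses are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Recipient:
    email: str
    # "individual" (personal gmail/hotmail-style address) or "corporate"
    subscriber_type: str
    sole_trader: bool = False          # sole traders/some partnerships count as individuals
    has_pecr_consent: bool = False     # clear affirmative opt-in for *email* marketing
    has_objected: bool = False         # unsubscribed / objected to direct marketing
    # Soft opt-in criteria: all three must hold for the exemption to apply
    details_from_sale: bool = False    # collected during a sale or sale negotiations
    opt_out_offered: bool = False      # refusal offered at collection and in every message
    similar_products: bool = False     # message only promotes your own similar products


def pecr_email_permitted(r: Recipient) -> Tuple[bool, str]:
    """Return (allowed, reason). The right to object overrides everything else."""
    if r.has_objected:
        return False, "recipient has objected to direct marketing"
    # Sole traders and some partnerships are treated as individual subscribers
    effective_type = "individual" if r.sole_trader else r.subscriber_type
    if effective_type == "corporate":
        # PECR consent / soft opt-in rules do not apply to corporate subscribers
        # (UK GDPR still applies to the named individual behind the address)
        return True, "corporate subscriber: no PECR consent needed"
    if r.has_pecr_consent:
        return True, "individual subscriber with valid consent"
    if r.details_from_sale and r.opt_out_offered and r.similar_products:
        return True, "individual subscriber under soft opt-in exemption"
    return False, "individual subscriber without consent or soft opt-in"


def filter_send_list(recipients: List[Recipient]):
    """Split a campaign list into (allowed, suppressed), each as (email, reason)."""
    allowed, suppressed = [], []
    for r in recipients:
        ok, why = pecr_email_permitted(r)
        (allowed if ok else suppressed).append((r.email, why))
    return allowed, suppressed


# Constructed sample campaign list covering each branch of the rules
SAMPLE = [
    Recipient("alice@example-gmail.test", "individual", has_pecr_consent=True),
    Recipient("bob@example-hotmail.test", "individual",
              details_from_sale=True, opt_out_offered=True, similar_products=True),
    Recipient("carol@example-hotmail.test", "individual",        # no opt-out offered
              details_from_sale=True, opt_out_offered=False, similar_products=True),
    Recipient("dave@acme-corp.test", "corporate"),
    Recipient("erin@erin-plumbing.test", "corporate", sole_trader=True),
    Recipient("frank@acme-corp.test", "corporate", has_objected=True),
]

if __name__ == "__main__":
    ok, bad = filter_send_list(SAMPLE)
    for email, why in ok:
        print("SEND    ", email, "-", why)
    for email, why in bad:
        print("SUPPRESS", email, "-", why)
```

Two design points worth keeping when adapting this: the objection check comes first so an unsubscribe can never be overridden by a later "corporate" classification, and the soft opt-in is only honoured when all three criteria are recorded against the contact, since a missing opt-out at collection time (carol) invalidates the exemption.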

Yet more CC email data breaches

Despite a stark warning from the Information Commissioner’s Office last year that failure to correctly use the BCC field (Blind Carbon Copy) is one of the most common causes of breaches, the mistakes keep happening.

The ICO has recently fined and issued a reprimand to the Central YMCA for sending an email to individuals participating in a programme for people living with HIV. The CC field was used, thereby revealing the email addresses to all recipients. 166 recipients could be identified or potentially identified from this, and it could be inferred they were likely to be living with HIV.

Then we hear the Conservative Party has reported a breach to the ICO, after hundreds of email addresses were visible to all recipients in an email communication promoting the party’s annual conference. Again, a mistake in using CC rather than BCC; the latter would have kept email addresses private. And a mistake which has the potential to reveal people’s political affiliations.

Last year, in response to the number of breaches of this nature, the ICO published specific email security guidance to try and help organisations make sure their email communications are more secure. Such breaches can cause considerable distress and harm, especially if sensitive personal information is involved, or can be inferred from the context of the email. The regulator provides the following suggestions:
- Setting rules to provide alerts to warn employees when they use the CC field.
- Setting a delay, to allow time for errors to be corrected before the email is sent.
- Turning off the auto-complete function to prevent the system suggesting recipients’ email addresses.
- Making sure staff are trained about security measures when sending bulk communications by email.
- Using alternative, more secure bulk email solutions.

The Central YMCA and Conservative Party are not the first to find themselves in the spotlight for incorrectly using CC. Sadly, I suspect they won’t be the last.

A couple of years ago, HIV Scotland was fined for failing to protect personal data. An email was sent to 105 members of HIV Scotland’s Community Action Network (CAN). Email addresses were visible to all recipients in the CC field. Although the email addresses themselves may be considered fairly innocuous, due to the nature of the email the charity had inadvertently disclosed special category data. The ICO commented that assumptions could be made about individuals’ HIV status or risk from the data disclosed. The ICO investigation found a number of shortcomings in the charity’s email procedures, including inadequate staff training and an inadequate data protection policy.

The message is simple: the BCC method of bulk email is open to human error, and not advisable when sending bulk emails to multiple recipients and/or if the email could reveal sensitive information. Instead, the advice is to use other secure means, such as bulk email services. This would prevent the chance of mistakes being made. The ICO says it would also expect businesses to have policies and training in relation to email communications. It’s also worth checking out the National Cyber Security Centre’s useful Email Security Checklist.
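The ICO’s first suggestion above, a rule that alerts on use of the CC field, can be implemented as an outbound gate in a mail relay or send-hook. The following is an added example, not the ICO’s or DPN’s code: it parses a message, counts the addresses every recipient would see in To/Cc, warns or blocks (blocking outright when the list is flagged as sensitive, as in the HIV programme cases, or when the send is large enough that a bulk email service should be used), and can rewrite the message so all recipients move to Bcc. The thresholds, the `sensitive_context` flag and the sample message are assumptions constructed for illustration.

```python
"""Added example (not the ICO's or DPN's code): an outbound-mail gate that
catches the CC-instead-of-BCC mistake before a message leaves. Thresholds,
the sensitive_context flag and the sample message are assumptions."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 1   # more than one visible address is a disclosure risk
HARD_STOP = 50               # larger sends must go through a proper bulk email service
# headers that set_content() recreates on the rewritten message, so not copied
_REBUILT = {"to", "cc", "bcc", "content-type", "content-transfer-encoding", "mime-version"}


def parse(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message with the modern email policy."""
    return message_from_string(raw, policy=policy.default)


def visible_recipients(msg) -> list:
    """Addresses every recipient can see: To and Cc. Bcc is stripped on send."""
    return [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]


def hidden_recipients(msg) -> list:
    """Addresses in Bcc, which other recipients never see."""
    return [addr for _, addr in getaddresses(msg.get_all("Bcc", []))]


def check_message(msg, sensitive_context: bool = False):
    """Gate an outbound message. Returns (verdict, detail), verdict in
    {'ok', 'warn', 'block'}. sensitive_context marks lists (e.g. a health
    programme) where mere membership reveals special category data."""
    seen = visible_recipients(msg)
    if len(seen) > HARD_STOP:
        return "block", f"{len(seen)} visible recipients: use the bulk email service instead"
    if len(seen) > MAX_VISIBLE_RECIPIENTS:
        if sensitive_context:
            return "block", f"{len(seen)} addresses would be disclosed on a sensitive list"
        return "warn", f"{len(seen)} addresses visible to all recipients in To/Cc"
    return "ok", "no address disclosure"


def rewrite_to_bcc(msg, sender_copy_to: str) -> EmailMessage:
    """Move every To/Cc recipient into Bcc and put a non-disclosing address in To.
    smtplib.send_message() removes Bcc headers itself before transmission."""
    recips = [a for a in visible_recipients(msg) if a != sender_copy_to]
    fixed = EmailMessage()
    for name, value in msg.items():
        if name.lower() not in _REBUILT:
            fixed[name] = str(value)
    fixed["To"] = sender_copy_to
    fixed["Bcc"] = ", ".join(recips)
    fixed.set_content(msg.get_content())
    return fixed


# Constructed sample: a programme mailing with three participants in Cc
SAMPLE_RAW = """\
From: programme@charity.test
To: programme@charity.test
Cc: p1@example.test, p2@example.test, p3@example.test
Subject: Next support session
Content-Type: text/plain; charset="utf-8"

Hi all, the next session is on Thursday.
"""

if __name__ == "__main__":
    msg = parse(SAMPLE_RAW)
    print(check_message(msg))                          # warn
    print(check_message(msg, sensitive_context=True))  # block
    fixed = rewrite_to_bcc(msg, "programme@charity.test")
    print(check_message(fixed), hidden_recipients(fixed))
```

Hooked into a send path, the gate should default to blocking rather than rewriting for anything beyond a handful of recipients: silently moving 200 addresses to Bcc still leaves the organisation running bulk mail through a mechanism the ICO describes as open to human error, and the point of the HARD_STOP is to push that traffic to a proper bulk email service.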

PECR fine for invalid marketing consent

What lessons can we learn from the HelloFresh case?

HelloFresh used a marketing consent statement with a clear opt-in box for customers to tick, but the ICO has ruled the wording of the statement did not meet the requirements for consent to be specific and informed. The regulator has issued a £140k fine.

Sometimes the ICO issues fines under PECR based on only a handful of complaints; in this case, however, thousands of complaints were raised via the ICO spam reporting tool. The online meal order business was found to have sent over 80 million marketing email and text messages between September 2021 and February 2022 without first collecting valid consent.

When relying on consent for direct marketing under PECR, consent must meet the UK GDPR requirements: a freely given, specific, informed and unambiguous indication of an individual’s wishes, given by a clear affirmative action.

What ‘consent’ statement was used?

The consent statement HelloFresh used at the time was as follows:

“Yes, I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email. By ticking this box I confirm I am over 18 years old”.

This was relied on to send marketing emails and texts to customers with an active or paused subscription, and to former customers who’d cancelled their subscription within the last 24 months but had given their ‘consent’ for marketing. Users were able to update their communications preferences via an app, but the settings did not allow users to set preferences individually by channel, e.g. phone, text and/or email.

☛ Consent: Getting it Right

Key ICO findings

Two points were highlighted as being particularly relevant in this case:
- for consent to be valid it is required to be “specific” as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it;
- consent will not be “informed” if individuals do not understand what they are consenting to. Organisations should therefore always ensure that the language used is clear, easy to understand, and not hidden away in a privacy policy or small print.

The ICO found HelloFresh’s statement did not satisfy the requirement for consent to be “specific” and “informed” because:
- Consent for marketing was not clear, as it was bundled in with other aspects. It combined an age confirmation statement and consent to receive free samples with consent for marketing by email.
- It failed to tell people about text messages and thereby failed to collect valid consent for marketing by text message.
- Customers were not told they could receive direct marketing messages for up to 24 months after they’d cancelled their subscription.

Key takeaways (no fresh veg included, I’m afraid)

✓ Collect consent separately for different aspects/activities – don’t bundle everything into the same tick box

In my opinion, using “I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email” would have been okay for email marketing. The big problem was adding “By ticking this box I confirm I am over 18 years old”. This clearly should have been separate, and the ICO found this was likely to ‘unfairly incentivise’ customers to agree.

✓ Collect consent separately for each marketing media channel you want to use for communications, e.g. telephone, text and email

In my opinion, HelloFresh may have avoided regulatory scrutiny if the statement had at least mentioned ‘via email and text’. The safest approach (from a regulatory perspective) is to collect consent by channel. Also, in our experience, people may want email but not texts, so separating them can optimise email opt-in.

✓ Don’t assume you can continue sending marketing to people after they have cancelled a subscription with you

The last point is interesting and a little surprising. The ICO is indicating that even if a customer has consented to marketing when they take out a subscription, this may not be valid once the customer ends that subscription, unless people are made aware of this when they give their consent. I doubt this point would ever have been picked up if HelloFresh had clearly collected consent for marketing by text in the first place.

Picking through the detail of ICO fines under PECR is always worth doing. The findings can give a nudge to check you aren’t doing anything similar. The full details can be found in the ICO’s enforcement notice.

Marketing messages and service messages

How to avoid falling foul of the PECR rules

Many businesses need to send important or essential messages to their customers by email or SMS, or may telephone them. But if the content of these messages strays into being promotional in nature, the marketing rules under the UK’s Privacy and Electronic Communications Regulations (PECR) will apply. The Information Commissioner’s Office has issued a number of fines over the years where marketing messages have been ‘disguised’ as service messages. I’ve included a few examples below. The risk for businesses is that it can take just one, or a handful of, complaints to cause a problem.

What’s a service message?

Essentially, a service message is a communication sent to individuals purely for administrative or customer service reasons. Such messages must be neutral in tone, providing just important and necessary information. The ICO tells us these must not include any advertising or promotional materials and that the key is in the ‘phrasing, tone and context’. Pure service messages can be sent to everyone provided they only contain essential factual information for your customer. Some examples would include:
- confirming an order/purchase
- confirming a delivery date/time
- providing necessary event information when someone has purchased a ticket (free or paid for)
- notifying people you require certain information to comply with the law, for example an airline requesting passport information before an overseas flight
- informing service users about essential changes, for example telling leisure centre members the swimming pool has been unexpectedly closed
- communicating changes to the terms and conditions of a contract or agreement the individual has with you, or material changes to privacy information

What’s a marketing message?

If a message is actively promoting or encouraging an individual to make use of a particular service, a special offer or an upgrade, for example, then it is likely to be direct marketing. This would include where part, but not all, of the message or phone call is of a promotional nature. The Data Protection Act 2018 defines direct marketing as:

the communication (by whatever means) of advertising or marketing material which is directed to particular individuals.

This definition also applies under PECR. It’s a broad definition and covers any advertising, marketing or promotion of products and services directed at a specific individual or individuals. It also includes promoting aims and ideals, so covers fundraising and campaigning.

Regulatory communications

Some businesses, for example in the financial sector, will be required by a statutory regulator such as the Financial Conduct Authority to make people aware of specific information. The ICO has published direct marketing and regulatory communications guidance. Again, it depends on the context and tone of the message, but some examples are provided of messages which are unlikely to count as direct marketing:
- give advance warning of changes to terms, conditions or tariffs
- explain about statutory complaint or compensation schemes
- warn about fraud and how to report it
- remind people of how to get in touch if they are struggling with payments
- provide offers of support for those customers most at risk of harm.

Where businesses have got it wrong

Navigating the line between service messages and marketing messages can be tricky, as the following companies discovered. We all have feet of clay; I’m sure many other organisations are shimmying along this regulatory tightrope, some consciously pushing the boundaries, others inadvertently breaking the rules.

American Express

In 2021 AMEX was fined £90,000 for sending 4 million emails, which were judged to fall under the definition of direct marketing, to customers who’d not given their consent or who’d opted out of marketing. The nature of these emails ranged from encouraging people to download the AMEX app, to how to make the most of an AMEX card, rewards and offers, how to earn more rewards by referring friends, getting an improved rate on cashback, and so on.

The key here is AMEX’s decision to internally classify these emails as ‘service’ messages, which is why customers who’d opted out of / objected to marketing still received them. The ICO disagreed and determined these were direct marketing, and marketing opt-outs should have been applied. And just to be clear, in this case the ICO found AMEX hadn’t deliberately flouted the rules, but did find them to be negligent.

In its defence AMEX said the emails were an integral part of the service they provide to AMEX customers. Their argument was that a crucial aspect of being an AMEX customer was taking advantage of member benefits. They said this was cited by customers as one of the primary reasons for having an AMEX card. AMEX therefore determined these messages were necessary and “required to be sent based on legal and contractual requirements”.

The ICO, however, assessed the content of the emails and found the following:
- The emails encouraged customers to use their AMEX credit cards to make purchases or, in specific cases, download an app.
- The emails were clearly of an advertising and promotional nature.
- None were “neutrally worded and purely administrative”.

Whatever their stated purpose internally, the ICO found the email content fell under the definition of direct marketing. The emails were aimed at encouraging customer actions from which AMEX would financially gain.

The penalty notice reveals AMEX received twenty-two complaints about ‘service’ emails during the period investigated. Five people complained directly to the ICO, some after initially raising their concerns with AMEX (but not all). It’s also worth noting some people complained because AMEX refused to let them opt out, because it viewed the messages as service ones not requiring an opt-out capability.

What struck me was the tiny percentage of complainants, especially when you consider AMEX sent out four million emails (admittedly this figure is likely to include repeated emails to the same individuals). It starkly illustrates how only a few complaints can cause a world of pain. (There have been cases in the past based on a single complaint.)

Halfords

In 2022 the ICO fined Halfords £30,000 for sending half a million emails without consent. This case shows how just one complaint directly to the ICO triggered unwelcome scrutiny.

Halfords sent an email campaign to customers letting them know about a Government ‘Fix your Bike’ scheme during the Covid pandemic, whereby cyclists could take advantage of a voucher towards repairs. The voucher could be used with any of a list of approved repairers or mechanics. This was sent to customers who had opted out of marketing in the past, and the email contained a disclaimer stating: “This is a service message and does not affect your marketing opt-in status.” The email didn’t include an unsubscribe link.

In exchanges with the ICO, Halfords claimed they were acting in the public interest to support a Government scheme in a one-off campaign during the pandemic. Halfords also pointed to the fact that 3,700 people took up the opportunity to claim the voucher, and that they themselves received only seven complaints from almost half a million ‘service’ messages.

However, the ICO said the content of the email promoted Halfords, and was therefore a marketing message. It was found to imply a connection between Halfords and the scheme, emphasising the service provided by Halfords. People were told to “Visit halfords.com to find out more now”. The regulator said this not only signposted individuals to the company’s website but included ‘a sense of urgency in the messaging, which is a typical marketing strategy.’

The enforcement notice reveals how much information companies need to provide when they end up on the ICO’s radar:
- A lack of clarity was initially provided surrounding the numbers of emails delivered/received.
- No policies and procedures existed to guide staff in respect of PECR.

It goes to show it’s all very well to have a Data Protection Policy, but having specific marketing guidelines shouldn’t be overlooked.

What lessons can we learn?

It pays to carefully scrutinise any service messages which may be in danger of crossing the line. Give your staff clear policies/guides on the marketing rules and your internal approach. These cases, and others before them, show the ICO takes a strict interpretation and a handful of complaints can put you firmly in their sights.

Cookie compensation demands

A quick buck for non-compliance?

What’s darkening our e-doormat this morning? It’s not a letter from the Information Commissioner’s Office. It’s not ransomware or a phishing attempt. No… it’s the dreaded cookie compensation demand!

Increasingly my colleagues and I, and friends in the data protection space, hear reports of official-looking, legally-laden letters being received by companies. The simple message: your cookies are non-compliant, this is distressing me and I want money from you. And everyone’s a potential target – any size of business, any sector. We know of small agencies through to blue chips receiving these letters.

They aren’t complaining to a regulator; they’re coming straight to your front door or inbox. Unlike the well-known privacy group noyb, who threaten to raise a formal complaint with a regulator if the offending company doesn’t remedy violations within a specified time, these demands from individuals would appear to have the sole aim of earning a quick buck. For me, such letters leave a nasty taste, especially when smaller businesses or not-for-profits are targeted and where cookie use is limited.

How do they know our cookies aren’t compliant?

It’s easy to find out what cookies are used by any website. There are a number of free tools into which you can just pop a website domain name, and hey presto! A scan is run and the results returned, revealing any cookie sins you may have committed.

What’s the claim?

Generally the claim letters allege non-essential cookies are being dropped onto users’ devices automatically, without clear information about their purposes and without consent. If a cookie banner is present, the claim will be that it’s not compliant with UK GDPR / the Privacy and Electronic Communications Regulations (PECR). The letters often assume personal data is captured by the cookies, which may or may not be true. However, remember the PECR rules apply to cookies and similar tech regardless of whether the data they collect is personal or not.

The letters will claim distress or damage has been caused as a result of the placement of cookies onto the user’s device. It’s worth noting the right to compensation isn’t automatic; the claimant must be able to prove ‘damage or distress’. As for how much, this isn’t nearly as scary as the realms of ransomware, with typical compensation demands in the region of £500-£1000.

To pay, or not to pay?

Companies are of course taking different approaches. In our experience many are ignoring them, and never hear from the complainant ever again. Others are standing their ground and asking for evidence of distress or damage. While some take a look at their cookies and similar tech and think, okay, fair cop, we aren’t compliant so we’ll pay.

If you pay out, do you need to quickly get your cookie house in order? There’s the risk that if you don’t, they could be back in a few months’ time if you’ve not successfully resolved any issues.

What are the cookie rules?

Before we blame GDPR, the rules for cookies and similar technologies in the UK are set out in PECR. Other countries across Europe have similar (but not identical) rules derived from the European ePrivacy Directive. In short, we need to provide meaningful information to people about the categories of cookies and similar tech we use, and gain consent for any cookies which are not strictly necessary.

Different regulators across Europe have taken slightly differing approaches to what would be considered strictly necessary. Here in the UK, for example, website statistical cookies are not considered strictly necessary. (This could potentially change under government plans to reform data laws; you can read more about this here.) However, the French regulator, CNIL, for example, accepts statistical cookies as strictly necessary.

When GDPR came into effect in 2018, consent needed to meet a higher standard. The days of implied consent were over. This is why we’re greeted by a barrage of cookie banners and notices wherever we go online.

The reason these compensation demands are possible is that under PECR, people who have suffered damage or distress as a result of a contravention of the rules are entitled to bring proceedings against the offending party and seek compensation for that damage. Similarly, under GDPR people have the right to receive compensation where they’ve suffered material or non-material damage due to an infringement of the law.

What can we do to protect ourselves?

The only way to completely avoid a cookie compensation demand is to understand what types of cookies and similar tech are used by our website(s), behave transparently with a clear notification, and collect informed consent for any which aren’t strictly necessary. The ICO Cookie Guidance illustrates what types of cookies might be considered strictly necessary.

There are lots of cookie consent management platforms on the market, some of which are free. However, if your cookie use is quite sophisticated, or you have sub-domains, a free option might not be enough.

Alternatively the options are to ignore, stand your ground or pay out.

I’ve heard a little rumour that one of the posse of cookie claimants is an in-house DPO who does this as a side hustle. And if you ask me, it’s just not cricket.
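The self-audit the post recommends, knowing which cookies your own site sets before anyone has consented, can be done from the Set-Cookie headers of a first, pre-consent response to your own site rather than with a third-party scanner. The following is an added example, not DPN’s or the ICO’s code: it parses Set-Cookie headers, compares them against your documented strictly-necessary list (applying the UK position that statistics cookies are not strictly necessary) and reports anything that needs consent, with its lifetime and domain so the finding can go straight into your cookie notice. The cookie names, the allow-list and the sample headers are constructed for illustration.

```python
"""Added example (not DPN's or the ICO's code): audit the Set-Cookie headers
your own site returns on a pre-consent visit and flag anything outside the
documented strictly-necessary list. Names, allow-list and headers are
constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Your documented strictly-necessary cookies (constructed names). In the UK,
# analytics/statistics cookies are NOT strictly necessary, so they are absent.
STRICTLY_NECESSARY = {"site_session", "csrf_token", "cookie_consent"}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def persistent(self) -> bool:
        """Session cookies carry neither Max-Age nor Expires."""
        return "max-age" in self.attrs or "expires" in self.attrs

    @property
    def lifetime_days(self) -> Optional[float]:
        ma = self.attrs.get("max-age")
        return int(ma) / 86400 if ma and ma.lstrip("-").isdigit() else None


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value; Attr=val; Flag ..."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in rest:
        if not part.strip():
            continue
        k, _, v = part.strip().partition("=")
        attrs[k.lower()] = v if v else None   # bare flags (Secure, HttpOnly) map to None
    return Cookie(name.strip(), value.strip(), attrs)


def audit_pre_consent(headers: List[str], consent_given: bool = False) -> List[dict]:
    """Findings for cookies set without consent that are not strictly necessary."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if c.name in STRICTLY_NECESSARY or consent_given:
            continue
        findings.append({
            "cookie": c.name,
            "persistent": c.persistent,
            "lifetime_days": c.lifetime_days,
            "domain": c.attrs.get("domain"),     # set when the cookie is scoped beyond the host
            "issue": "non-essential cookie set without consent",
        })
    return findings


# Constructed Set-Cookie headers as a first, pre-consent response might return them
SAMPLE_HEADERS = [
    "site_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrf_token=xyz; Path=/; Secure; SameSite=Strict",
    "stats_visitor=v-9981; Path=/; Max-Age=63072000; SameSite=Lax",
    "ad_profile=seg-44; Domain=.ads-network.test; Path=/; Max-Age=31536000; Secure; SameSite=None",
]

if __name__ == "__main__":
    for finding in audit_pre_consent(SAMPLE_HEADERS):
        print(finding)
```

In practice the headers come from an HTTP client that sends no cookies and clicks nothing, and you would also capture cookies set by scripts (document.cookie) from a headless browser, since those never appear in response headers; the classification step is the same either way.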