In recent years, the “Consent or Pay” business model has garnered increasing attention among companies operating online platforms. If your organisation is contemplating the adoption of this model, this article serves as an essential guide.
The “Consent or Pay” model, while relatively novel, has sparked considerable debate, particularly concerning its legal viability and the ethical considerations it entails. This article will explore the key dimensions of this model, offering 3 critical insights for companies evaluating its implementation on their digital platforms.
.
Understanding the “Consent or Pay” Model
At its core, the “Consent or Pay” model presents users with two distinct choices when accessing online services:
- 1. Payment Option: Users can pay a fee to access the platform’s services or content without their personal data being collected, shared, or used for any marketing or profiling purposes. This option typically appeals to privacy-conscious users who prefer not to exchange personal data for free access.
- .
- 2. Consent Option: Alternatively, users can consent to the collection, processing, and use of their personal data, often in return for free access to services or content. In this scenario, the data collected may be used for targeted advertising, personalised content, or other commercial purposes.
This model effectively creates a trade-off between privacy and cost, introducing a new dynamic in the relationship between service providers and users.
.
Key Concerns with the “Consent or Pay” Model
The “Consent or Pay” model has sparked significant debate, particularly around the implications of monetising personal data. By positioning personal data as a form of currency, this model underscores the notion that privacy is something to be traded or bought. This raises several ethical and legal concerns:
-
• Monetisation of Personal Data: The model makes the monetisation of personal data more explicit than ever before. It signals to users that if they choose not to pay, their data will be collected and potentially sold or used for profit. This creates a dynamic where personal data becomes a commodity, raising questions about the true cost of “free” services.
- .
- • Impact on Lower-Income Users: One of the most pressing concerns is the potential for this model to disproportionately impact lower-income users. Those who cannot afford to pay may feel pressured to consent to data collection, compromising their privacy. This could lead to a digital divide, where privacy becomes a luxury only available to those who can afford it, exacerbating social inequalities.
- .
- • User Autonomy and Informed Consent: There is also the question of whether users can truly give informed and voluntary consent under this model. When the alternative is a potentially high fee, users may feel they have no real choice but to consent, calling into question the validity of such consent.
- .
Global Legal Perspectives: The EDPB Opinion
The legality of the “Consent or Pay” model is still being tested across various jurisdictions. In April 2024, the European Data Protection Board (“EDPB”) issued an Opinion specifically addressing this model, particularly concerning large online platforms. Although the EDPB did not define what constitutes a “large online platform,” the Opinion provides critical guidance:
- • Permissibility with Conditions: The EDPB confirmed that the “Consent or Pay” model is permissible under the General Data Protection Regulation (“GDPR”), but with stringent conditions. The consent obtained must meet the high standards set by GDPR—being freely given, specific, informed, and unambiguous.
- .
- • GDPR Compliance: Beyond consent, the implementation of this model must align with all relevant GDPR principles, including transparency, data minimisation, and purpose limitation. Companies must ensure that users understand what they are consenting to and that their data is handled in accordance with GDPR’s stringent requirements.
- .
- • Equivalence and Genuine Choice: Importantly, the EDPB emphasised that a pure “Consent or Pay” model should not be the default approach forward. Users must have an equivalent alternative that does not require payment. This means that any fee charged should not coerce users into consenting; there must be a genuine, free choice available to them.
- .
Implications for Malaysia: PDPA 2010 and Upcoming Personal Data Protection (Amendment) Bill 2024
In Malaysia, the “Consent or Pay” business model remains largely uncharted under the Personal Data Protection Act 2010 (“PDPA 2010”) and the forthcoming Personal Data Protection (Amendment) Bill 2024. However, as global trends influence local practices, companies in Malaysia should consider the following key points:
- 1. Legality and Feasibility in Malaysia: The “Consent or Pay” model is not explicitly prohibited under Malaysian law. Companies operating in Malaysia can explore this model, but they must do so with careful consideration of the legal landscape and potential regulatory scrutiny.
- .
- 2. Adherence to PDPA 2010 Principles: Any collection of personal data under this model must comply with the seven core data protection principles outlined in the PDPA 2010. These include the General Principle, Notice and Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle, and Access Principle. Compliance with these principles is non-negotiable and critical to the lawful implementation of the model.
- .
- 3. Transparency and Fairness in Pricing: If the “Pay” option is chosen, transparency in pricing is essential. The fees must be reasonable and should not unduly burden lower-income users. High prices should not be used as a tool to coerce consent, as this would undermine the concept of voluntary and informed consent. Companies should strive for a balanced approach, potentially offering alternatives beyond a strict “Consent or Pay” model, to ensure fairness and avoid regulatory challenges..
- .
Conclusion
The “Consent or Pay” model represents a significant shift in how companies interact with users and manage data. While it offers potential benefits in terms of monetisation and user engagement, it also introduces complex legal and ethical challenges. As your company considers this model, it is essential to stay informed about the evolving legal landscape, both globally and locally. By adhering to best practices and ensuring compliance with relevant data protection laws, your company can navigate the “Consent or Pay” model successfully while minimising legal risks and safeguarding user trust.
If your organisation is considering implementing the “Consent or Pay” model or you have any questions regarding its legal and ethical implications, our team of experienced lawyers is here to assist. Don’t hesitate to reach out to us for tailored advice and comprehensive support in navigating this complex landscape. We are committed to helping you make informed decisions that align with both legal requirements and your business objectives.
About the authors
Ong Johnson
Partner
Head of Technology & Corporate Practice Group
Transactions and Dispute Resolution, Technology,
Media & Telecommunications, Intellectual Property,
Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
.
Lo Khai Yi
Partner
Co-Head of Technology & Corporate Practice Group
Technology, Media & Telecommunications, Intellectual
Property, Corporate/M&A, Projects and Infrastructure,
Privacy and Cybersecurity
ky.lo@hhq.com.my.
.
Nicole Shieh E-Lyn
Associate
Technology & Corporate Practice Group
Technology, Media & Telecommunications, Transactions and
Dispute Resolution, Fintech, Privacy and Cybersecurity
nicole.shieh@hhq.com.my
More of our Tech articles that you should read:
- • Compliance Update: 10 Key Takeaways from Malaysia’s New Regulatory Framework for Internet Messaging and Social Media Services
- • The Hidden Perils of Software Subscriptions: Are High Early Termination Fees a TMT Litigation Time Bomb?
- • Navigating Competition Law in the Expanding Technology Industry: A Focus on Hardcore Horizontal Restrictions