1. Option C: Consent or Pay Model (UK, ES, DE, AUT and FR only)

Ensure that your Consent or Pay Model complies with applicable data protection law, including GDPR (and UK equivalent), as well as guidance, decisions or opinions issued by relevant supervisory authorities, in particular as it concerns the collection of users' valid consent; and that you have performed the necessary assessments to this effect.

Validity of your Consent or Pay Model

1. Ensure your Consent or Pay Model meets the conditions for a valid and freely given consent in accordance with applicable data protection law.

2. You have performed the necessary assessments to support number 1 above, with regards to the appropriateness of the fee charged, the equivalence of the services offered, the absence of power imbalance* and the “privacy by design” aspects of the model and these assessments must remain valid for as long as the Consent or Pay Model is in use.

3. You do not hold more than 25% market share in the relevant market in which you operate and/or in which the digital property using Utiq Technology is active.

4. You inform Utiq if any of the above changes.

* For customers subject to EU law and relevant EU guidance, decisions and opinions, confirm that you do not classify as a “very large online platform” (“VLOPs”) or “gatekeeper” within the meaning of (i) the Digital Services Act (Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC), (ii) the Digital Markets Acts (Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828) or (iii) applicable European Data Protection Board (EDPB) guidance and inform Utiq promptly if this would not be the case anymore.

Ensure users are provided with sufficient transparency information to support choice and control over the processing of their personal data.

You must provide clear information about each of the options in your Consent or Pay model using concise, clear and plain language to enable people to make an informed decision.

1. The consent text must clearly explain what each option means, the consequences and the impact it will have on data processing.

2. If there is a summary section, main CMP provides a clear summary of the differences between the options.

The main CMP title must be adequate

1. The main CMP title must not only reference or concern cookies. It must also address other similar technologies, given that Utiq falls under “other similar technologies” and is not a cookie per se.

2. The main CMP title must be adequately worded, describing both the “Consent” and “Pay” options, with clear wording used and creating no ambiguity regarding the options available to the user.

Valid consent must be obtained for Utiq technology activation and operation

It should be sufficiently clear that Utiq technology is used by the digital property (i.e., website or app) - Visual elements (e.g. Utiq logo) must be used to draw the attention of the users on the presence of also Utiq.

When integrating Utiq consent text in a CMP making use of Consent or Pay model you must ensure that:

1. The Utiq consent text (v4.0) is used and displayed within the 1st layer of the CMP without modifications.

2. Utiq consent text is shown in the same form as the digital property's own consent text (same size, font, colour).

3. Sub-title provided by Utiq is implemented without any variations.

4. Utiq logo is placed next to Utiq consent text sub-title.

5. Utiq consent text is inserted in an appropriate location within the 1st layer to ensure visibility and distinct from other consent wording.

6. In case scrolling is required to view Utiq consent text, Utiq logo is placed in a fully visible section of the CMP not requiring scrolling down. The most logical place is expected to be next to the mention of use of similar tracking technologies by inserting “(including Utiq)”.

   1. Where technically possible, Utiq logo should be clickable and, if clicked, it should automatically direct the user to the Utiq section including the full Utiq consent text).

   2. Where not technically feasible, the text must include additional wording to make it clear to the user that they can find the relevant information by scrolling further down or opening another section (example “(including Utiq (see below)”).

7. If the digital property is listing the purposes as accordions in the 1^st layer, Utiq must be listed as accordion as well.

8. No reliance on deceptive design patterns [1] and [2] that could compromise the visibility of Utiq consent.

Users must be provided with equivalent selection options, displayed with an equivalent design.

The “Accept” and “Pay” buttons are transparently labelled and presented on both the first and second layer.

The “Accept” and "Pay" buttons should be:

1. Located in the first and second layers of the CMP.

2. Equally visible (factors to consider here are size, font and location for example).

3. Clear wording used, creating no ambiguity as to the function of each option/button in both the first and second layers (e.g. avoid “continue to read for free” or “subscribe for all content”).

4. Consent button should not make reference to “cookies” only, it should also mention “other similar technologies”.

5. No reliance on (other) deceptive design patterns [1] and [2].

6. In case scrolling is required to view Utiq consent text, the buttons should always be displayed and placed in a fully visible section of the CMP (i.e. the accept/pay buttons do not disappear with the scrolling down).

Paying journey is functional and easy.

1. Paying journey is functional (effectively works)

2. Paying journey is easy

It must be as easy for users to refuse and withdraw consent as it is to give consent.

Correct configuration of consent/accept and pay/reject functions

The CMP must be configured to ensure that Utiq calls are only triggered if user consents to the activation of Utiq technology.

1. Utiq technology must be off by default.

2. No Utiq calls to enable the Utiq technology shall be triggered if a user specifically:

   1. selects the “pay” option

   2. rejects consent to the use of Utiq technology

   3. makes an overall rejection of all non-essential cookies and other tracking technologies

   4. rejects Utiq custom purpose and/or Utiq custom vendor.

3. Only strictly necessary cookies (i.e., utiq_consent_status) can be dropped if user denies consent to non essential cookies and other similar technologies.

The digital property’s main consent text must clearly explain how users can exercise their data protection rights.

1. The digital property’s main consent text should include information on the withdrawal options for both the Consent and Pay selection options.

2. If a user withdraws their consent, Utiq technology must be switched off/disabled.

3. There should be a clear distinction between withdrawal of consent and paid subscription workflow - the withdrawal workflow should not directly and immediately trigger a payment process. Instead, users should be informed about the consequences of withdrawing consent first, and only then offer a clearly separate, voluntary subscription option.

4. Consent withdrawal should be free of charge.

Implement 1^st layer Utiq opt-out function

A function to open the second layer of the CMP where the end users can granularly reject the activation of the Utiq technology (using the Utiq custom purpose) will be made available to end users in the “Accept” part of the CMP (within the Utiq consent text).

1. The word “reject Utiq now” in the Utiq consent text 1st layer sentence “You can reject Utiq now” triggers a function to open the second layer of the CMP where the end users can granularly reject the activation of the Utiq technology (using the Utiq custom purpose).

It must be possible for users to view the purposes in a granular way. Specifically, users should be able to make granular choices for Utiq via distinct tick boxes.

Utiq technology purpose included in 2nd layer of CMP (as Utiq custom purpose)

1. Utiq 2nd layer consent text must be added in an appropriate location (as Utiq custom purpose).

2. Where technically possible, Utiq logo must be placed next to Utiq 2nd layer title.

3. Specific accept and reject options must be placed next to Utiq consent (Utiq 2nd layer text).

4. No reliance on deceptive design patterns [1] and [2] that could compromise the visibility of Utiq consent.

Implement hyperlinks in clickable elements within Utiq consent text (1st layer and 2nd layer)

The Utiq consent text contains clickable elements:

• consenthub

• Utiq's Privacy Statement

• supported internet connection

• for advertising or analytics activities

• across our property(ies)

• reject Utiq now (“You can reject now”)

Implement hyperlinks that open in a new page for clickable elements within Utiq consent text:

• consenthub → https://consenthub.utiq.com/

• Utiq’s privacy statement → https://consenthub.utiq.com/pages/privacy-statement

• supported internet connection → https://consenthub.utiq.com/pages/privacy-statement#telecom-operators. The reference to supported internet connection of participating telecom operators in scope within the Utiq consent text must be correctly hyperlinked and direct the user to the relevant section within the Utiq privacy statement which contains the list of all participating telecom operators per country.

• for advertising or analytics activities → this function will open the Advertiser/Publisher’s own privacy statement.

• across our property(ies) → https://consenthub.utiq.com/pages/digital-properties?domain=[INSERT DIGITAL PROPERTY] with already pre-filtered the digital property (e.g. website/app) the user is coming from. This page lists the cross domain websites in scope (i.e., all digital properties that would make use of the same martechpass value), providing transparency also on Group of companies and Data Controllers.

• You can reject Utiq now → a function to open the second layer of the CMP.

Configurable elements within the Utiq Consent text must be populated with the Data Controller information

The Utiq consent text (1st layer) contains the following configurable elements:

• [DATA CONTROLLER]

• [BUTTON WORDING FOR PAY OPTION]

• https://consenthub.utiq.com/pages/digital-properties?domain=[INSERT DIGITAL PROPERTY]

Populate dedicated configurable elements with your details:

• [DATA CONTROLLER] → Data Controller’s name and legal form (i.e. the legal entity that owns the website as mentioned on the website’s Privacy Policy page)

• [BUTTON WORDING FOR PAY OPTION] → label/wordings used for the “Pay” option button

• across our property(ies) → https://consenthub.utiq.com/pages/digital-properties?domain=[INSERT DIGITAL PROPERTY] with already pre-filtered the digital property (e.g. website/app) the user is coming from (e.g. example.com - without www).

The digital property's main CMP must be easy to locate and resurface to facilitate withdrawal of consent at any time

You must give people an easy way to withdraw their consent and you must make this easily accessible on your service at all times.

1. The option to resurface the website main CMP shall be located in an easily visible place for the user to find. Usually, this will be at the bottom of the page.

2. The option must be present in all the pages of the website (i.e. not only in the Homepage).

3. The name of the functionality (e.g., link or icon) should use clear wording to enable the user to make use of the functionality to manage their consents.

4. The wording used must not reference only cookies, but also other similar technologies (in case such wording is used).

5. No reliance on deceptive design patterns [1] and [2] (e.g., different size, font, colour or inappropriate location), accessible with 1 click, not hidden by other banners in the websites, colour of text contrasts sufficiently with the background)

The website should make its “Privacy policy/notice/statement” easily accessible at the bottom of all pages

As per core requirement.

1. The option to open the Privacy Statement shall be located in an easily visible place for the user to find. Usually, this will be at the bottom of the page.

2. The option to open the Privacy Statement must be present in all the pages of the website (i.e. not only in the Homepage).

3. No reliance on deceptive design patterns [1] and [2] (e.g., different size, font, colour or inappropriate location, accessible with 1 click, not hidden by other banners in the websites, colour of text contrasts sufficiently with the background).

Consent validity timeframe (the time after which consent should be re-requested)

The consent validity timeframe (the time after which consent should be re-requested) for Utiq consents is aligned with your CMP consent validity timeframe and up to a possible 13 month maximum period.

martechpass TTL is 90 days.

Main CMP’s consent validity timeframe is no longer than 13 months.

Utiq shall not be enabled for users that have already consented unless consent is refreshed to cover Utiq consent

As per core requirement.

1. Utiq technology must be activated only to new users accepting Utiq consents. Utiq technology cannot be activated for users who previously “accepted” with another consent model before Utiq was implemented.

2. If the website/app was already live with Utiq technology with another consent model (e.g. standard “Integrated Model” or “Utiq Separate pop-up”) and then it moves to “Consent or Pay Model”, a refresh of consent collection/reprompt of consent banner to all users is required.

Evidence of consent

It should be technically possible for the Advertiser/Publisher to provide evidence of Utiq consents captured.

It should be technically feasible for Utiq to monitor that each consent has effectively been provided.

1. Ensure that you are keeping track of the version of your Consent Notices that includes Utiq consent.

2. Ensure that the Evidence of Consents feature in your CMP console is correctly capturing the user’s preferences for the Utiq consent.

Utiq consent withdrawal mechanism are in place

As per core requirement.

1. The following 3 ways for users to withdraw Utiq consents should be in place:

   • CMP: by re-opening the CMP and changing the Utiq preferences, the users can withdraw Utiq consent.

   • Manage Utiq via the consent revocation dedicated functionality: users can revoke their Utiq consent directly through your site. The revocation will only apply to your site in this case.

   • consenthub.

2. The above should be implemented in accordance with Utiq technical requirements to ensure correct synchronisation with consenthub.

Vendor name

Utiq

Privacy Policy

https://consenthub.utiq.com/pages/privacy-statement

Purpose based on consent

→ 2nd layer Utiq consent text