One of the biggest areas of confusion in data protection law surrounds the role of consent. Put simply, does an organisation need somebody’s permission to collect their personal information? Many organisations think the answer to this question is necessarily ‘yes’. Whilst asking for consent may be the best way to develop an ethical and transparent relationship with someone – be it a customer or an employee – in many cases consent will not be feasible or appropriate.
What does the law say?
The way EU data protection law (the GDPR) is framed does not help here. It provides a number of conditions for legitimising the processing of personal information. ‘Consent’ is first on the list and is often considered to have primacy over the other conditions, which perhaps has led to the widespread belief that you should go for consent first and only rely on an alternative condition if you cannot obtain consent. Consent has become a ‘first amongst equals’ in data protection law. That is not how the law is meant to work.
Is consent always possible?
The perceived primacy of consent has led to consent being sought in very inappropriate circumstances. When the GDPR came in, some organisations hurriedly amended employee contracts so they would have their employees’ consent to keep their HR records. So what happens if an employee says ‘no’? Do you continue to employ them but not keep any records about them? Highly unlikely. A former colleague from one of the south European data protection agencies told me their police force routinely obtains consent from people they arrest to process their personal information.
Freedom of choice – or not?
This all comes down to freedom. We would all agree that consent is about choice and about being free to say ‘yes’ or ‘no’. That in turn depends on having sufficient information about the consequences of that choice, to be able to make an informed decision. So far so good. However, data protection regulators are not making this easy. They have a tendency to require organisations to obtain consent when the law may not require this. Or, they can have such a restrictive take on consent being ‘freely given’ that it can hardly ever be valid.
You always consent to something because you want something in return. One regulator argued that if someone is asked to consent to the collection of their personal information in order to use the wi-fi in a shopping centre, the consent cannot be valid because withholding consent would mean that they could not use the wi-fi. It seems odd that someone is free to give their consent to a life-saving operation but not to use the wi-fi in a shopping centre. If this approach prevails – as it probably will once the new European Data Protection Board gets going – then, ironically, there is the danger of individual consent being pretty-much written out of data protection law.
What’s special about consent?
There is something special about consent – if used in the right context. It can empower people and give them genuine control over how their personal information is collected and used. Maybe the best example of this is in direct marketing. Typically, the legal position is unclear. The GDPR says that direct marketing can be in an organisation’s ‘legitimate interests’, meaning that consent is not necessarily needed. However regulators have given fairly clear signals, even if they may be blurring the distinction between good practice and legal requirement, that marketing should only be carried out on the basis of consent.
Consent for marketing – or not?
Many organisations that carry out marketing have cut through the legal uncertainty, have bitten the bullet and have gone for a clear opt-in approach to marketing. This has on occasion caused civil war between marketing departments and the data privacy team. Certainly the marketing databases of companies we have worked with have shrunk by maybe 75%, but this leaves a residual 25% of people who actually do want to receive marketing. Apparently conversion rates on mail-outs are far better than before and most marketers seem happy with the result. Sending relevant offers to people who want to receive them is surely the way to go, as well as giving people an easy way to stop marketing if they change their mind. Also, a consent model is probably the best way to future-proof against the impending change to the rules on electronic marketing; changes to EU law rarely make things easier.
For consent to be valid, it has to be ‘informed’. On the face of it, understanding what you are being asked to agree to is a fairly straight forward proposition - “if you tick here you will receive marketing emails from us.” In other cases it’s far more complex. How informed does informed have to be? Think of the tech companies – search engines, social media etc. The moment you input a search query or click to download an app, a long, complex chain of information processing, involving multiple actors, is initiated. Also, look at how an ad network works. How do you explain that to Joe Public, so they know whether to give their consent or not?
What does the public want?
It seems that companies like Google are being criticised – and enforced against – for being insufficiently granular in the choices they offer their service users, but does the average internet user really want a long list of highly technical choices? Cookie fatigue is bad enough already. Maybe what the public wants is as simple and functional an online experience as possible, but with the knowledge that regulators are doing their job and protecting them from data misuse. The ICO was working on a kite-mark scheme intended to give people that reassurance but abandoned the project due to other pressures and a range of practical difficulties. Hopefully they will resurrect the idea at some point.
Too much information?
So what standards are Google and similar organisations meant to reach? Can they ever rely on consent to legitimise what they do? They are between a rock and a hard place. They are being told they need consent - when arguably the law provides alternatives to this, and even if they do need consent the standards they are expected to meet are either unclear or may be impossible to meet in practice, without confronting internet users with an impenetrable matrix of endless privacy notices (although the GDPR requires them to be ‘concise’) and ultra-granular choices that few people could be bothered to make.