If there was a prize for the most controversial provision in the draft EU Data Protection Regulation, it would probably be won by the article dealing with consent. From Member States' governments to
If there was a prize for the most controversial provision in the draft EU Data Protection Regulation, it would probably be won by the article dealing with consent. From Member States' governments to European Parliament's committees, everyone seems to have a very strong opinion of that article. A number of European governments have already used their representation on the Council of the EU to criticise the legal uncertainty created by the draft provision. The level of disagreement with the Commission's proposal is perhaps not surprising given the elevated and rather emotional role that consent has in privacy matters and the potentially catastrophic consequences of setting the bar for valid consent either too low or too high. But the point is that once again, the issue of individual's consent is proving to be an uneasy one, to say the least.
This controversy is not driven by a purely academic interest about what may or may not happen in a few years' time when the Regulation is adopted. Consent is a legal basis for collecting and exploiting personal information today, and in some cases, there is little or no option than to get people's permission to use their data. Without a doubt, the most vibrant and present legal dilemma regarding what qualifies as consent is taking place in the context of cookies and anything else that amounts to storing or accessing information stored on someone's device. If it wasn't for the innate human difficulty in establishing what kind of conduct may amount to consent, it would be odd to think that after more than 3 years of heated debate about the cookie consent rule, we still are nowhere near finding a solution that everyone is happy with.
Some attempts to find a middle ground between a rock-solid, unflappably demonstrable opt-in consent and the mere assumption that anything goes when people surf the net have been made in recent times but many of the approaches adopted by European websites fall short of the necessary standards. So how can consent be obtained on the Internet other than by ticking a box? Is the concept of implied consent – so commonly used and relied upon in our ordinary comings and goings in the offline world – a workable way forward online? There isn't a reason why it shouldn't but to achieve a reasonable degree of legal certainty, some minimum conditions ought to be met as otherwise, we will be back to the assumption that unless someone makes a big deal of it, anything goes when you go online.
One could probably write a long academic article about this, but at a practical level it is possible to distil the conditions for valid implied consent into four 'must have' elements:
* Deploying a visible and prominent cookie notice – For someone to be in a position to have a say on anything, they really need to know what's going on. So in the context of websites, that means that visitors must be presented with some kind of sufficiently clear and 'in your face' notice, so that it is obvious to the average user what is happening. That way, a visitor's indication of wishes is impliedly given when they see the cookie notice, understand its meaning and rely on the functionality available to make their cookie choices.
* Identifying the specific conduct that amounts to consent – Whether it is closing a box, opening a page, clicking on a link or continuing to use the site, the notice must spell out what specific action or conduct undertaken by a visitor will amount to consent to cookies being set or accessed. Otherwise, the website operator will never truly know whether the visitor accepts the use of cookies on their device. At the very least, if an assumption is being made that the visitor is happy to receive cookies, say so!
* Providing a mechanism for control and decision making – The flipside of agreeing to something is having the ability to object to it. Otherwise, there is no real choice. With cookies, a 'take it or leave it' approach is still a choice, but not a genuine one. Therefore, as part of the process of obtaining consent, website visitors should be able to make their choices freely and refuse the use of cookies (other than those that fall under the strictly necessary exemption) at any time and through simple means, even if it means that the site's functionality is limited for the user as a result. In an ideal world, these controls need to be sufficiently granular to allow visitors to accept the types of cookies they are happy to receive and to refuse those they are not.
* Spelling out what cookies are for – Finally, clear and comprehensive information about the use of cookies through the site must be continuously and readily available to satisfy the transparency requirements under European data protection law. The law is not prescriptive about the way that this information should be provided, but it should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing cookies in their devices.
The debate about whether consent should be a requirement to collect and use people's information will no doubt continue and intensify as that information becomes more and more valuable. Whether we will ever have a definitive answer is yet to be seen but in the meantime, let's try to look at technology as an enabler for individual choice. We may be surprised of what is possible.
This article was first published in Data Protection Law & Policy in September 2012.
This controversy is not driven by a purely academic interest about what may or may not happen in a few years' time when the Regulation is adopted. Consent is a legal basis for collecting and exploiting personal information today, and in some cases, there is little or no option than to get people's permission to use their data. Without a doubt, the most vibrant and present legal dilemma regarding what qualifies as consent is taking place in the context of cookies and anything else that amounts to storing or accessing information stored on someone's device. If it wasn't for the innate human difficulty in establishing what kind of conduct may amount to consent, it would be odd to think that after more than 3 years of heated debate about the cookie consent rule, we still are nowhere near finding a solution that everyone is happy with.
Some attempts to find a middle ground between a rock-solid, unflappably demonstrable opt-in consent and the mere assumption that anything goes when people surf the net have been made in recent times but many of the approaches adopted by European websites fall short of the necessary standards. So how can consent be obtained on the Internet other than by ticking a box? Is the concept of implied consent – so commonly used and relied upon in our ordinary comings and goings in the offline world – a workable way forward online? There isn't a reason why it shouldn't but to achieve a reasonable degree of legal certainty, some minimum conditions ought to be met as otherwise, we will be back to the assumption that unless someone makes a big deal of it, anything goes when you go online.
One could probably write a long academic article about this, but at a practical level it is possible to distil the conditions for valid implied consent into four 'must have' elements:
* Deploying a visible and prominent cookie notice – For someone to be in a position to have a say on anything, they really need to know what's going on. So in the context of websites, that means that visitors must be presented with some kind of sufficiently clear and 'in your face' notice, so that it is obvious to the average user what is happening. That way, a visitor's indication of wishes is impliedly given when they see the cookie notice, understand its meaning and rely on the functionality available to make their cookie choices.
* Identifying the specific conduct that amounts to consent – Whether it is closing a box, opening a page, clicking on a link or continuing to use the site, the notice must spell out what specific action or conduct undertaken by a visitor will amount to consent to cookies being set or accessed. Otherwise, the website operator will never truly know whether the visitor accepts the use of cookies on their device. At the very least, if an assumption is being made that the visitor is happy to receive cookies, say so!
* Providing a mechanism for control and decision making – The flipside of agreeing to something is having the ability to object to it. Otherwise, there is no real choice. With cookies, a 'take it or leave it' approach is still a choice, but not a genuine one. Therefore, as part of the process of obtaining consent, website visitors should be able to make their choices freely and refuse the use of cookies (other than those that fall under the strictly necessary exemption) at any time and through simple means, even if it means that the site's functionality is limited for the user as a result. In an ideal world, these controls need to be sufficiently granular to allow visitors to accept the types of cookies they are happy to receive and to refuse those they are not.
* Spelling out what cookies are for – Finally, clear and comprehensive information about the use of cookies through the site must be continuously and readily available to satisfy the transparency requirements under European data protection law. The law is not prescriptive about the way that this information should be provided, but it should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing cookies in their devices.
The debate about whether consent should be a requirement to collect and use people's information will no doubt continue and intensify as that information becomes more and more valuable. Whether we will ever have a definitive answer is yet to be seen but in the meantime, let's try to look at technology as an enabler for individual choice. We may be surprised of what is possible.
This article was first published in Data Protection Law & Policy in September 2012.