Recent enforcement actions, such as Irish DPC & EDPB v. Meta and FTC v. Epic Games, have brought back into the spotlight the complexities surrounding the use of consent as a legal ground for personal data processing and the effectiveness of consent as a mechanism for data subjects’ empowerment. Consent as a concept has slight nuances across jurisdictions worldwide, but at its core it aims to empower individuals by giving them control over the processing of their personal data.
In this article, we analyze the current notion of consent and examine its effectiveness, specifically in relation to whether:
When individuals are presented with a choice to make their personal data subject to certain processing, based on all necessary information and, even more importantly, with the ability to change their mind, i.e. to withdraw (or opt out of) previously provided consent at any time in the future, they get the impression that they are in control of their personal data and are empowered to make a free and informed decision as to whether the processing will happen in the first place, whether personal data will be retained, and for how long. In its Guidelines 05/2020 on consent under Regulation 2016/679 (1), the European Data Protection Board clarifies that “if obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed”.
Under Regulation (EU) 2016/679 (GDPR), a fully compliant consent must be freely given, specific, informed and unambiguous (exhibited by an individual’s statement or a clear affirmative action). In the U.S., a so-called “notice and choice” approach predominates: individuals are given a “free choice” to decide whether or not to keep using a service that requires processing of personal data, based on the information provided in the company’s privacy notice (sometimes also referred to as a privacy policy). This often results in companies conveniently interpreting inaction as implied consent to any type of processing of personal data envisaged in the company’s privacy notice.
Other jurisdictions have slightly different nuances (e.g. Canada), but at a high level consent has one and the same underlying goal: to give individuals control over the use of their personal data.
On the one hand, there are individuals “empowered by consent”; on the other, there are companies obtaining such consent that feel free to legitimately use personal data for just about any business purpose. It is therefore no wonder that consent is often considered a first-choice basis for processing.
What is promised to individuals when processing is conducted on the basis of their consent can only be fulfilled if the conceptual and statutory consent requirements are in fact met.
Regardless of the obvious differences between the various approaches to consent, the “informed consent” requirement remains the common denominator and may be the most challenging one to meet. Furthermore, it is important to keep in mind that while the GDPR approach indubitably offers increased protection through additional requirements, consent nonetheless remains valid and legitimate only if all requirements are cumulatively met.
The clash between theory and practice becomes obvious when we consider the fact that informed consent is conditioned by a few key assumptions:
Already the first assumption raises reasonable doubt about whether valid consent can be achieved in practice.
Given the frequency and complexity of personal data processing activities, as well as the scope of required information, the notices the average Internet user encounters keep increasing in number and length, and consequently so does the time necessary to read them. Studies have shown that few people are willing to spend a long while on such a reading exercise. Furthermore, under the notice and choice approach, there is an additional assumption that someone has made the effort to look for a privacy notice prior to using the service. A study carried out in 2017 (2) indicates not only that less than 0.1% of visitors ever open the pages with the privacy notices, but also that, especially for longer notices, the average user leaves the page long before having spent enough time on it to possibly read the full text.
Even if there were a significantly larger number of eager privacy notice readers, protection would not increase much. Given the aforementioned complexity of contemporary processing operations, understanding a privacy notice, and especially the risk associated with the described processing, requires substantial pre-existing privacy knowledge. In addition, the concept of “consent fatigue” (3) has been introduced to describe the overwhelming number of consent-related decisions the average Internet user needs to make. All of this makes assumptions 2. and 3. introduced above hardly sustainable.
Based solely on the above arguments (and more can be brought), it seems fair to say that in most cases “informed consent” is in reality closer to a fiction, as Prof. Daniel J. Solove compellingly argues in one of his latest articles, “Murky Consent” (4).
Similar arguments may also challenge what is recognized as the privacy paradox (5). While most individuals are indeed unwilling to invest the time or effort necessary to become informed and gain better control over the processing of their personal data, it is also obvious that the privacy awareness of the average Internet user has significantly increased over the past years, and as a result so have individuals’ expectations about how companies will treat their personal data. However, what may seem an obvious paradox may also be a result of individuals’ actually limited ability to exercise their rights, as well as a consequence of the limited effectiveness of the consent mechanism in its current form. Therefore, it seems that what was intended to empower has become burdensome to individuals.
When it comes to companies’ use of consent as a legal basis for processing individuals’ personal data, there is quite a difference between the position of Small and Medium Enterprises (SMEs) and that of the so-called Tech Giants.
For Tech Giants, consent is often the preferable option, as it provides superior legitimacy and, when its form (and alas often solely its form) is satisfied, it represents a clear “blessing” from individuals for their personal data to be used for the companies’ business activities. The challenges imposed by privacy regulations (primarily the GDPR) on SMEs appear to be less burdensome for the big tech players. Tech Giants, when there is a good-faith will to do so, generally have plenty of resources to invest in ensuring compliance: unlike SMEs, they can afford to engage highly qualified privacy teams, implement automation tools that manage various privacy requirements with significantly less human intervention, commission third-party audits to identify gaps and improve processes, and obtain industry-recognized certificates proving their compliance. Having said that, we will focus further on the Tech Giants’ position to point out that, regardless of the available resources and options, they too often fail to meet compliance beyond a very superficial level, and sometimes not even that.
Pricey software tools are available to provide Tech Giants with automated consent management, making compliance with the legal requirements for obtaining and documenting formally valid consent almost effortless. However, there are obvious pitfalls in relying too much on such tools:
The call for a change in the concept of consent is getting louder, coming from academics, regulators and privacy professionals; however, we are still far from realizing that change. Therefore, let us summarize, from the perspective of the status quo, the possible ways in which the practical application of consent under the current frameworks may be improved to overcome some of the issues analyzed above:
(1) https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf
(2) https://www.linklaters.com/en/insights/blogs/digilinks/does-anyone-read-privacy-notices-the-facts
(3) https://iapp.org/news/a/how-to-avoid-consent-fatigue/
(4) https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4333743
(5) https://theprivacyissue.com/privacy-and-society/decoding-privacy-paradox
(6) https://iapp.org/news/a/the-mismanagement-of-user-consent-data-and-its-consequences/
(7) https://www.ftc.gov/reports/bringing-dark-patterns-light
(8) https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-deceptive-design-patterns-social-media_en
(9) https://www.ftc.gov/business-guidance/blog/2023/03/ftc-says-online-counseling-service-betterhelp-pushed-people-handing-over-health-information-broke