Empowered by consent

Written by Danica Vranjanin and Kiril Kalev
May 16, 2023

Recent enforcement actions, such as Irish DPC & EDPB v. Meta and FTC v. Epic Games, have brought back into the spotlight the complexities of using consent as a legal ground for personal data processing and the effectiveness of consent as a mechanism for empowering data subjects. The concept of consent differs slightly between jurisdictions, but at its core it aims to empower individuals by giving them control over the processing of their personal data.

In this article, we analyze the current notion of consent and examine its effectiveness, specifically in relation to whether:

  • consent actually gives individuals the promised empowerment and enhanced control over the processing of their personal data;
  • consent gives companies more certainty when processing personal data (because of the seemingly indisputable legitimacy of consent-based processing) or, on the contrary, more difficulty with the practical application of consent requirements; and finally whether
  • the concept and its practical application need to be rethought.

Informed consent? Yes, provided that…

When individuals are presented with a choice to make their personal data subject to certain processing, based on all necessary information and, even more importantly, where they can change their mind, i.e. withdraw (or opt out of) previously given consent at any time in the future, they get the impression that they are in control of their personal data and are empowered to make a free and informed decision as to whether the processing will happen in the first place, whether their personal data will be retained, and for how long. In its Guidelines 05/2020 on consent under Regulation 2016/679 (1), the European Data Protection Board clarifies that “if obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed”.

Under Regulation (EU) 2016/679 (GDPR), valid consent must be freely given, specific, informed and unambiguous (expressed by a statement or a clear affirmative action of the individual). In the U.S., the so-called “notice and choice” approach predominates: individuals are offered a “free choice” to keep using (or stop using) a service that requires processing of their personal data, based on the information provided in the company’s privacy notice (sometimes also referred to as a privacy policy). This often results in companies conveniently interpreting inaction as implied consent to any type of processing envisaged in the privacy notice.

Other jurisdictions (e.g. Canada) apply slightly different nuances, but at a high level consent has one and the same underlying goal: to give individuals control over the use of their personal data.

On the one hand, there are individuals “empowered by consent”; on the other, there are companies obtaining such consent that feel free to use personal data legitimately for just about any business purpose. It is therefore no wonder that consent is often considered a first-choice basis for processing.

The control promised to individuals when processing is conducted on the basis of their consent can only be delivered if the conceptual and statutory requirements for consent are in fact met.

Regardless of the obvious differences between the approaches to consent, the “informed consent” requirement remains the common denominator and may be the most challenging one to achieve. Furthermore, while the GDPR approach undoubtedly offers increased protection through additional requirements, consent under it remains valid and legitimate only if all requirements are cumulatively met: failing any one of them invalidates the consent as a whole.

The clash between theory and practice becomes obvious when we consider that informed consent rests on a few key assumptions:

  1. choice is made on the basis of information individuals actually read;
  2. individuals understand the information accurately; and
  3. information provided to individuals enables them to assess and accept the actual risk behind the processing they consent to.

Practice v. theory

The first assumption alone casts reasonable doubt on whether valid consent can be achieved in practice.

Given the frequency and complexity of personal data processing activities, as well as the scope of the required information, the notices the average Internet user encounters keep growing in number and length, and so does the time needed to read them. Studies have shown that few people are willing to spend that long on such a reading exercise. Furthermore, under the notice and choice approach there is the additional assumption that someone has made the effort to look for a privacy notice before using the service. A 2017 study (2) indicates not only that fewer than 0.1% of visitors ever open the pages containing privacy notices, but also that, especially for the longer notices, the average user leaves the page long before having spent enough time on it to have possibly read the full text.

Even if there were a significantly larger number of eager privacy notice readers, protection would not increase much. Given the complexity of contemporary processing operations, understanding a privacy notice, and especially the risk associated with the described processing, requires substantial prior privacy knowledge. In addition, the concept of “consent fatigue” (3) has been introduced to describe the overwhelming number of consent-related decisions the average Internet user needs to make. All of that makes assumptions 2 and 3 above hardly sustainable.

Based solely on the above arguments (and more could be added), it seems fair to say that in most cases “informed consent” is in reality closer to a fiction, as Prof. Daniel J. Solove compellingly argues in his recent article “Murky Consent” (4).

Similar arguments may also challenge what is known as the privacy paradox (5). While most individuals are indeed unwilling to invest the time or effort necessary to become informed and gain better control over the processing of their personal data, it is also obvious that the privacy awareness of the average Internet user has increased significantly over the past years, and with it the expectations individuals have about how companies will treat their personal data. However, what may seem an obvious paradox may also be the result of individuals’ limited practical ability to exercise their rights, as well as a consequence of the limited effectiveness of the consent mechanism in its current form. It seems, therefore, that what was intended to empower has become a burden to individuals.

Companies on the dark side of Consent

When it comes to companies’ use of consent as a legal basis for processing individuals’ personal data, there is quite a difference between the position of Small and Medium Enterprises (SMEs) and that of the so-called Tech Giants.

For Tech Giants, consent is often the preferred option, as it provides superior legitimacy: once its form (and, alas, often solely its form) is satisfied, it represents a clear “blessing” from individuals for their personal data to be used in the company’s business activities. The challenges that privacy regulations (primarily the GDPR) impose on SMEs appear less burdensome for the big tech players. Tech Giants, when there is a good-faith will to do so, generally have plenty of resources to invest in compliance: unlike SMEs, they can afford to engage highly qualified privacy teams, implement automation tools that manage various privacy requirements with significantly less human intervention, commission third-party audits to identify gaps and improve processes, and obtain industry-recognized certificates attesting to their compliance. That said, we focus below on the position of Tech Giants to point out that, regardless of the resources and options available to them, they too often fail to achieve compliance beyond a very superficial level, and sometimes not even that.

Pricey software tools offer Tech Giants automated consent management, making compliance with the legal requirements for obtaining and documenting formally valid consent almost effortless. However, there are obvious pitfalls in relying too heavily on such tools:

  • On the technical side, as described in the recent IAPP article “The mismanagement of user consent data and its consequences” (6) by Dan Frechtling, consent signals leak or fail to be delivered because of errors in the integrations with companies’ websites, sites using methods that are not universally adopted throughout the digital ad ecosystem, or code patches and other updates by tool vendors accidentally breaking downstream processing. The practical consequence is that a consent record the company believes it holds may never have reached the systems acting on it, or may have arrived incomplete; any system consuming consent signals should therefore treat a missing or malformed signal as absence of consent rather than as permission.
  • From an ethical perspective, these tools provide, at best, only formal compliance in the absence of digestible and comprehensible information about the respective processing operations. This puts form over substance and risks individuals’ trust: if consent is meant to be the ultimate mechanism giving individuals control, can it be reduced to a checkbox exercise and still be considered genuine rather than a legal fiction?
  • The tempting legitimacy provided by consent often leads companies to use so-called dark patterns to obtain the desired consent from individuals. Does that end really justify the means? The use of dark patterns exposes companies to major risks of non-compliance, irrevocable loss of individuals’ trust and reputational damage. It is worth noting that regulators on both sides of the Atlantic, the U.S. FTC (7) and the EU EDPB (8), have signalled through recent guidance and enforcement actions (9) a strengthened focus on this issue as part of their enforcement priorities.

The way forward

The call for a change to the concept of consent is getting louder, coming from academics, regulators and privacy professionals; however, we are still far from realizing that change. Let us therefore summarize, from the perspective of the status quo, the ways in which the practical application of consent under the current frameworks could be improved to overcome some of the issues analyzed above:

  • specific consent issue – just-in-time notices (and the corresponding just-in-time collection of consent) should be more widely adopted, which will make consent more granular and thus more specific;
  • informed consent issue – a stronger focus on a more appealing form and simpler language for privacy notices, through gamification, or video or audio notification for IoT devices, etc.;
  • free consent issue – while this will undoubtedly disrupt certain business models even further, the adoption of industry-standard automated means of indicating a pre-defined choice (similar to the Do Not Track standard) will increase the volume of freely given, meaningful consent at the expense of coerced consent obtained through dark patterns;
  • trust issue – companies should be truly transparent by describing in the privacy notice what they actually do and, vice versa, by actually doing what the privacy notice describes. They should also always respect individuals’ choices, even if that means losing certain valuable data for the moment, as this brings a long-term benefit through an increased chance of obtaining genuine and enduring consent.
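Two of the points above have a concrete technical side: consent signals that leak or fail in delivery (the first bullet under “Companies on the dark side of Consent”) and automated, pre-defined choice signals such as Do Not Track (the “free consent” bullet). The following Python is an added example written for this article, not code from the authors or from any vendor’s consent management tool. It assumes a hypothetical JSON consent record keyed by purpose and a hypothetical “analytics” purpose; the sample records are constructed. The DNT and Sec-GPC (Global Privacy Control) request headers are real browser signals, and pairing GPC with DNT is this example’s choice. The hardened gate honours the browser opt-out signal, requires an explicit, dated and unwithdrawn grant, and treats a missing or malformed record (a lost or broken consent signal) as no consent; the contrasting “inaction as consent” gate shows how the notice-and-choice pattern reads the very same failures as permission.

```python
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Mapping, Optional


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed sample records for a hypothetical "analytics" purpose. The record
# format is an assumption made for this example, not a standard.
SAMPLE_RECORDS = {
    "granted": json.dumps({"purposes": {"analytics": {
        "granted": True, "granted_at": "2023-05-01T10:00:00+00:00"}}}),
    "withdrawn": json.dumps({"purposes": {"analytics": {
        "granted": True, "granted_at": "2023-05-01T10:00:00+00:00",
        "withdrawn_at": "2023-05-10T09:30:00+00:00"}}}),
    # A checkbox value stored as a string instead of a boolean.
    "truthy_string": json.dumps({"purposes": {"analytics": {
        "granted": "yes", "granted_at": "2023-05-01T10:00:00+00:00"}}}),
    # A consent signal truncated in transit by a broken integration.
    "truncated": '{"purposes": {"analytics": {"granted": tr',
}


def browser_opt_out(headers: Mapping[str, str]) -> bool:
    """True if the request carries an automated opt-out signal.
    DNT (Do Not Track) and Sec-GPC (Global Privacy Control) both use "1"."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return lowered.get("dnt") == "1" or lowered.get("sec-gpc") == "1"


def parse_record(raw: Optional[str]) -> Optional[dict]:
    """Parse a stored consent record; None if it is missing or malformed."""
    if not raw:
        return None
    try:
        record = json.loads(raw)
    except ValueError:  # json.JSONDecodeError is a ValueError
        return None
    return record if isinstance(record, dict) else None


def _purpose_entry(record: Optional[dict], purpose: str) -> Optional[dict]:
    purposes = (record or {}).get("purposes")
    entry = purposes.get(purpose) if isinstance(purposes, dict) else None
    return entry if isinstance(entry, dict) else None


def _parse_ts(value) -> Optional[datetime]:
    """Timezone-aware ISO 8601 timestamp, or None if absent or unparseable."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value)
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def affirmative_consent(record: Optional[dict], purpose: str) -> bool:
    """True only for an explicit, dated and unwithdrawn grant for this purpose."""
    entry = _purpose_entry(record, purpose)
    if entry is None or entry.get("granted") is not True:
        return False
    granted_at = _parse_ts(entry.get("granted_at"))
    if granted_at is None:
        return False
    withdrawn_at = _parse_ts(entry.get("withdrawn_at"))
    # A withdrawal after the grant ends consent; a later re-grant restores it.
    return withdrawn_at is None or withdrawn_at < granted_at


def decide_fail_closed(headers: Mapping[str, str], raw_record: Optional[str],
                       purpose: str) -> Decision:
    """Hardened gate: browser opt-out wins; otherwise explicit consent is
    required, and a missing or broken record counts as no consent."""
    if browser_opt_out(headers):
        return Decision(False, "browser opt-out signal (DNT/GPC) honoured")
    record = parse_record(raw_record)
    if raw_record and record is None:
        return Decision(False, "malformed consent record treated as no consent")
    if affirmative_consent(record, purpose):
        return Decision(True, "explicit, unwithdrawn consent on file")
    return Decision(False, "no affirmative consent for this purpose")


def decide_inaction_as_consent(raw_record: Optional[str], purpose: str) -> Decision:
    """The notice-and-choice pattern the article criticises: anything short of
    an explicit refusal is read as consent, so lost, broken or withdrawn
    records all pass."""
    entry = _purpose_entry(parse_record(raw_record), purpose)
    if entry is not None and entry.get("granted") is False:
        return Decision(False, "explicit refusal on file")
    return Decision(True, "no refusal recorded, inaction read as consent")


if __name__ == "__main__":
    for name, raw in SAMPLE_RECORDS.items():
        print(f"{name:14} fail-closed: {decide_fail_closed({}, raw, 'analytics')}")
        print(f"{'':14} inaction:    {decide_inaction_as_consent(raw, 'analytics')}")
    print("dnt+granted    fail-closed:",
          decide_fail_closed({"DNT": "1"}, SAMPLE_RECORDS["granted"], "analytics"))
```

Running the script prints both gates’ decisions side by side: the fail-closed gate allows processing only for the “granted” record and refuses it when a DNT or Sec-GPC header is present, while the inaction gate allows processing for the truncated record, the string-typed checkbox value and even the withdrawn consent, because none of them is an explicit refusal. The design choice worth copying is the fail-closed default: when the consent signal is absent or unparseable, the safe interpretation is that consent was never obtained.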

Reference list:

(1) https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf

(2) https://www.linklaters.com/en/insights/blogs/digilinks/does-anyone-read-privacy-notices-the-facts

(3) https://iapp.org/news/a/how-to-avoid-consent-fatigue/

(4) https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4333743

(5) https://theprivacyissue.com/privacy-and-society/decoding-privacy-paradox

(6) https://iapp.org/news/a/the-mismanagement-of-user-consent-data-and-its-consequences/

(7) https://www.ftc.gov/reports/bringing-dark-patterns-light

(8) https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-deceptive-design-patterns-social-media_en

(9) https://www.ftc.gov/business-guidance/blog/2023/03/ftc-says-online-counseling-service-betterhelp-pushed-people-handing-over-health-information-broke