Technology has changed the world, and digital now sits at the heart of almost everything we do. The increasing digitalisation of our daily lives has resulted in large amounts of data being collected on a global basis, from multiple touchpoints, and then brought together and used for purposes which are not always obviously associated with the primary reason for collection.
Added to this already complex situation, new uses of data are constantly emerging, which could not have been known at the time of collection, and this makes the task of managing this data more challenging than ever before.
Technologies – such as digital platforms and the Internet of Things – often process personal data, such as age and income demographics, and so businesses need to ensure they have a legal basis to use this data in an open and transparent way. Consent is one such legal basis. However, getting meaningful agreement is challenging, particularly in an online context where people are surfing seamlessly from one site to another and do not expect their journey to be interrupted by numerous privacy consent mechanisms. After all, if someone has been given an opportunity to read a consent notice, but chooses not to read in detail and still clicks “I agree” anyway, can that really be considered consent?
In fact, we’ve seen a number of brands in recent years start to have fun with this concept by entering comical T&Cs into their policies, such as Amazon’s ‘Zombie apocalypse clause’. This has extended to the terms of use for a number of social media platforms, such as Pinterest, who have used humour to emphasise just how much of an issue lack of understanding of these (often hefty) documents can be.
For brands and marketers, it’s really easy to check how many people have clicked through to a privacy notice. It’s all available in the website analytics. So if a data collector knows only a very small proportion of people actually click through or scroll to the end, it poses the question ‘have they all provided consent?’ We have to proceed as if yes, but the question remains.
Another challenge with consent is that, even if someone clicks through to the notice, there is no guarantee they will actually have the technical know-how to understand it. A case in point is that not even basic use of cookie and device ID technology is all that well understood by most people. When you start to try to explain more advanced uses of cookies, such as email retargeting on third-party sites or the onboarding of offline data into the online world, it becomes even more challenging to do so in a way most would understand.
The consent provision outlined in the General Data Protection Regulation (GDPR) is more demanding than in the Data Protection Act it replaces, and can only be relied on if consent is unambiguous as well as freely given, specific and informed. The UK Information Commissioner’s Office has admitted in its recently published draft guidance on consent under the GDPR that “there is a tension between ensuring that consent is specific enough and making it concise and easy to understand”. Another way of putting this is to acknowledge that there might come a point when use cases become so complex that it is simply not always possible to obtain consent fairly.
Whilst consent certainly has its place in the toolkit of legal bases – acknowledged by its inclusion in the GDPR – there is another ground called “legitimate interests” which might be more appropriate, particularly in the online setting. This allows companies to use the data if their legitimate interests are not outweighed by the rights and legitimate interests of the individuals concerned. A level of consumer awareness is still required – as that is part of fairness – but individuals are not required to opt in. This balancing test encourages companies to develop an ethical framework, as privacy-enhancing measures, such as encoding someone’s name in the data set, can help cement the legitimate interests ground.
Whereas consent puts the onus on the individual to understand and then agree, with legitimate interests the responsibility remains with the company to ensure appropriate checks and balances are in place to tip the scales in favour of data usage. At the heart of both consent and legitimate interests is the concept of fairness, which is linked to transparency. In other words, companies still need to take into account the reasonable expectations of individuals when carrying out the legitimate interests balancing test. The idea that brands and marketers need to justify their actions in relation to the benefit of the customer, rather than just to the organisation, is a concept which should be at the heart of all good data practice to begin with. Controllers in this regard need to become deft at identifying any discriminatory practices and mitigating their privacy impact.
The more GDPR beds itself in, the more scrutiny organisations will come under and the more consumers will have the right to demand answers from, and be forgotten by, organisations who breach the trust to handle their data with respect. This is on top of hefty maximum fines of at least €20 million which lie at the end of the road for those who fail to comply. Businesses, in the UK and beyond, now face an increasing imperative to put individuals at the heart of their data management strategy and ask themselves, ‘will they really be interested in this?’ and ‘is this truly in the best interests of my customer?’