(This is the fourth installment in an ongoing examination of the first principles of data privacy and security. The first installment can be read here. The second installment can be read here. The third installment can be read here. These principles, often represented in regulations and privacy practices, form the foundation for how an organization should treat the customer data it collects.)
Consent is the most widely known principle of data privacy and security.
Please click [I AGREE] if you agree to continue reading.
If you do not agree to continue reading, please click [I DECLINE].
Just like the prompts a user sees asking for their User ID and Password, the [I AGREE]/[I DECLINE] buttons are well known to computer users. And at some level, we all understand what is happening when we click on one of the two buttons.
“No” means “no” and “yes” means “yes.” Providing or declining consent is based on that simple idea. It seems obvious. Collectors, users and disclosers of data need permission from the subject of the data in order to collect, use and disclose information about the subject. The conversation between subjects and data collectors (and subsequently users and disclosers) comes down to one question: Are you OK with us doing things with the data we collect? The answer is often recorded on a form, on paper or electronically, called the “consent form.” It sounds simple. But many people who think about this conversation are uneasy about it.
Consent, after all, implies that the person consenting “owns” the data. In other contexts where consent is important, acting without consent is clearly “trespass,” “violation” or “theft.” Ownership and control are clear: I did not give you permission to cross my property, to cut me open and remove my appendix, to cut down my tree, to take my car, to touch me, etc.
But it is sometimes unclear whether that data is exclusively one person’s property when it is collected during a transaction to which both parties consent. Even laws that define “privacy” and establish rules for using, collecting and disclosing data recognize that the entity that receives the data from the subject has some right to use it without the subject’s consent. Consent forms tell you that you control the use, disclosure and collection of data about you except in certain circumstances.
The most common exception is “as required by law.” But, as recent cases in which technology companies shared data with government agencies have shown, there is no universal agreement about what “the law” requires, and there is a great deal of discomfort about the processes that have been used to decide that.
The existence of “exceptions” is only one of the reasons that consent is the most disparaged of the principles of privacy and security. Users routinely make fun of the fact that they have no real idea what they are agreeing to.
As Daniel Solove, professor of law at George Washington University, argues in “Privacy Self-Management and the Consent Dilemma,” that’s only part of the problem.
Dr. Solove writes about the “numerous hurdles for privacy self-management.” Anyone who has ever tried to craft a consent form, and the process around it, is familiar with the obstacles:
“(1) people do not read privacy policies; (2) if people read them, they do not understand them; (3) if people read and understand them, they often lack enough background knowledge to make an informed choice; and (4) if people read them, understand them, and can make an informed choice, their choice might be skewed by various decision making difficulties.”
At a recent Data Protection Congress hosted by the International Association of Privacy Professionals, Viktor Mayer-Schönberger, professor of Internet governance and regulation at the Oxford Internet Institute, put it more strongly: “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” The professor pointed out in a keynote that declining the terms on a consent form is a choice to “remain outside modern society.”
In other words, while “yes” means “yes” and “no” means “no,” a choice is not a choice when someone feels they have no choice.
There are counter-arguments to all this skepticism. “Declining is a form of participation” is the most common, followed by “as users become more savvy, their consent becomes more informed.” These arguments hold up but have significant shortcomings. The subject of the data usually has to give up access to goods, services and/or financial arrangements in order to decline. To decline meaningfully, the user must make considerable effort and/or incur significant expense, and then find providers who will supply the same goods or services AND the additional privacy they are looking for.
In America, for example, if you are covered by an employer-sponsored health plan, you can choose to pay for medical services yourself and thereby keep your employer from seeing the claims for those services. If you do not wish to agree to the terms and conditions of ubiquitous e-mail services like Gmail, you can seek out small providers that adhere to different privacy standards.
As some of these providers have closed down rather than be the subject of law enforcement investigations, they are not necessarily easy to find. So, if you have the money, the knowledge and the time to decline to participate in a transaction that will result in data about you being collected, you can meaningfully decline and still enjoy the benefit of the service elsewhere.
Proposals to “fix” consent include calls for more regulation, more education, stricter enforcement, more transparency, and making consent expire regularly. There is also the idea that “opt-in” is a stronger consent model than “opt-out.” Under opt-out, the data collector assumes consent and shares the data until the subject objects; under opt-in, the collector assumes the subject is not consenting and shares the data only after the subject affirmatively “opts in.” The argument is that the default matters, and that a default of no sharing makes the consent model work better.
There are pros and cons to each proposal and it is often difficult to separate out the true merits of a proposal from the self-interest of its proponents (is that ever untrue?). I am not sure anyone involved with consent of data use, collection and disclosure is fully satisfied with the status quo.
If you work with consent and are honest about the state of things as they are now, you have to admit certain things. The first is that there are times when a user’s consent does not “feel” like enough. But conversely, there are times when you are equally sure that the user’s consent should release the data collector from further obligation, and that the phrase “they knew what they were agreeing to when they signed the consent form” is a valid position to take. Finally, when it comes to the use, collection and disclosure of data, while there are countless consent givers and consent seekers, there are few if any advocates and enablers for the process of consent itself.