Every now and again, I have an argument on Twitter with Eduardo Ustaran, Head of Privacy and Information Law at everyone’s favourite law firm Field Fisher Waterhouse (for some reason, I can hear John Williams’ ‘Imperial March’ playing somewhere). Ustaran believes consent is unsuited to the world that we’re living in now, and that for privacy laws to work effectively, different methods are needed to regulate and protect data. I think that consent is just fine, and the problem is that some organisations don’t like obtaining consent because people say no.
It’s obviously a matter of opinion as to whether privacy has to adjust to the needs of the digital world, or whether the digital world has to make concessions to privacy. However, there is a point on which I am certain Ustaran is wrong. He’s far from being the only person who says it (I’ve even heard senior people at the ICO trot out the same nonsense despite what their own guidance says, and Which? do it all the time), but Ustaran is a highly respected figure in the Data Protection and Privacy world, and his views carry weight. Therefore, I think it’s necessary to challenge them. In conversation with someone else, but using the all-important . at the start of his tweet to declare “hey all of my followers, come see this thing I am saying”, Ustaran said this:
You can’t give consent without knowing it, Eduardo. No. No, you can’t. Whatever the above scenario is, whatever the organisations who have a pre-ticked box on their website saying ‘I have read your 47 page privacy policy’ think they’ve got, consent isn’t it. If the law asked for meaningless tick box gestures, it would be fine, but it doesn’t.
Instead, the EU Data Protection Directive sets out a strict test for consent. To use consent as the justification for using, sharing or selling personal data, the organisation must have a ‘freely given, specific and informed indication’ of the subject’s wishes. This is a high bar to clear. You must have had a genuine choice (freely given), you must know what you’re agreeing to (informed), you must have agreed to something that has been properly defined (specific), and you must have done something active (indication). It’s entirely possible to do this without a tick box, but a tick box itself is nothing. There is no question that this makes life difficult for those who don’t have legal powers, obligations or contractual requirements. It makes the private sector’s ability to use data for purposes beyond those necessary for delivering a product or service quite tricky. This is why, years ago, the Information Commissioner’s old Legal Guidance to the Data Protection Act effectively told Data Controllers that consent was a last resort:
“The Commissioner’s view is that consent is not particularly easy to achieve and that data controllers should consider other conditions in Schedule 2… before looking at consent”
I disagreed with Ustaran’s tweetings, saying that consent couldn’t be consent if it wasn’t freely given. His response was “I know, but how many times do you click on ‘I Accept’ without reading the Privacy Policy or Cookie Policy?”. Of course, the answer to this is that I always read them, but if Ustaran really believes that the people who don’t read them have consented, I don’t see how he can be right. In fact, I think he proves my point for me. Pretending that you’ve read a long-winded, technical, jargon-ridden, legalistic privacy policy is not providing a freely-given, specific and informed indication of your wishes. It’s the opposite. Ustaran doesn’t think people read privacy policies, so he has to accept that by ticking the box to say that they have, they’re not consenting. They’re ticking a box to move on. That’s all. And you don’t have to take my word for it. Try this from the ICO’s recent ‘Direct Marketing’ guidance:
“Organisations must make sure they clearly and prominently explain exactly what the person is agreeing to, if this is not obvious. Including information in a dense privacy policy or hidden in ‘small print’ which is hard to find, difficult to understand, or rarely read will not be enough to establish informed consent.”
Ironically, a fair slice of the blame for the unreadable and therefore – in consent terms – useless nature of privacy policies comes from Ustaran’s profession, because lawyers clearly write the blasted things. Perhaps a privacy policy Ustaran would write would be a model of economy and simplicity, but most web-based T&Cs are written in congealed, prolix legalese. I wanted to use the WiFi in a hotel in Belfast yesterday, and I had to endure three pages of T&Cs and a linked Privacy Policy that had probably been written by Flywheel, Shyster, and Flywheel. If lawyers think that privacy policies are a legitimate way of getting consent, they need to express themselves in plain English (or even better, have policies written by normal human beings) and find innovative ways of ensuring that the punter has read the policy. If organisations find it difficult to get the meaningful, legal consent that they need from people, this is neither the fault of Data Protection nor the punters. Apply the notion of ‘don’t blame me, technically you consented’ to any other situation, and you’ll come out sounding like Roger Helmer.
There are several options. Rather than relentlessly blaming consent, those involved in obtaining it should look at what that consent is being sought for. Give people simple, meaningful choices. Level with the customer about how the internet is paid for, and how you expect them to pay for your part of it. Consider – and this still seems to be anathema to many – giving the owner of the data a cut of the money you intend to make. Tesco is the subject of much urban myth and paranoia about its ClubCard scheme (admittedly the T&Cs are far from perfect), and yet the business model is simple, sound and optional: they pay you with vouchers and offers for your data. Rather than rewriting reality in search of solutions to the consent problem that (I fear) might be more business than consumer friendly, this is the kind of transparency we should be looking for.