
Tag: consent

“We take your privacy very seriously”

….says the intrusive ‘cookie consent’ popup which requires me to navigate through various pages, puzzle out the jargonerics and fiddle with settings before I can access the content I actually want to read on the site.

Here’s the thing. If your website is infested with trackers, if you are passing my data on to third parties for profiling and analytics, if your privacy info gets a full Bad Privacy Notice Bingo scorecard, then you DON’T take my privacy seriously at all. You have deliberately chosen to place your commercial interests and convenience over my fundamental rights and freedoms, then place the cognitive and temporal burden on me to protect myself. That’s the opposite of taking privacy very seriously, and the fact that you’re willing to lie about that/don’t understand that is a Big Red Flag for someone like me.

If you really took my privacy very seriously, you would use an analytics tool that doesn’t feed a huge surveillance behemoth – for example, Matomo instead of Google Analytics or Quantcast. Or just focus on producing high-quality, navigable content that makes me want to interact with you more without any of that stalkertech.

Your approach to consent would be discreet and respectful, allowing me to enable specific functionalities as and when they are needed, rather than demanding my attention immediately and trying to grab consent for everything straight away. Consent has to be obtained before cookies/trackers are placed/read, yes – but that doesn’t mean you should try and set as many of these as possible as soon as I land on your page.

There are several ‘consent management’ solutions popping up (literally) all over the place, interrupting people’s reading, rendering badly on mobile, requiring lowering of privacy protections to interact with, some even operating in a way which is contrary to law in the first place (I’m looking at YOU, website operators who remove the ‘Reject All’ button from the Quantcast dialogue). Everyone moans about cookie banners and consent dialogues, regarding them as an unwanted intrusion and a pain in the butt. They are both. But here’s the thing – the problem isn’t that site operators are required to inform you about tracking/profiling/mucking about with data on your device, the problem is that this is done at all – on such a large scale by so many and without accountability. Behavioural advertising, demographically-targeted marketing, personal profiling – all these are by nature, inimical to fairness, individual rights and freedoms. There’s a huge industry beavering away in the shadows trying to quantify and categorise and manipulate us for profit; and an even vaster network of ‘useful idiots’ capturing and feeding them the data they grow fat upon. Your data. My data. Your website? Your app?

Now, I accept that this is how much of the world works these days, even though I really don’t like it. I continue to campaign for change by supporting organisations such as the Electronic Frontier Foundation, Privacy International, NOYB, Liberty and the Open Rights Group, by giving professional advice based on ethics as well as risk and technicality (and making it clear which are which) and by doing as much work on educating the general public as I can spare time and energy for. I understand market[ing] forces. What I can’t bear is the slimy, self-justifying PR bullshit that’s spread like rancid butter over the surface of ‘compliance’.

Like saying “we take your privacy very seriously” while actively supporting an ecosystem which is privacy-hostile at best and privacy-abusive at worst. Like saying “we take your privacy very seriously” and then using meaningless copypasta template privacy info which bears no relation to the processing at hand. Like saying “we take your privacy very seriously” and not even bothering to take elementary precautions to limit or protect the personal data being snorted up at every turn.

One lesson I learned from my infosec days is one of distrust – the most likely time for you to hear or read “we take the security of your data very seriously” is in panicked press releases after an avoidable breach of that very data has occurred. Anecdotal, of course, but I see a very strong inverse correlation between loud blustering about how seriously security/privacy is taken, and how rigorously this is actually implemented. It’s become a bit of a shortcut to analysis – anyone who feels they have to squawk about it probably shouldn’t be trusted to be actually doing it.

 

When you don’t “take privacy very seriously”, no amount of gaslighting PR camouflage is going to be a convincing substitute. So maybe just stop saying it eh? No-one believes you anyway.

It’d be so refreshing to see a statement like “There is often a compromise to be made between individual privacy and commercial advantage. We do it like this because it is more [cost]-effective for us to achieve our business objectives, even though it may have an impact on you. Here is all the stuff that the law says we have to tell you:…”. A while back, a bunch of privacy nerds were having fun with the #HonestPrivacyInfo hashtag on Twitter – while amusing, this is also worth a read because many of the examples are actually much more transparent and accurate than anything you’ll read in a company’s official ‘privacy policy’.

Just be warned….if you’re going to claim you take my privacy seriously, then I will require you to demonstrate that. And I will make a fuss if you don’t.

Meme Frenzy

At some point, I’m going to try and make a privacy notice delivered through the medium of internet memes. While playing about with the possibilities of this, I got totally sidetracked and ended up data-protection-ifying a load of popular memes for my own nerdy amusement.

Here are the fruits of my misdirected labour. I think I might need to get out more.

doge: dis policy, many data, such privacy, mor cookies, wow

We take your privacy very seri- Shut up!

One does not simply consent by reading a policy

Not sure if Controller or non-compliant Processor

I don't always need consent, but when I do it's specific, informed, freely-given and unambiguous

If you could actually take my privacy seriously that would be great

I read your privacy policy, it says you're tracking me, ohhhh no, SAR TIME

Brace yourselves - ePrivacy Reg is coming

Y u no tell me legal basis for processing

They said they use my data for advertising purposes. I sent them a SAR

Sells you stuff online - doesn't make you create an account

Tea, sex and data

Comparing consent for processing personal data with consent for sexual activity.

Many laws, professional obligations, contracts and standards make reference to “consent” as a basis or requirement for something to be done. As I’ve mentioned before in an earlier post, “consent” is not a tick box or a signature, it is a state of relationship between two (or more) parties.

With this in mind, I’m going to write about something we’re almost all enthusiastic about (sexual activity) and something I’m [also] very enthusiastic about (data protection) in the hope that comparing the two will lead to greater understanding of how to manage consent as a legal basis for processing personal data, while keeping your attention for long enough to explain…

If you haven’t already seen this, it’s an excellent analogy between sexual activity and cups of tea – almost every point made can also be related to processing of data. The main difference here is that a cup of tea is unlikely to have a lasting and damaging effect, whereas both unwanted sexual contact and unfair/unlawful processing of personal data have the potential to cause serious harm to individuals if they occur.*

Before I get into the similarities though, there are two ways in which consent for getting sexy and processing data are totally different.

1. You don’t *have* to get consent for data processing (and shouldn’t try to, if consent is not the appropriate legal basis) but you always need to make sure that your sexual activities are with consenting adults only.

2. Consent for happy fun time can be implied or inferred (carefully). A long-married couple probably don’t need to have a detailed conversation about whether to take advantage of the kids being out that evening – a speculative look in the direction of the bedroom/kitchen/sofa and a twinkle of the eye in response is probably enough to communicate “shall we?” “Yes!” effectively.

No such parallel exists with data processing – either you have an unambiguous and specific response to “can we use your data in this way for this purpose” or you don’t have consent.

Ok, those are the significant differences. So, what are the similarities between consent for sexual activity and consent for data processing?

What it’s for: specifically

Consent is not “one size fits all”. If you consent to A (whether A is a cheeky snog behind the bike sheds, or being profiled on social media in order to be served targeted advertising), that does not mean you have also consented to B (which might be a hand up your shirt – or having your social media data sold to an insurance agency to calculate your risk of having a driving accident). It doesn’t even mean that you have consented to future As (snogs or profiling), especially if those future As might take you by surprise. It certainly doesn’t mean that having consented to A with one party, that anyone else can join in without having to ask permission separately (I’m looking at you, data brokers).

Whether you have it depends on how you get it:

Evidence of consent may be a legal requirement in some scenarios, but that evidence itself is not “consent”, just a record that something was asked for and an affirmation provided.

Obviously, if you have been misled or misinformed as to the activity, not given enough information to make an educated decision or if you don’t really have a choice, then no amount of tickboxes, signatures, “I agree” buttons or recordings will suffice. You have not consented.

Obtaining consent before/during sexual activity doesn’t usually involve either paper or electronic records, although there are apps which purport to fill that……er….niche (I’m in complete agreement with Girl On The Net’s views on these apps, by the way [warning also probably NSFW]). However, asking “would you like me to….” or “how about if we…..” rather than just diving in is the right thing to do and doesn’t have to kill the mood – in fact, that kind of conversation can be quite good fun…..

A positive response is an indication of consent. No response, or a negative response is very very unlikely to be consent. If someone is impaired in some way so they can’t a) understand the decision or b) communicate their decision then they cannot consent. Back off.

Obtaining consent for processing of personal data doesn’t necessarily need to involve tickboxes or signatures although as evidence of consent is a legal requirement, those are some mechanisms you might want to consider using.

What’s important in both circumstances is that you get consent before you start getting jiggy/processing data.

It doesn’t last forever:

Once you have consent, you can do whatever it is you have obtained agreement to do, for as long as that consent was agreed to last. “Yes” can turn to “No” at any time. If you don’t give the other party the freedom to change their mind, then you don’t have valid consent.

Regret does not retrospectively turn a ‘yes’ into a ‘no’. While many of us may have woken up and thought “Oops” when recalling the night before; this does not invalidate any informed, freely-given consent that was provided at the time. The past cannot be undone, only learned from. Likewise, if I give an advertising agency permission to use my photo, while I can tell them to stop using it later, I can’t make them recall every copy of the image that they published while my consent was in place.

Withdrawal or refusal is not an invitation to try to continue:

No means no. End of. Once someone has withdrawn their consent you must stop doing whatever it was you obtained their agreement to do. Pleading, bullying, coercing, forcing – these are violations of consent and could be very serious, both for you and for the person whose preferences you have ignored. Emotional blackmail to get sex is a favourite tactic of hormone-crazed teenage boys and has (superficial) parallels with companies that send emails to opted-out addresses offering incentives to resubscribe. Teenage boys might not realise that what they are doing is wrong (educate them please, parents!) but companies have no excuse whatsoever.

It doesn’t last forever:

“Yes” now does not mean “yes” to every future occurrence. “But you liked sucking my toes last week” does not mean that person wants to suck your toes right now, or at any time in the future. Put your socks back on. Similarly, asking an organisation to send you info about a specific event you’re interested in doesn’t mean they can send you messages about any other event they run.

It’s important to be clear:

Keep checking that ‘no objection’ has not turned into “no”. Consent must be informed to be valid, so if the other party has forgotten what they agreed to then you may not still have their consent – whether that’s the prospect of getting the silk scarves out, or tracking every location they take their phone to.

Proportionality is advised:

Signed agreements are not necessarily appropriate for either sexual activity or data processing (although they are relatively common in relationships that incorporate the exotic end of sexual activities [warning possibly NSFW] where the potential for miscommunication could have serious ramifications). Likewise, a signed declaration of consent to data processing is probably overkill for the majority of scenarios and is likely to increase both your administrative overhead and the annoyance you’re going to cause to the people whose data you’re wanting to process. However, as with exotic sexual activities, if there is potential for a high impact, especially any kind of harm to the individual from your processing, then it’s likely that you will need to make your consent evidence more stringent and robust. (Note: if the processing is *required* in order to carry out a contract, then you should not be asking for consent in the first place as it cannot be freely-given separately to the contract agreement itself.)

Lastly; don’t be a git:

If you’re looking for ways to evade obtaining proper consent in order to exploit someone then you are a Bad Person. This applies in any context. Even if you don’t see what you’re doing as exploitation, fiddling with either someone’s physical or intangible self has real consequences – it should only happen with care, respect and communication.

So if you are considering processing someone’s personal data, first check the appropriate legal basis. If that’s consent, then ask them for it – being clear about what you want to do and why. Keep a record of their response. Check in with them after a while to make sure it’s still OK. Don’t be sneaky/deceptive/coercive/vague/ask for more than you actually need.

And practice safe sex, mm’kay?

*NB: I am *not* equating data misuse with sexual assault in terms of seriousness! Lives can be ruined by unfair/unlawful/careless data processing (the construction industry blacklist, exposing vulnerable people to their stalkers, medication errors, inaccurate criminal records, credit rating errors….) – these are all Really Bad Things, but nowhere near the horror of being assaulted.

Consent or not consent?

Update: I’ve exported the tool as a PDF so you can see the questions and answers. It’s no longer interactive, but it may still be helpful.

Consent decision tree


Update: Sorry that the tool is not currently working – My supposedly ‘unlimited’ free Zingtree account has expired, and they want £984 a year for me to renew it, which I can’t afford. Currently looking for alternatives – if you know of one, hit me up! I’ll post a downloadable text version of the tool very soon.


Following on from some of the ranting I’ve been doing about the current unhealthy obsession with consent for processing, here’s a funky tool that I have created for determining whether consent is the appropriate legal basis for processing under GDPR.

At the moment, it only covers Article 6 but I’m working on another one that addresses special categories of personal data as well.

Please let me know what you think about this tool in the comments section!

What the GDPR does – and doesn’t – say about consent

Meme courtesy of Jenny Lynn (@JennyL_RM)

You may have noticed that the General Data Protection Regulation is rather in the news lately, and quite right too considering there is only a year left to prepare for the most stringent and wide-reaching privacy law the EU has yet seen. Unfortunately however, in the rush to jump onto the latest marketing bandwagon, a lot of misleading and inaccurate information posing as “advice” in order to promote products and services is flourishing and appears to be drowning out more measured and expert commentary. Having seen a worrying number of articles, advertisements, blog posts and comments all giving the same wrong message about GDPR’s “consent” requirements, I was compelled to provide a layperson’s explanation of what GDPR really says on the subject.

So, let me start by saying GDPR DOES NOT MAKE CONSENT A MANDATORY REQUIREMENT FOR ALL PROCESSING OF PERSONAL DATA.

and again, so we’re completely clear – GDPR DOES NOT MAKE CONSENT A MANDATORY REQUIREMENT FOR ALL PROCESSING OF PERSONAL DATA!!!

So what does GDPR say about consent? It says that to be allowed to process (i.e. do anything at all involving a computer or organised manual files) personal data, you must have at least one “legal basis” for doing so. Let’s call the list of legal bases “Good Reasons” for now, to keep the language friendly.

The Good Reasons are:

when you have consent to process personal data

when there is a contract between you and the individual (“data subject”) or between the individual and someone else which requires you to process their personal data in order to fulfil its terms. This also applies to any processing that is needed in order to prepare or negotiate entering into a contract. Example: buying a house

When there’s a law or legal obligation (not including a contract) that you can only comply with by processing personal data – example, accident reports for health & safety records

when someone’s vital interests are at stake unless personal data is processed (usually only applicable to life-or-death situations – e.g. the emergency services having a list of employee names to identify survivors after a building collapse)

In the public interest or when acting under official public authority – such as political parties being allowed to have a copy of the electoral register (providing they don’t take the mickey in their uses of it).

When personal data needs to be processed for an activity which is in the “legitimate interests” of the organisation (“Data Controller”) or the individual.

Now, just because consent is listed first does not mean that it is the most preferable Good Reason, the most important or the default option. It is none of those things – in fact, when considering which Good Reason applies to processing, the other options should be tested first. If you picked consent because it was top of the list and consent was later withdrawn, but you realised there was a legal obligation to continue to process the data, you would be in a pickle – either you’d be in breach of privacy law (continuing to process when consent has been withdrawn) or in breach of the other legal obligation.

Please note that opting for “legitimate interests” as the Good Reason is not a way of dodging around the prospect that consent may be withdrawn or refused, as there is an absolute [edit; objection *can* be overridden by the Data Controller in some circumstances] right for the individual to object to the processing of their personal data when “legitimate interests” is the Good Reason for processing. All legitimate interests does is save you the effort of having to obtain and demonstrate specific, informed and freely-given consent before you can have or start using the data.

When it comes to special categories of personal data (formerly known as “sensitive personal data”), there is another set of legal bases (we’ll call these Damn Good Reasons) which must also be met for the processing to be allowed. In fact, GDPR says that unless one of these Damn Good Reasons is applicable, then you’re not allowed to process special categories of personal data at all.

The Damn Good Reasons are:

When you have explicit consent

OR

When employment law, social protection law or social security law says you have to do something that requires the processing of special categories of personal data

When the processing is required in someone’s vital interests but the individual is incapable of giving consent

When the processing is necessary and carried out by a trade union, philosophical or religious non-profit organisation to administer their membership operations

When the individual has already and deliberately made the data public

When the processing is necessary to defend legal rights, legal claims or for the justice system to function

When the processing is necessary in the public interest (just like in the Good Reasons list)

When the processing is necessary in order to provide health care, treatment and management of health care services

When public health may be at risk if the processing isn’t carried out

When the processing is necessary for archiving, historical or scientific research, or statistical analysis

Again, although consent tops the list it does not mean that it should be the first choice of Damn Good Reason. As with the other list, it is wise to consider first whether there are other Damn Good Reasons that apply and only choose consent where there are no alternatives.

There is some confusion at the moment about the difference between “consent” (Good Reasons) and “explicit consent” (Damn Good Reasons), especially as GDPR says that for any consent to be valid, it must be “unambiguous”. I’m going to leave the dissection of that to greater minds than mine (see refs). However, I will say that when in doubt, go for whichever approach gives you the most solid evidence.

So that’s what GDPR says about whether and when you need consent.

HOWEVER – another law (the Privacy & Electronic Communications Regulations, aka “PECR”) says that you must have explicit prior consent before sending any unsolicited direct marketing by email. This is not the same as the Good Reason/Damn Good Reason “[explicit] consent for processing” but the separate requirements are often confused. It may be in your organisation’s legitimate interests to collect, store and analyse contact info but if you are emailing unsolicited direct marketing messages you will also need to have obtained consent for email marketing from the recipient.

A few words on mechanisms vs outcomes (if you’re still reading, congratulate yourself on your fortitude!)

‘Consent’ is an outcome – you and the individual have achieved a defined, mutually-understood relationship in which you as a Data Controller can process their personal data for a particular purpose and in a particular way. This outcome needs to be an ongoing state of affairs. If the individual later decides to change the relationship and no longer allow you to process their data then you no longer have consent (and must stop any current or future processing).

Tickboxes, signatures and “click here” buttons are mechanisms for obtaining consent. However, if the agreement you have obtained using this mechanism is not specific, informed and freely-given then you do not have valid consent under data protection law.

Transaction logs, screen prints, signed documents and call recordings are evidence for the process of obtaining consent. These are only as good as the outcome that the process supports. If the individual has been misled, or they dispute that the processing you are doing is what they actually agreed to, or the processing purpose + Good/Damn Good Reason was not made clear to them, or they have simply changed their mind then you do not have valid consent even if you have evidence that consent was asked/supplied at one point in time. Consent is not a fire-and-forget activity, and consent obtained once is not set in stone forever.

So in order to be able to get and keep valid consent you need to have good processes for obtaining, maintaining and verifying the outcome, i.e. the relationship between you and the individual. This means careful attention to training, customer service and content of privacy notices.

So, in summary (well done for getting this far!):

  • GDPR does not say “all processing requires consent” – and anyone who says that it does, clearly does not know what they are talking about. Ignore them.
  • GDPR says that sometimes you will need to get consent and when that is the case; it sets out the standards that you must meet.
  • Consent for unsolicited electronic marketing as required by PECR is not the same thing as consent for processing of data described in GDPR.

I hope that clears it all up.

More about consent under GDPR if that is the Good Reason/Damn Good Reason you need to use:

https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/23–guide-to-the-gdpr–consent.pdf?la=en
https://www.taylorwessing.com/globaldatahub/article-understanding-consent-under-the-gdpr.html
http://privacylawblog.fieldfisher.com/2016/the-ambiguity-of-unambiguous-consent-under-the-gdpr/
https://www.whitecase.com/publications/article/chapter-8-consent-unlocking-eu-general-data-protection-regulation
