Consent, Choice and Online PrivacyBy: Richard Beaumont | Tuesday, August 14, 2012 | Tagged: Online Privacy | 4 Comments
We have already seen over the last few months how difficult it can be to relate the word of law to the practical reality of life online.
There can be little doubt that the way many website owners have chosen to comply with the changes in the law on cookies, at least in the UK, is a long way from what was almost certainly originally intended by the law makers themselves.
It is no surprise really that without more obvious regulatory or consumer pressure, website owners did not want to make significant changes. We may never know how much lobbying by big data companies had an influence in last minute changes to guidance, but we can be sure that such lobbying went on.
So we have notices that people don't read, and links to sites about deleting cookies with clumsy browser settings, and the reality is consumers are no more protected than they were before from having masses of data being collected about them without their knowledge. Much of which is sold on, re-processed, and served back to them in the form of targeted advertising.
I think to understand why this could happen - you have to go back to the law itself - and in particular the gaps in it. There has been much talked about the issue of consent and whether it need be explicit or obtained prior to processing or not. This was always a crucial issue because it is the neeed for consent that drives requirements for disclosure about the data being processed, so that people can be assumed to be sufficiently informed for their consent to become valid - you cannot in law consent to something you do not understand, or have not been given sufficient opportunity to understand.
However by focussing so exclusively on consent, what gets lost is the idea of choice. On most sites that have 'complied', people are not being given any choice except the starkest - to continue or leave. Yes, they can change their cookie settings in their browser, but this effects all sites not just the current one. Also, depending on the settings one chooses - the browser controls can fail to block the activity you want to prevent, or stop some functionality that you would like to have.
Visitor choice, especially dynamic and adaptive choice, should be at the heart of the drive for protecting online privacy. Without choice, consent is a meaningless concept.
It's the same with sites that say 'by continuing, you are giving your consent' - the choice being presented is both empty, and more often than not removed before you have a chance to evaluate what kind of choice you want to make.
And yet choice has to be key to both a real increase in privacy, and the perception from visitors that their privacy is respected.
We have seen recently that giving people choice increases trust, and if people trust you, they are more likely to allow you to collect data about them. Of course it is also true that increased trust results in increased business.
At the same time, the exercise of choice is also an act of giving consent - as long as it is made clear from the start of the online relationship what the options and consequences are.
I hope that the people working on and contributing to the new EU data protection framework can learn from the experience of the cookie law, and switch their prime focus away from arguments about the meaning of and mechanisms for consent - and instead promote a requirement for privacy choices. Ideally choices that can be made, changed, and unmade depending on the services on offer, and who is providing them.
Sadly, reading the recently leaked feedback from EU member states - I fear this opportunity might be lost.