One of the most common elements of compliance in data privacy laws and regulations around the world is a mandatory consent requirement. Clearly, given the legislative landscape, the consent requirement is growing and trending toward increasing stringency and complexity. But how to avoid consent fatigue?
Consent requests, combined with the obligation of transparency, aim to give individuals back control over the use of their personal data. Individuals have to be able to reasonably understand why their information is being collected, for what purpose, who will have access to it, and how much information is exchanged.
The frequency of interactions with organizations that collect personal data makes it tedious, if not practically impossible, for individuals to process the information contained in a consent form, in particular where organizations unduly bundle consent for a broad range of processing operations.
Aleecia McDonald and Lorrie Faith Cranor from Carnegie Mellon University estimated in an exhaustive survey in 2008 that U.S. individuals are likely to encounter an average of 1,462 privacy policies a year, representing a cost in time of approximately 244 hours a year, worth about $3,534 annually per American internet user. These figures have only risen since.
On the basis of these findings, in a preliminary report released by the Australian Competition and Consumer Commission into Google and Facebook, the authority found that each digital platform’s privacy policies, which include the consent format, were between 2,500 and 4,500 words and would take an average reader between 10 and 20 minutes to read.
In addition, since the EU General Data Protection Regulation entered into effect in May 2018, several data protection authorities have clarified the requirements for valid consent. In particular, the French CNIL has reminded organizations that consent has to be given at the time of data collection, has to be specific, cannot be passed to another controller through a contractual relationship, and cannot be bundled.
Furthermore, the consent-based regime creates an obligation to document that consent was lawfully given.
In this context, organizations must find solutions that ensure individuals make an informed decision about the use of their personal data without being overburdened with information every time they access a website, navigate across the internet, download an application, or purchase goods and/or services. Such overburdening results in a certain degree of consent fatigue.
To remedy this consent fatigue, four solutions can be suggested:
First, organizations must identify the lawful basis for processing prior to the collection of personal data. Under the GDPR, consent is only one basis for processing; there are other alternatives, which may be more appropriate.
Processing can be based on the ground of the execution of a contract, legal obligation, vital interests, legitimate interests or public tasks. In the first of a series of blog posts, U.K. Information Commissioner Elizabeth Denham clearly states that consent is not the "silver bullet" for GDPR compliance.
In many instances, consent will not be the most appropriate ground — for example, when the processing is based on a legal obligation or when the organization has a legitimate interest in processing personal data.
However, organizations often wrongly assume that, without requiring and obtaining formal consent, the processing of personal data cannot proceed.
The U.K. Information Commissioner’s Office suggests in its guidelines on consent to carefully evaluate the most appropriate lawful basis of processing, one that reflects the true nature of the relationship between the organization and the individual and the purpose of the processing.
Second, organizations may require consent from individuals where the processing of personal data is likely to result in a risk or high risk to the rights and freedoms of individuals, or in the case of automated individual decision-making and profiling. Formal consent may also be justified where the processing requires sharing personal data with third parties or international data transfers, or where the organization processes special categories of personal data or personal data from minors.
Data protection authorities may also establish which processing operations are subject to the requirement for consent.
Outside of these exceptions, data processing limited to purposes deemed reasonable and appropriate, such as commercial interests, individual interests or societal benefits with minimal privacy impact, could be exempt from formal consent. The individual will always retain the right to object to the processing of any personal data at any time, subject to legal or contractual restrictions.
Privacy impact assessments (PIAs), or data protection impact assessments under the EU GDPR, carried out before the collection of personal data will have a key role. If the PIA identifies risks or high risks, based on the specific context and circumstances, the organization will need to request consent.
This way, personal data is more effectively protected, allowing individuals to focus on the risk involved in granting authorization for the use of their personal data and to take appropriate decisions based on the risk assessment. Consequently, the burden and confusion generated by systematic consent forms are reduced.
Third, the focus should be centered on improving transparency rather than requesting systematic consents. Lack of transparency and clarity doesn’t allow informed and unambiguous consent (in particular, where privacy policies are lengthy, complex, vague and difficult to navigate). This ambiguity creates a risk of invalidating the consent. On the other hand, improving transparency helps to build trust.
The European Data Protection Board recommends that the provision of information be concise, transparent, intelligible and easily accessible throughout the whole processing cycle. Additionally, the information should be clearly differentiated from other non-privacy-related information, such as contractual provisions or general terms of use.
Finally, from a practical point of view, we suggest the adoption of "privacy labels," notices modeled on food labels, that provide the required information in an easily understandable manner, making privacy policies easier to read.
Through standard symbols, colors and feedback, including yes/no statements where applicable, critical and specific scenarios are identified: for example, whether or not the organization actually shares the information, under what specific circumstances this occurs, and whether individuals can object to the sharing of their personal data.
This would provide a standardized form of information. Key points could include the information collected and the purposes of its collection, such as marketing, international transfers or profiling, and the contact details of the data controller. Such labels would also highlight the differences between organizations’ privacy practices and help identify privacy-invasive practices.
Ultimately, it is clear that organizations cannot process personal data without individuals’ knowledge. Currently, there is a high frequency of consent requests, privacy notices, cookie banners and cookie policies on every visited website. As a consequence of this consent abuse, individuals experience fatigue, and consent loses its purpose. In addition, as mentioned above, the cost of reading consent forms or privacy notices is still too high.
Accordingly, it would be appropriate to incentivize organizations to evaluate the proposed remedies for processing personal data, including, for example, requesting consent for cookies with full transparency, and only where it is truly needed and appropriate, in order to avoid the risk of consent fatigue and privacy carelessness.