TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout


One of the most common elements of compliance in data privacy laws and regulations around the world is a mandatory consent requirement. Clearly, given the legislative landscape, the consent requirement is growing and trending toward increasing stringency and complexity. But how to avoid consent fatigue? 

Consent requests, combined with the obligation of transparency, aims to give back control to individuals over the use of their personal data. They have to reasonably understand why their information is to be collected, its purpose and who will access it, and the amount of the information exchanged.

The frequency of interactions with organizations that collect personal data makes it tedious, if not practically impossible, for individuals to process the information contained within a consent format, in particular, where organizations unduly use bundled consents to a broader range of operations.

Aleecia McDonald and Lorrie Faith Cranor from Carnegie Melon University estimated in an exhaustive survey in 2008 that U.S. individuals are likely to encounter an average of 1,462 privacy policies a year, representing costs in time of approximately 244 hours a year worth about $3,534 annually per American internet user. These figures have only risen since.

On the basis of these findings, in a preliminary report released by the Australian Competition and Consumer Commission into Google and Facebook, the authority found that each digital platform’s privacy policies, which include the consent format, were between 2,500 and 4,500 words and would take an average reader between 10 and 20 minutes to read.

In addition, since the EU General Data Protection Regulation entered into effect in May 2018, several data protection authorities have clarified the requirements for valid consent. In particular, the French CNIL has reminded that consent has to be given at the time of data collection, has to be specific, and cannot be passed to another controller through a contractual relationship; it could not be bundled.

Furthermore, the consent-based regime creates an obligation to document that consent was lawfully given.

In this context, organizations must find solutions that ensure that individuals are making an informed decision over the use of their personal data. This will avoid overburdening with too much information every time they access a website, navigate across the internet, download an application, or purchase goods and/or services. This may result in a certain degree of consent fatigue.

To remedy to this consent fatigue, four solutions can be suggested:

First, organizations must identify the lawful basis for processing prior to the collection of personal data. Under the GDPR, consent is one basis for processing; there are other alternatives. They may be more appropriate options.

Processing can be based on the ground of the execution of a contract, legal obligation, vital interests, legitimate interests or public tasks. In the first of a series of blog posts, U.K. Information Commissioner Elizabeth Denham clearly states that consent is not the "silver bullet" for GDPR compliance.

In many instances, consent will not be the most appropriate ground — for example, when the processing is based on a legal obligation or when the organization has a legitimate interest in processing personal data.

However, there is often a wrong assumption that without requiring and obtaining formal consent, the processing of personal data is doomed.

The U.K. Information Commissioner’s Office suggests in its guidelines on consent to carefully evaluate the most appropriate lawful basis of processing that reflects the true nature of the relationship between the organization with the individual and the purpose of the processing.

Second, organizations may require consent from individuals where the processing of personal data is likely to result in a risk or high risk to the rights and freedoms of individuals or in the case of automated individual decision-making and profiling. Formal consent could as well be justified where the processing requires sharing of personal data with third parties, international data transfers, or where the organization processes special categories of personal data or personal data from minors.

Data protection authorities may as well establish which processing operations are subject to the requirement for consent.

Outside of these exceptions, data processing limited to purposes deemed reasonable and appropriate such as commercial interests, individual interests or societal benefits with minimal privacy impact could be exempt from formal consent. The individual will always retain the right to object to the processing of any personal data at any time, subject to legal or contractual restrictions.

Privacy impact assessments or data protection impact assessments under the EU GDPR, before the collection of personal data, will have a key role. If the PIA identifies risks or high risks, based on the specific context and circumstances, the organization will need to request consent.

This way, personal data is more effectively protected allowing individuals to focus on the risk involved in granting authorization for the use of their personal data and to take appropriate decisions based on the risk assessment. Consequently, the burden and confusion generated by systematic consent forms is constrained.

Third, the focus should be centered on improving transparency rather than requesting systematic consents. Lack of transparency and clarity doesn’t allow informed and unambiguous consent (in particular, where privacy policies are lengthy, complex, vague and difficult to navigate). This ambiguity creates a risk of invalidating the consent. On the other hand, improving transparency helps to build trust.

The European Data Protection Board recommends that the provision of information be concise, transparent, intelligible and easily accessible throughout the whole processing cycle. Additionally, the information should be clearly differentiated from other non-privacy-related information, such as contractual provisions or general terms of use.

Finally, from a practical point of view, we suggest the adoption of "privacy label," food-like notices, that provide the required information in an easily understandable manner, making the privacy policies easier to read.

Through standard symbols, colors and feedbacks — including yes/no statements, where applicable — critical and specific scenarios are identified. For example, whether or not the organization actually shares the information, under what specific circumstances this occurs, and whether individuals can oppose the share of their personal data.

This would allow some kind of standardized information. Some of the key points could include the information collected and the purposes of its collection, such as marketing, international transfers or profiling, contact details of the data controller, and distinct differences between organizations’ privacy practices, and to identify privacy-invasive practices.

Ultimately, it is clear that organizations cannot process personal data without individuals’ knowledge. Currently, there is a high frequency of consent requests, privacy notices, cookie banners or cookie policies on every visited website. As a consequence of consent abuse, individuals resent a fatigue, resulting in consent loosing its purpose. In addition, as mentioned above, the cost of reading consent formats or privacy notices is still too high.

Accordingly, it would be appropriate to incentivize organizations to evaluate the proposed remedies for processing personal data, including, for example, requesting consent for cookies in all transparency, where it is truly needed and appropriate, in order to avoid the risk of consent fatigue and privacy carelessness.

photo credit: quinn.anya Yes or No via photopin (license)


If you want to comment on this post, you need to login.

  • comment Emma Butler • Jan 30, 2019
    The article quite rightly emphasises that in the EU you have different lawful bases and therefore consent is only one of those options. Most business processing is done on another lawful basis. However, the US and other countries do not take this approach and even though consent is often not the same thing as an 'EU consent', it is still the only option for companies.  EU law also forces companies to use consent for many sensitive data processing activities, where it is not actually appropriate in the specific context.
    My own view, which I appreciate may be controversial, is that consent in its current form is actually pointless. I have no issue with the notion that you should have genuine choices for whether to take part or not in some activities. But when you consent to something, what are you actually agreeing to? You have no choices at all with regard to the set up of the data processing in question. You don't get to choose how the company does the processing, where they store the data, what third parties they use, and so on. So your consent is really just you choosing to take part in something, get a product, receive information or use a service, and then all the data processing that happens is necessary to deliver what you have chosen.  
    There is also an increasing gap between the reality of data processing and individuals' expectations that you have to ask their permission to do anything. Reframing consent to recognise where individuals actually have choices would go some way to addressing that. It would also allow processing that is currently unfairly prohibited without a 'consent'. An example: I have a fitness tracker. The entire point of a fitness tracker is to track and measure things like daily step count, exercise done, calories burned, sleep and so on. I bought one because I wanted to track and measure those things. To provide me with all these things it has to collect and process a range of data, some of which is considered 'sensitive' (under EU law definitions). I have to 'consent' to this processing, which is a nonsense. The choice I had was getting one in the first place and deciding which elements I want to track and measure. Now I have one, the processing is necessary to deliver the product features I want to use. How the fitness tracker company manages all that on the back end is not something I have any say in, nor should I. They are legally obliged to set it all up properly (privacy by design, security, transparency, third-party diligence, transfer measures and so on).
  • comment Alexa Romero • Jan 30, 2019
    A good article, I agree, the data protection authority must define the data operations wich implies  personal data treatment by default, in this way we can assume there are a implicit consent at moment that the dat owner take the service or product.
    This article provide us good reason to evaluate the future of technology advances and the scope of this regulations.
  • comment Christina Kougia • Feb 19, 2019
    Under EU GDPR, data processing, has indeed different lawful bases. Chosing a lawful base for the processing, no matter how obvious it may seem to the DPO or the controller isn’t always similarly obvious to the individual submitting its data, the controlling authority or the courts judging a case of data privacy violation.
     A very interesting example of this is the frenzy of contradictory court decisions in Greece concerning the data processing of Financial institutions’ clients by debt collection agencies (processor). 
    Financial institutions base the processing in legitimate interest (ie the bank has the right and the legal option to pursue the outstanding debt from the debtor and the legal obligation to pursue first, an out of court settlement through the legally established debt collection agencies). However , the debtor pursue this processing as violation of his/her rights, claiming that he doesn’t  wish x or z debt collection agency to receive his/her data and objects such processing. 
    Surprisingly, Greek civil courts have recently issued a variety of decisions ranging from lawful basis for such processing, being: i) the consent of the debtor which should be “free” and implicit and include each specific debt collection agency receiving the data, or  ii)  the bank’s legitimate interest which is not however superior to the individual’s right of privacy and therefore the individual may object to such processing, or iii) the execution of the loan agreement, yet the individual need to be informed prior to sending his/her data to each specific debt collection agency, in order to have the right to object to such processing. 
    As per article 29 data protection working party, legal basis for such processing is the financial institution legitimate right. Still, in such a case the bank should establish prior to sending to a debt collection company, the “sensitive” data of its debtors, if such legitimate interest overrides the freedoms and privacy rights of each debtor. 
    When a Bank transfers such information collectively to a debt collection agency is it ever possible to make an assessment of each individual s rights being superior or inferior to the right of the bank to collect its debt? Is the collection of a debt of 50 euros superior to the right of the individual to have its sensitive information not exposed to several debt collection companies calling him/ her to remind him the overdue payment ? Greek civil courts seem to believe that it is not and already grant compensations to individuals complaining for such violations, even though, contactual clauses specifically stipulate and inform debtors of the right of the bank to send the debtor s data to debt collection companies. 
    To sum up, consent, seems to be the only « safe » choice controllers have to proceed with the processing that they consider obviously being part of the execution of the contract or within their « superior » legal interests. Yet, even with a consent in hand, the caracteristics of such consent being free and implicit, are always subject to dispute and the controller might find itself realizing that no matter how diligently it proceeded with dealing with the issue of lawful basis, has finally nothing in hands but an obligation for compensation of the individual!
  • comment Aradhna Sharma • Feb 20, 2019
    please correct the broken link for  preliminary report shared by ACCC.
  • comment Leslie • Feb 21, 2019
    Thank you for letting us know. The link is working now.