
Privacy Perspectives | It’s 2019, so why are we still talking about opt-in consent?


Once again, legislators are touting their opt-in consent bills as the revolutionary solution to all our privacy woes. Once again, they could not be more wrong. At a time when even our toasters are online, opt-in consent is a horse in a self-driving car world.  

State Rep. David Santiago, R-Fla., announced in September 2019 that he is introducing a privacy bill that calls for opt-in consent because the “basic framework should always start with the opt-in option. All too often, and somewhere in small print, consumers may not realize the automatic default is to use your information as these companies and governments see fit unless you opt-out. It should always be the other way around. They should not be able to use your information unless they have your express consent by opting-in.”

And he’s not alone. The proposed federal Consent Act, which aimed to change the current regime of opt-out to opt-in, would prohibit companies from barring services if consent was not received. The California Consumer Privacy Act allows a business to provide a different service or charge a different price in exchange for an opt-in collection of data if that difference is related to the value the data provides to the business, which — spoiler alert — is always.

Bill drafters and the privacy advocates who support them assume that opt-in consent is inherently better for consumers without asking the right questions. Instead, taking into account consumer expectations and experience, they should be asking:

  • What is the benefit?
  • Who is benefitted?
  • Is privacy enhanced?

Opt-in consent is worse for consumers for three reasons. First, it stifles innovation and competition, as smaller businesses and start-ups, which are more likely to innovate, receive fewer and less diverse datasets, leading to fewer choices for consumers in the market. Second, it disincentivizes companies from creating additional privacy controls because of the presumed additional protections of opt-in. Third, it lets legislators off the hook for finding interesting and meaningful solutions to our privacy problems without addressing the real issues of lack of accountability of data use and collection.

Opt-in consent does not benefit consumers or enhance consumer control

The supposed advantages of opt-in are that it allows consumers to make informed decisions and gives them greater control over who gets their information and when. Make no mistake, both opt-out and opt-in require the same amount of disclosure on the collection and use upfront. The consumer is not any more informed or empowered by the distinction, and the prohibitions on collection can occur at the same time. But there is a real difference in the consequences for businesses and consumers alike.

Consumers and businesses are harmed when innovation is stifled

Opt-in does not provide greater privacy to consumers, and in an increasingly digital economy, it harms smaller or start-up businesses. The biggest draw of having a singular data privacy law is to provide a level playing field so that all companies — and consumers — can work against the same expectations and requirements. Larger companies are then more likely to enhance their privacy controls and design products in a way that differentiates them from the privacy practices of their competitors because they are more likely to have the resources to go beyond mere compliance.

Having a law hinge on default opt-in consent for data collection defeats that purpose in many ways. Smaller businesses and start-ups innovate faster and find new solutions because they are able to take on more risks and expend resources on those ideas than established larger brands are. However, those smaller shops are already strapped for resources and data, even though they need to rely on it to product test and innovate the most. Having access to smaller pools of data or not being able to collect any without prior opt-in would put them at an even greater disadvantage to larger companies that are going to have their historic data stores grandfathered in. This means the majority of innovation will have to come from larger companies, resulting in less competition in the industry and less choice for consumers. The sheer number of available products and content will change because smaller businesses will not be able to undertake the cost of compliance the same way that a larger institution can with an opt-in law that otherwise treats all businesses the same, lessening competition and limiting consumers in their ability to choose.

Further, provisions in bills — like the Consent Act — that tie opt-ins to payments or additional benefits may have the unintended result of skewing the type of data fed into AI algorithms because, as was pointed out during the U.S. Senate Committee on Banking, Housing, and Urban Affairs’ Oct. 24 hearing on data ownership, those with lower income may be more likely to take advantage of those cost-savings or payments. With artificial intelligence being increasingly involved in processes determining employment, loan eligibility, parole decisions based on recidivism statistics and facial recognition in law enforcement, homogeny in data sources can only hurt those in society who are already most vulnerable to discrimination and potentially create a new class division of those who can buy additional privacy protections or benefits compared to those who cannot.

Consumers are harmed when the buck is passed

Opt-in laws also have the undesirable effect of passing the responsibility for data sharing and use on to consumers instead of forcing accountability onto the company to enhance its practices or designs to keep that user and their data safe. For example, in 2017, WikiLeaks revealed that Samsung TVs could be turned into a listening device. As a result, Samsung provided complicated instructions on virus scanning that begged the question of why such scans weren’t automated by the company.

This was clearly a huge privacy flaw in the design, but an opt-in privacy law would not have changed the outcome. A person who did not want or need to connect to streaming services through the television would not purchase a smart TV. They have, in their purchase, already opted in to the use. Asking them beforehand, even with the disclosure of the vulnerabilities, does not make the product more secure because the user has no meaningful choice. They either keep this TV or buy another smart TV that has the same features and vulnerabilities. Because there is no competitive advantage (or regulatory mandate) to changing your data source, there is no incentive in creating a safer product. In other words, had this feature been opt-in instead of -out, how would that knowledge protect consumers, particularly if the industry designs the product in a similar manner across the board? Opt-in will become even less connected to meaningful choice as traditional network channels and companies move the availability of their content to streaming platforms.

Opt-in consent stifles innovation in privacy law

As with Samsung, the same is true for Amazon’s Alexa, where by default, Alexa can listen to the conversations in your home. Amazon confirmed to CNN that it hires people to listen to what customers say to Alexa in order to improve the software. If prior to using Alexa you had to specifically sign something to opt in, even with this disclosed possibility, would you give up all the perks of the device, i.e., the reason you bought it in the first place, in order to do so?

Studies show that consumers will (and often must) give companies their data if they get a benefit in return. This, combined with opt-out rates that typically hover around 1-2% of overall traffic, indicates that when given the choice, consumers will provide information to utilize the most enhanced version of the product. As such, adding opt-in to a privacy law and calling it a day isn’t addressing the actual root of the problem.

That is what privacy legislation should be focused on: finding different and meaningful ways to hold companies accountable for how they can use the data that consumers have shown they will willingly provide, taking into account that not all companies or industries are created equal in the kind of limitations and controls needed for use and reuse. Facebook is not Amazon is not JP Morgan, and they shouldn’t be treated the same.

But that, in essence, is what happens with an opt-in law.

Once the company discloses its purpose, and you agree, it can meet those purposes — including its self-selected broad definition of the service, as evidenced by Facebook this past year — without any limitations. The risks of that data “misuse” are not the same for all companies. If Facebook misuses information, it can skew public opinion and election results. While it has its dangers, the risk of Amazon’s misuse of your purchasing history for recommendations has less severe consequences. The same is true for an already highly regulated entity, like a bank — and its necessary data uses.

I’m not saying that default opt-out should be a stanchion of any privacy law. However, both the practical reality of how we do business now and where we want to go is not furthered and may actually be harmed by any regime that holds up opt-in as a cure-all to all our privacy concerns. We can do better.

Opinions expressed in this article are those of the author and not of her firm, investors, clients or others.

7 Comments


  • Mark Little • Nov 13, 2019
    Polina - very thought provoking article. I agree that Opt-in does have the risk of those unintended consequences. To the extent you are right, opt-out does potentially have some merit instead. A viable alternative argument though is that opt-in likely results in fewer people having their data collected/used, which would in theory put more pressure on the data collectors/users to change their behavior. The real root though is the fiction we are telling ourselves that consent is really meaningful in any way. There is a real power imbalance in terms of knowledge and expertise that suggests consumers really aren't informed as to what they are consenting to and how their data is being used. The real issue is as you suggest the need for better legislation that puts the accountability for protecting and respecting privacy on the users of data - along the lines of Legitimate Interest processing under GDPR where additional technical controls that protect data in use are necessary to justify using it as legal basis for processing.
  • Mila Dimitrova • Nov 14, 2019
    Agree with Mark, provoking piece from an opinionated professional. I agree that opt-in is not safe haven stand alone. Agree that accountability should be provisioned in a law as well.
    However, I just want to point out another aspect which is essential in my understanding for the privacy legislation and operational practices - transparency. If we consider the opt-in requirement as consent form that not only distributes responsibility but also educates the user to close the knowledge gap this might be the right path. What is more important is that even the consumer in the case of Samsung TVs, for example, has already made the purchase his/her personal data is not yet processed from a factual stand point (has not plugged it and the profiling based on personal data has not started). So just-in-time consent is justified as an addition to a Privacy Notice provided in advance and/or the time of purchase. We should always look at the big picture: digital is another environment in which more and more people are living in and digital skills including personal data protection should be built. All the above-mentioned is along with collective protection exercised through accountability.
  • Brian Mahoney • Nov 14, 2019
    Polina, thank you for the interesting article. I'm actually a proponent of opt in, as there is currently a significant unregulated data company ecosystem. My other note is around your assumption that opt in penalizes smaller, more innovative companies. One interesting capability of cloud services is that they can scale up and down quite easily, so small companies can grow and shrink quite easily from a technical perspective to the size of large companies as needed, without a significant investment. Thus not being blocked from innovation due to size.
    
    In re behind the scenes data brokers, do a quick search for "secret data company brokers" and you can see a number of articles such as the following from Fast Company: https://www.fastcompany.com/90310803/here-are-the-data-brokers-quietly-buying-and-selling-your-personal-information.
    
    In Washington state there is a push for increased privacy similar to GDPR and California Privacy. 
    
    Regards
    Brian Mahoney
  • Polina Arsentyeva • Nov 15, 2019
    Thank you everyone for your perspectives and adding to the discussion; it's exactly what is needed around data privacy laws as recent bills try to simplify it to the issue of consent, even for "sales." The greater point that I was trying to make - to echo Mark - is that having any privacy law tied to consent, in or out, without addressing the larger issue of accountability and limitations on use regardless of consent. Those bills should also be more conscious of the differences amongst industries and how they use data, and not attempt to regulate data brokers within the same parameters as banks and restaurants.
  • Jun Qu • Nov 15, 2019
    Pointing out the core accountability issue is of no use, everybody knows it. Try to solve it, and let's see if you can work out a better solution than opt-in. Claiming "both opt-out and opt-in require the same amount of disclosure on the collection and use upfront" just shows you're living in Utopia, but I'm living on Planet Earth.
  • Emma Butler • Nov 18, 2019
    Couldn't agree more with the article. We need legislators and regulators globally to wake up and stop trying to fix privacy with consent. The majority of business data processing is necessary to provide the product / service or to run the business. There is very little data processing where an individual genuinely has a choice and so consent would be appropriate. In the EU, raising the standard of consent in GDPR was supposed to stop companies from using consent inappropriately, which is what had been happening. Unfortunately, it hasn't worked and now we see the same inappropriate use of consent, only it's more ludicrous given the conditions for consent to be valid. While there are many aspects of the EU approach to privacy law I would not recommend other countries follow, I do think the 'lawful bases' approach is a sensible one as it recognises the various valid and legitimate reasons for data collection and use. And despite some thinking 'legitimate interests' is a get out, it isn't. The assessment you have to do to use it is thorough and not taken lightly.
  • SANDEEP SANGWAN • Dec 6, 2019
    Polina, this is very interesting with a multi-dimensional way of looking at laws that hinge on "consent" for processing data. Since the privacy world in the recent years has seen an upsurge in the need to allow individuals to have more control of data that businesses and governments hold about them, and more and more jurisdictions following the trend of "opt-in consents" as a way to justify such control, the legislators need food for thought such as your article, to have a balance in privacy rights and freedom to do business.