A few weeks ago, Eduardo Ustaran author of the Future of Privacy by Dataguidance, shared an interesting (and dangerous) question on the IAPP LinkedIn group, which is mainly followed by Privacy professionals: “is Consent still the essence of Privacy?”. The first thing that came to my mind was “toxic question!”, followed by “yes but an interesting one!”. Since then, we’ve been following this, two months long thread, on a daily basis.
One of Privacy’s main challenges lies within the exact meaning of words used to describe facts, ideas and duties. This issue is emphasized when we deal with different cultural, social and historical approaches, which have shaped our respective legal frameworks. And this definitely becomes horrendous when you use a language that is not your mother tongue! For me, as a lawyer, the use of one particular word instead of another can make all the difference in the world.
What is the exact meaning of Consent? And what does your interlocutor think of when she hears the word “consent”?
According to Google, taking consent as a noun, it means “permission for something to happen or agreement to do something.” Synonyms are agreement, permission, and authorization.
The etymology of consent, again according to our friends at Google, lies within it’s Latin and Old French roots as depicted.
Comparing consent mechanisms between the EU & the US
To us, Spanish Europeans vested in legal matters and analytics, it is obviously the way to express agreement about data collection. Yet life is always complicated and thus:
The EU Data Protection Directive defines user consent as a “specific and informed indication of wishes by which the data subject signifies his/her agreement to personal data relating to it being processed”.
I won’t get into any boring legal descriptions, rest assured, yet it would be good to note that:
The user must know exactly how a company will use, process and share his/her data. Additionally, this user must be in agreement with each concretely specified purpose. An adequate choice mechanism must be in place at the moment of data collection.
In the US, Privacy professionals (and users) travel from Express Consent (opt-in) to Implicit Consent (opt-out) to no consumer choice what so ever.
Basically, for the US, the user is all in agreement, can disagree with some or “we don’t really care what the user thinks”, sums it up.
As American legislation related to Privacy is made out of a patchwork of legislation, we would have to check each specific law to know if and how user consent should be taken into consideration and at which level.
Opt-in, opt-out and the real world of Big Data
This initially insignificant detail about something as simple as Consent makes a huge difference, not only regarding the way data processors present information to users but what users actually expect.
In Europe, even if under certain very specific conditions opt-out is tolerated and accepted from a legal perspective, the user must express consent in an affirmative and explicit way aka opt-in! Additionally, such Consent must be explicit for each specific purpose. This means that Consent is intimately linked to the purpose for which data is collected in the first place.
How many of us, data scientists, actually know exactly what we want to do with the data in the long term, let alone the exact purpose for which we are collecting it in the first place? Additionally, in light of Big Data, new purposes are bound to arise. If data is to be used for a new purpose, a legal authorization is required: consent must be collected! Consent must be collected as they say in Spanish “si o si” or in French “oui ou oui”, explicit or implicit, depending upon the legislation but also customer expectations.
Example: Target and the pregnancy case or Is Big Data killing the Privacy Framework?
The ultimate bonfire of vanities in the legal world that dapples its toes into data science is proclaiming that Big Data is killing the Privacy framework.
And in this context, the Target fiasco related to identifying pregnant women through the use of Big Data is often cited. This is however a fallacious example to anyone who gave the issue any serious thought. Indeed, what Target initially succeeded in doing was to identify, with a probability deemed worthy and high enough, which women would be more likely to be pregnant. Moving from high likely hood towards certainty is however an entire other galaxy!
Wouldn’t any marketing/communication executive think about actually confirming, one-way or another that indeed, said customer ID# is pregnant? That’s interestingly enough also where most lawyers are confused between loyalty cards for example and digital analytics. While the first more often than not requires affirmative action from the customer to enter into such a program, the later, digital measurement, is mostly a by default tracking setting. And I won’t even get started on who actually defines but also agrees that variable X, Y or Z can indeed be tracked without any form of consent and uploaded onto your analytics tools, where ever it’s hosted.
In the United States of America however, the situation is quite different.
While some US privacy laws require affirmative consumer Consent (usually when sensitive data is involved and collected, the infamous PII), no consumer choice needs to be provided in a large range of situations.
Indeed, the FTC report entitled “Protecting consumer privacy in an era of rapid change” clearly stated that “Companies do not need to provide choice before collecting and using consumer´s data for practices that are consistent with the context of the transaction, consistent with the company´s relationship with the consumers, or as required or specifically authorized by law”.
The big current and global challenge, in our interconnected world, from Europe to the US while not forgetting Asia and other continents, is to adequately rise to the challenge of fulfilling user expectations.
We, at Mind Your Privacy, remain astonished at the pace of change for so many Internet related specializations. From the evolution of design to business models and data management, not a day goes by where new ideas, applications, IT infrastructures, ways of management are exposed as being the next big thing, the new hype and bandwagon everybody should be jumping upon. Yet legal notices have not evolved for decades, except for the addition of new clauses – more often than not in capital letters, certainly when translation into other languages is involved – to better hedge the company against any additional legal risk.
The consequence of this ever extending legal mumbo jumbo is that, when the user actually reads something like “when you interact with us, we may ask you to supply us with personal information so that we can provide, enhance and personalize our services and marketing efforts”, she will expect what your company was delivering 15 years ago in terms of personalization and marketing, totally unaware of technical possibilities induced by communicating systems that can now a days share data globally within milliseconds.
There is a clear disconnect between what technology and data can do today and what users imagine or expect a company does with their data. There is also a clear disconnect between the pace of change of technology and legislation.
The questions that should arise from these sad but true findings for any serious, forward looking and data driven company are:
Once you have assured you actually comply with what your policies state, ask your self this: Are my customer expectations related to how I handle the data aligned with reality, what I actually do with the data? If not, what to do?
- Say nothing and continue business as usual, hoping no one will notice? And have a plan in place in case of anyone finding out!
- Education in order to help social norms evolve?
- Put any (big) data initiatives on hold?
Align your legal notices with user expectations: plain language, feedback possible (don’t make it too easy, you don’t want your “freedom fighters” spamming you all over the place!), choice and how about a video explaining them?
- Is my data handling in line with legal requirements, throughout the continents my company does business, including addressing “foreign” customers that are not based in the same place as my HQ or any of my subsidiaries? Reminder: the EU Personal Data Protection has passed the LIBE committee last year and continues to make progress to defend the Privacy Rights of EU citizens
- Do I actually know how my data is being handled: what, where, when and by who? Reminder: this is a good time to start creating an inventory of the data you are managing, just so that you can be ready in case of breach or any other of the legal requirements such as data access, rectification, possible erasure etc. etc. etc.
- Do I actually know where Consent should be asked for? And how strong is this collected Consent is in order to allow me to undergo any processing of this data? What happens if a law changes and I suddenly need Consent?
The time is NOW to regain control of your data from collection to putting it to use to support your bottom line. Understand, centralize & harmonize your Consent mechanisms in order to gain agility. Try to understand your customer expectations in order to align your data use to it so as to avoid any “creepiness” backlashes. Last but not least, who has access to your data, both internally as externally? Try to find out, this is important as well.
Build your Privacy by Design data management processes.
It will allow you to hedge against the risk of any legal surprises but also allow you to build on top of these data processes information security measures to minimize data breaches, prepare for responses to customer enquiries and God forbid, any security issues.
Data is the new Oil, Privacy is the new Green. Prosper & be safe!
article co-written with María Gomez Moriano