
Click to consent? Not good enough anymore
By John Edwards
2 September 2019 at 13:08


One of the most pervasive and persistent problems of privacy and data protection in the digital age is how to move the burden from consumers to read terms and conditions for services they are using, to the service providers to ensure they are clearly explaining the choices that consumers have, and the consequences for them.

We all know the problem, and it has been presented in a number of very striking ways. We’ve seen researchers print out and measure the length of the privacy policies and terms and conditions of popular services. Others have calculated the time it would take to read them all, if you started from 1 January.

Our Chief Justice believes that privacy consents will prove to be a significant issue. In her lecture commemorating the first New Zealand Privacy Commissioner, Sir Bruce Slane, she said:

There is good reason for proceeding with caution when weighing the significance to be given to consent when assessing whether the individual expected privacy or had waived it. These are standard contracts people must agree to if they are to access services, sometimes essential services. Most do not read the full content of any such contract. That is especially so with online service providers. Although the privacy policy must be agreed to before services can be accessed, acceptance is easy — simply click on the accept button.


Often the consequential authorised collection of data will occur in the course of a very low to no value transaction. Few would spend time reading a privacy policy before using a search engine or purchasing food to go. And yet by clicking accept, we are agreeing to all of the terms and conditions, if expressed in suitably plain English, contained in the privacy policy of the service provider. Even if we do read the privacy policy, it is doubtful we will have a full understanding of the implications of what we have agreed to. There is a very substantial asymmetry in technical understanding between the customer and most who operate business in an online world.

As with many problems that the digital age has created as a by-product of the convenience and access to services these products represent, the solutions need to be found in a range of different areas.

Yes, we need to change behaviours, both of consumers, and service providers, to make the former more curious, diligent, and perhaps willing to defer their digital gratification before “click(ing) to accept”. Industry needs to be both more transparent with consumers about the nature of the transaction that “click” involves, and more innovative in the ways in which it conveys that transparency.

Privacy by design will play a part. Making the most privacy protective options both obvious and the default setting should become the industry norm.

And regulation will play a part. I and my international colleagues need to grasp the nettle and ensure our consumer protective data protection and privacy laws do exactly that.

Labelling laws are a staple of consumer protection. There is a reason there are easy to understand graphics, prominently displayed on hairdryers warning of the dangers of exposure of the device to water. Would our product safety regulator colleagues allow those warnings to be buried on page 23 of a 26 page “consumer information notice”? I think not.

Here’s the approach I’m taking to our law. It is important to set this out now to ensure agencies know their obligations. When the Privacy Bill comes into effect in 2020 it has clear and explicit application to all agencies doing business in New Zealand, whether they have a physical base here or not.

The digital giants are addressing this issue in other parts of the world, so it is important that I give clear notice of the law they are expected to comply with here, and how I apply it.

Consent

Unlike other parts of the world, New Zealand’s law does not depend on consent as the primary authority for collecting, using and disclosing personal information. Consent certainly has a role, but the main driver is the legitimate business purpose of the holder of the information. Here’s what this means in practice for complicated privacy policies, terms and conditions, and “click to consent”.

Information privacy principles 10 and 11 say that an agency that collected personal information for one purpose should not use or disclose that personal information for any other purpose unless an exception to that overarching principle applies.

The exceptions require an agency to have a justifiable basis for relying on them. They need to have a belief on reasonable grounds that one of a set of conditions exists. For example, a novel use or disclosure of personal information will not be a breach of the principle where the agency concerned “believes on reasonable grounds that the use/disclosure”:

  • Is authorised by the individual concerned

This threshold belief is tested when we investigate complaints, and we examine the grounds on which an agency holds a particular belief. In the case of a “clicked consent” defence, we will enquire as to the basis on which the online agency believes that click actually conveys an authority to undertake the action complained of. What research have they done to establish the number of people who actually read the terms they are purportedly consenting to? How many times do their customers click the link to the terms and conditions or privacy policy before clicking the consent box? Do those who do click spend long enough on the privacy policy page to actually read it?

We’ve already declined to accept an imputed authority for a disclosure, based on the continued use of services on the basis of broad and unexpected terms and conditions.

Purpose

Under New Zealand law, it’s the concept of purpose that plays a central role in authorising the collection, use and disclosure of personal information. The fact that your customer’s “consent” might not pass muster as an authority to use the information you’ve collected doesn’t necessarily mean you’re stuck. You need to look closely at the principles that prohibit novel uses or disclosures:

IPP 10

An agency that holds personal information that was obtained in connection with one purpose shall not use the information for any other purpose …

IPP 11

An agency that holds personal information shall not disclose the information to a person or body or agency unless the agency believes, on reasonable grounds –

that the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained.

Consent or no, if you always meant to do what you are proposing to do with the personal information, and you’re clear about that, then that’s your purpose, so you don’t need any individual authorisation.

So, you can do what you want, right? Not quite.

In order for consumers to make informed decisions about who gets to see and use their personal information, agencies must, under information privacy principle 3, take “such steps (if any) as are, in the circumstances, reasonable to ensure that the individual concerned is aware of” a number of matters, including “the purpose for which the information is being collected, and the intended recipients of the information”.

If you are telling customers in the “click to consent” box that their information will be used to “enhance the services we can provide you”, and page 35 of the legalese-dense privacy policy says that all your transaction information will be available to US data brokers, I may well conclude that you have not discharged your obligation under information privacy principle 3 (and potentially IPP 4 for unfairness, in particular for children and other vulnerable consumers), and that you are therefore in breach of the Privacy Act.

So what, you say?

While it is true that neither the current law nor the Privacy Bill allows the Commissioner to issue the massive fines available to my colleagues under the GDPR or at the US Federal Trade Commission, you will be liable for damages for any harm caused by the deception or obfuscation of your purposes. 

In addition, when the Privacy Bill comes into force next year, I’ll have the ability to issue compliance notices to business to improve the digital environment for consumers, whether you are based here, or just doing business here.

It’s 2019, and time to raise your game.

Image credit: Free image by SugarandSkullDesigns via Pixabay
