Man check mark on document showing privacy notices and consent forms

Privacy Notices and Consent Forms: Why, Even Though They Are Unwieldy, They Will Most Likely Stay With Us in the Years To Come

For a very long time, if not from the very beginning, privacy notices and transparency, as well as consents and individual choice, were cornerstones and main tenets of data privacy.

They seem to be omnipresent, no matter what type of services or activities are at play and, obviously, this is especially the case for anything online or connected to technology.

Some say, though, that this is not necessarily in the best interest of individuals concerned.

When it takes, for example, more time to actually scroll-down, not to say read, privacy related communication, which is almost identical for each and every company and full of legal terms, and to set your choices, than it is to actually choose and download the app, then clearly user-friendliness falls behind.

The original idea, simple yet powerful, was of course that individuals being duly and sufficiently informed can make free and conscious choices about how their personal data is to be used. This notion was obviously based on some assumptions which are not always fulfilled.

First of all, it is not always possible to provide a truly meaningful transparency into how data is used and not, as some might think, only because of the complicated legal terms, but because of the context and surrounding facts. In order to understand how the data is used, you have to understand how to company operates and interacts with other members of the data-drive ecosystem and not just in general terms but with regard to very specific operations. This is, in real life, very difficult to find out even for the people working in such organizations themselves, and, practically, only achieved on a collective level, where different people know different chunks of information and together are able to take business decisions. The legal aspects are still valid, as processing of personal data is massively intertwined in plethora of local and extraterritorial laws, likes taxes, customs, labour, ant-bribery etc. just to name a few. There is an inherent difficulty for such a complex information to be summarized into short and simple words and still be informative. This results in privacy notices being long, complicated, conditional, relative and very general at the same time, which is kind of against the original idea that they are to be short and provide a meaningful information. Secondly, the notion of consumers and individuals being able to decide about how their personal data is used is also problematic. Almost everyone wants to be able to have access to services, use technology and at the same time know that her privacy is duly protected and data is not misused or kept without an end and without a good reason. Scrolling through privacy documents and deciding about e.g. apps permissions is taking sometimes much longer than to actually find and download an app or access the service you want to use.

In conclusion, it is obvious, that often times productivity and user experience are hampered by requesting users to read privacy notices and accept consent forms. This is also caused by the fact that many companies feel more comfortable when they can rely on users actively giving their acceptance to their terms, including the privacy notice. At the same time, this is not always required, on the contrary, reading a privacy notice should be made easy for the users, but this is their right and not an obligation. In contrast to that whenever consents are needed, they should be primarily, based on an active consent. Still, consent should be generally used for purely optional things, and not the core services based on terms and/or contracts. This, however, may differ for certain jurisdictions. With all this in mind it is important to remember that privacy related documents do not exist in isolation. Our entire system, and this is true for probably almost all legal frameworks in the world, is based on written documents, freedom to sell and to purchase services, as well as parties being responsible for understanding and consciously deciding about contractual terms. Simultaneously, rising protections for consumers are to prevent some of the most unjust and fraudulent practices making use of inherent imbalance of power between companies and individuals. In this regard, data protection law is obviously not a contract or civil law as such, more a public law providing protections for consumers and individuals in general, as well as corresponding obligations to companies, governments and persons processing personal data. On the flip side, we have not yet reached a stage where all consumer protections can be based on common standards and the consumers would benefit from more or less the same and stable situation with regard how their data is being used and thus there would be no requirement for their active participation and decision-making, for example by being aware about what happens with the data and making specific choices. Probably we will never reach this point, but this is, nevertheless possible to imagine.

First of all, however, it should be acknowledged that it is not appropriate to require individuals to read privacy notices, and/or accept consent forms, for standardized services, consumed on a mass scale and actually something of a primary need and human expectation at the same time: like access to the internet and browsing, media and news, medical services, education etc. For such services, apps and tools, we should strive for a human-centric, value-driven, yet flexible and business friendly standards. Such standards should be backed by the laws and regulatory enforcement. Whereas privacy notices and consents are primarily based on trust you place in the company providing the document itself, standard is something which can be much easier audited and certified.

We are seeing the same trends with AI frameworks and laws under development, where it is clearly taken into consideration that there are important limits to what can be communicated and understood by the individuals themselves and what are the practical restrictions regarding their right of choice and how they interact with the technology.

We should not be asked to read #privacy notices and/or accept consent forms for standardized services. We need a human-centric, value-driven, yet flexible and business friendly standards backed by the laws and regulatory enforcement. #respectdataClick to Tweet

With all this, most probably abandoning the old ways of relying on notices and consent forms will remain contentious, controversial and, if it happens, probably it will take still a lot of time. Thus, it is unlikely it will happen any time soon.