Last updated on 25 May 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
Consumers are finding that a host of new realities are inundating their lives. Big tech, online commerce sites, mobile devices, apps, and social media have all had a hand in flooding consumers with literally billions of images and messages while at the same time urging them to give up private information.
Since the internet took off in 1991, it's been something of a quid pro quo. Businesses granted consumers the use of their websites and the information they provided in exchange for sensitive data.
Sometimes that included login information, having the user fill out a questionnaire that asked for private demographic data, and more. Sometimes it was a simple trade of one piece of data for another.
For instance, the consumer gives an email address, and the business provides them with a .pdf document they can download.
Fast forward to today.
Intelligent personal assistants, smart home speakers, connected devices all collect and share data in a way that wasn't even dreamed of back in 1991.
With hackers launching cyberattacks that resulted in horrific data breaches, alongside irresponsible and unethical business owners and corporate executives who didn't care what happened to a user's data as long as they were making a profit, the need for privacy regulation rapidly became apparent.
It all comes down to an individual's right to decide what businesses can do with their data and whether companies violate that right. This is where the subject of consent comes in and the need for businesses to obtain it. Not all laws require firms to acquire specific consent from consumers, but some do.
Europe put the issue of consent squarely in the public's eye when it fined Google €50 million after the tech giant failed to obtain legitimate consent for its ad personalization. The fine, delivered by the French regulator, the Commission nationale de l'informatique et des libertés (CNIL), became the first in a long line of actions against bad corporate actors.
British Airways was hit with an even larger penalty than Google, and the U.K. said it intended to fine the company £183 million, but ultimately only fined the company £20 million. That's obviously a significant drop, but officials suggested the fine was smaller due to the "economic impact of Covid-19."
Since CNIL penalized Google in 2019, some U.S. states began working on passing privacy legislation that includes the need for businesses to gain consumer consent in one way or another before collecting, using, sharing, selling, and storing sensitive data.
The most comprehensive of these in the USA is California's CCPA, which still doesn't go to the lengths of the GDPR. For example, the CCPA doesn't require companies to obtain a specific "opt-in" from consumers, but the GDPR does.
In fact, consent in the CCPA arises as a concept only if the sale of consumer information is part of a company's business practices. Moreover, the definition of "sale of information" under the CCPA is vague at best.
The bottom line is that consent isn't demanded by the CCPA except under three very specific circumstances.
A business cannot knowingly sell the private information of anyone under the age of 16. The only exception to this rule is if the minor (between the ages of 13 and 16) or the minor's parent (if the minor is below the age of 13) has "affirmatively authorized the sale" of personal information.
From the CCPA itself:
(c) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer's personal information. A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age. This right may be referred to as the "right to opt-in."
Suppose someone decides they don't want to allow a business to sell their private data, and they expressly "opt-out" (as opposed to "opting-in") through a button or link that gives them the option to do so. In that case, a company is prohibited from soliciting that individual's consent (through an opt-in, etc.) for "at least 12 months."
This might sound weird to some, but if a consumer opts in, or gives their consent, then information transfers aren't considered "sales" under the CCPA. Simply put, while the CCPA doesn't demand consent or an opt-in in most situations, it does give businesses an incentive to obtain it from consumers.
That's because when a consumer opts in, that individual has directed the business to "disclose personal information" to a third party:
(2) For purposes of this title, a business does not sell personal information when:
(A) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
While there isn't any specific demand under the CCPA for a business to gain a specific opt-in before collecting or sharing data, it does require that companies provide consumers with the ability to opt-out.
To ensure compliance with the CCPA, you'll need to "provide two or more methods for submitting requests to opt-out, including, an interactive form accessible via a clear and conspicuous link titled 'Do Not Sell My Personal Information,' or 'Do Not Sell My Info,' on the business' website or mobile application."
Opt-out forms should:
In contrast to the CCPA, the GDPR dictates a broad range of circumstances under which a business must gain a consumer's consent, which is defined as:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
The first thing that must be stated clearly is that consent is only one of the six legal bases in the GDPR.
In other words, a company doesn't have to acquire consent from individuals before it can use their personal data for business purposes, as many believe. What businesses actually have to do if they're processing information, according to the GDPR, is identify their legal basis for doing so.
With that said, if a business gains consent, then it can do pretty much as it pleases with that information. As long as the business in question explains what it's going to do with the consumer's private information and gains explicit permission, then that business is in compliance with the GDPR's consent requirements.
However, you can't cut corners. Google learned that the hard way. In its decision, CNIL wrote that Google's methods for gaining consumer consent were neither "specific" nor "unambiguous" nor "informed."
In order not to cut corners, if you plan to gain consent instead of basing the legality of your data processing on one of the other means outlined in the GDPR, then your efforts must be explicit.
You can't leave room for misinterpretation, and that means you need to provide an explicit consent statement, whether spoken or written. That statement will need to be very specific about the element of data processing that demands explicit consent.
For instance, the ICO's guidance says that "the statement should specify the nature of data that's being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer."
Some of the specific requirements for explicit consent requests according to the ICO are the following:
A great example of a company providing consumers with an explicit consent request as required by the GDPR is this cookie popup notice from the European Central Bank:
The CCPA doesn't specifically require businesses to obtain consent for data processing, although there are a few exceptions. The GDPR requires consent in just about all circumstances if one isn't relying on one of the five other legal bases for legitimately processing data.
At the end of the day, business owners may want to opt for obtaining consent whether they do business in Europe or not. Even though the CCPA doesn't demand that business owners obtain explicit consent right now, American laws are evolving and could rapidly change to follow Europe's lead.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.