Consent is not the way to handle data protection issues
GDPR, and the e-privacy directive before that, rely on consent (among other things) to allow data controllers to process data. There are somewhat strict requirements for a valid consent — that it should be freely given, users should not be tricked into it (e.g. by pre-ticked boxes, bigger and shinier buttons, etc.), and it should be possible to withdraw it at any moment, and then data processing stops.
This sounds great in theory — personal data is in the hands of the citizens, and companies only process it if allowed to.
The reality couldn’t be further from that. Facebook, for example, still collects your online behaviour even if you do not consent. They do it “for security reasons”. Cookie warnings are useless, as in many cases the data is already collected before you get to click “Accept”. Some companies (including Facebook and my mobile carrier) relied on big, colored “Accept all” buttons and a much less attractive “Review settings” button (which isn’t a “no”). They may be fined for that, but that would be a slow process.
Many, many companies didn’t understand the concept of consent at all. They thought they should ask consent for anything, even though it’s just one of the options under GDPR, and maybe one of those expected to be less frequently used.
A year ago I went through the consent forms, curious about how GDPR compliance is implemented in practice, and I used my GDPR rights. A year on, I don’t bother to even look, I just click “Accept”.
I’m not sure there’s a term for that, but let’s call it “consent fatigue”. People are tired of all the consent dialogs and just click “Accept”, “yes”, “whatever, just let me read the article”. And one may argue that the news sites don’t even have to ask for consent in the first place (for what — storing data on behalf of Facebook; data that the sites themselves can’t link to your profile and so it’s not personal data from their point of view; and you’ve already consented or not to Facebook’s request, and they are collecting it anyway).
So now, when faced with a legit consent request from a fitness or geolocation app that has carefully worked with a regulator to phrase the most clear and compliant consent message, we just accept. Whatever. They’d do whatever they want with the data anyway, just get that stupid button off my screen.
The consent fatigue leads to the devaluation of consent. It doesn’t mean anything now. It’s by no means “informed”. And I’d argue that it’s not freely given anymore. It’s coerced by the sheer lack of point of it existing, for most people at least.
And you can’t control your consents — I have no idea which websites I’ve given my consent to. I don’t keep track, and there is no (popular) tool to do that. So my option to revoke the consent can’t be practically invoked, even in the rare cases where it’s actually implemented on the website/app.
So even though it sounded like a good idea, it ended up as pointless lines of code producing pointless, experience-breaking popups.
The upcoming new e-privacy directive aims to put cookie consent as a standard browser feature. And that’s a step forward, at least you’d have the control in one place, in your browser.
But consent has already become pointless. And few people care. The “users will eventually get educated and conscious about data” hope isn’t coming true, at least not in the sense that people actually manage their consents (unfortunately I don’t have any statistics to back that claim).
So consent is not the way to handle data protection issues. Consent fatigue is here to stay.
But how do we handle the problem? The data breaches, the misuse of personal data? Surely companies should not be allowed to do whatever they want with our data, right?
The issue is rarely that they process data without our consent. It’s an ethical issue, yes, but not a practical one. And their legal teams would make it so that they process it anyway (as in the case of Facebook, for example).
The issue is partly the poor overall information security. Data leaks in all sorts of ways, usually because most infosec best practices were skipped.
The main issue is, and will be in the foreseeable future, the lack of incentive to control our data. A few privacy activists (myself included) aside, people don’t see the value in investing effort into managing their data. Forcing them to consent with arbitrary stuff they don’t understand doesn’t solve that, it actually makes it worse.
We have an incentive to use a certain service. And we have an incentive not to have our data leaked. So whoever markets themselves as more privacy-preserving and more end-to-end encrypted, might score a few points.
So what are my public policy suggestions? Four things:
- Get rid of consent, except for really sensitive data like medical data (GDPR, Article 9)
- Require a higher level of information security through soft measures (start with public procurement requirements).
- Penalize offenders. Not every breach is because of negligence, but most are.
- Incentivize data awareness. How — I don’t know yet.
I admit, I don’t have a solution. But we have to get to the drawing board and free the internet from pointless clicks.