The new EU General Data Protection Regulations, which go into effect on May 25, will make things even more complicated.
If you have any customers who are EU residents, the new GDPR will impact you.
What Happened to Facebook?
The GDPR, an overhaul of the 1995 European Data Protection Directive (Directive 95/46/EC), extends extraterritorial jurisdictions and unambiguously affirms certain decisions asserted by European case law.
Informed consent is specific under EU rules. Article 4(11) of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Five criteria must be met to constitute consent:
- freely given
Unambiguous consent must include a statement or a clear affirmative action indicating agreement, which is primarily where Facebook ran afoul.
Facebook and many U.S. websites use default privacy settings. The German court found several of those settings were difficult for the user to find and change. By implementing default settings, Facebook had failed to get informed consent.
What Did Facebook Do?
The intent of this article is not to attack Facebook. In fact, Facebook has made several changes to the way it handles privacy protections since the German case was filed. It is meant to be a wake-up call to other companies that may have a similar approach to pushing privacy settings by default and assuming that privacy declarations buried in their terms-of-service will suffice.
“If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given,” state the Article 29 Data Protection Working Party’s Guidelines on Consent under Regulation 2016/679.
Said another way, if a party cannot make use of a good or service without accepting terms of service that contain privacy declarations, the consent is not freely given and violates the elements of informed consent. This approach to security is contrary to the way many U.S. companies operate.
U.S. companies commonly include their data handling and protection terms within a long, legalese-heavy terms of service policy. These “click-through” terms, while commonly upheld in U.S. courts, likely would not pass muster in the EU.
“Blanket acceptance of general terms and conditions cannot be seen as a clear affirmative action to consent to the use of personal data,” state the Article 29 Data Protection Working Party’s Guidelines on Consent. “The GDPR does not allow controllers to offer pre-ticked boxes or opt-out constructions that require an intervention from the data subject to prevent agreement (for example ‘opt-out boxes’).”
A U.S.-based company may use an alert box full of legalese and an “OK” box, but this is not considered an affirmative action under the EU rules.
So, what must an entity do to comply with the EU rules? This may be the most difficult part of compliance. The Article 29 guidelines propose a methodology that would impact most U.S. businesses: “The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.” Clearly, requesting a written statement from the data subject is well outside the normal business practices of U.S. companies and likely would be impractical for many online activities.
Online businesses, instead, likely would need to implement a multi-step approach to gaining consent. As an example, a data subject could be asked to fill out a form online, which would generate an email, which in turn would require the data subject to reply with specific text. That would allow the business to show — and maintain a record of — explicit consent.
Of course there would be shortcomings with this approach as well. How long would the consent be valid? How would a company update privacy terms? What if there were multiple components of personal information involved? Would a business need to develop multiple steps for each data value?
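The two-step form-then-e-mail flow sketched above, and the record-keeping questions that follow it, can be made concrete in code. The following is an added example written for this page, not code from the article or from Facebook; the purpose names, the policy-version string and the confirmation phrase are constructed placeholders. It keeps each processing purpose as a separate, unchecked-by-default choice that accepting the terms of service never grants, ties the e-mail reply to a one-time token, ignores quoted copies of the company's own message, and treats consent as stale once the policy version changes, so a new consent round is needed after terms are updated.

```python
"""Minimal consent ledger for a two-step (web form, then e-mail reply) flow.

Added example, not from the article; purpose names, the policy-version
scheme and the confirmation phrase are assumptions made for illustration.
"""
import datetime as dt
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

# Identifier of the currently published privacy terms (constructed placeholder).
CURRENT_POLICY_VERSION = "privacy-terms-v1"

# Each purpose is a separate, unchecked-by-default choice on the form; none is
# bundled into the terms of service.
PURPOSES = ("newsletter", "analytics", "profiling")


@dataclass
class ConsentRecord:
    subject_id: str
    policy_version: str           # terms the subject actually saw
    purposes: frozenset           # only purposes the subject affirmatively ticked
    token: str                    # secret the subject must echo back by e-mail
    requested_at: str
    confirmed_at: Optional[str] = None
    evidence: List[str] = field(default_factory=list)   # audit trail


class ConsentLedger:
    def __init__(self, now: Optional[Callable[[], str]] = None):
        self._now = now or (lambda: dt.datetime.now(dt.timezone.utc).isoformat())
        self._records: Dict[str, ConsentRecord] = {}

    def submit_form(self, subject_id: str, ticked: Iterable[str], terms_accepted: bool,
                    policy_version: str = CURRENT_POLICY_VERSION) -> str:
        """Step 1: the online form. Returns the one-time token to place in the e-mail.

        Accepting the terms is recorded as evidence only; it grants no purpose.
        """
        ticked = frozenset(ticked)
        unknown = ticked - set(PURPOSES)
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        token = secrets.token_urlsafe(16)
        rec = ConsentRecord(subject_id, policy_version, ticked, token, self._now())
        rec.evidence.append(
            f"form submitted; terms_accepted={terms_accepted}; ticked={sorted(ticked)}")
        self._records[subject_id] = rec
        return token

    def confirm_reply(self, subject_id: str, reply_body: str) -> bool:
        """Step 2: the subject replies to the e-mail with the exact confirmation line."""
        rec = self._records.get(subject_id)
        if rec is None or rec.confirmed_at is not None:
            return False
        expected = f"I CONSENT {rec.token}".encode()
        for line in reply_body.splitlines():
            line = line.strip()
            if line.startswith(">"):      # quoted copy of our own message does not count
                continue
            if hmac.compare_digest(line.encode(), expected):   # constant-time compare
                rec.confirmed_at = self._now()
                rec.evidence.append("e-mail reply matched confirmation phrase")
                return True
        rec.evidence.append("e-mail reply did not match confirmation phrase")
        return False

    def has_consent(self, subject_id: str, purpose: str,
                    policy_version: str = CURRENT_POLICY_VERSION) -> bool:
        """Consent counts only if confirmed, for that purpose, under the current terms."""
        rec = self._records.get(subject_id)
        return (rec is not None and rec.confirmed_at is not None
                and purpose in rec.purposes and rec.policy_version == policy_version)

    def withdraw(self, subject_id: str) -> bool:
        """Withdrawal keeps the record (as evidence) but removes every purpose."""
        rec = self._records.get(subject_id)
        if rec is None:
            return False
        rec.purposes = frozenset()
        rec.evidence.append("consent withdrawn by subject")
        return True


if __name__ == "__main__":
    ledger = ConsentLedger()
    tok = ledger.submit_form("user-1", {"newsletter"}, terms_accepted=True)
    print("confirmed:", ledger.confirm_reply("user-1", f"Yes please.\n\nI CONSENT {tok}\n"))
    print("newsletter:", ledger.has_consent("user-1", "newsletter"))
    print("analytics:", ledger.has_consent("user-1", "analytics"))
    print("after terms change:", ledger.has_consent("user-1", "newsletter", "privacy-terms-v2"))
```

The `evidence` list is what answers "show and maintain a record of explicit consent": every record carries which terms version was shown, what was ticked, when the reply arrived and whether consent was later withdrawn, so a later dispute can be reconstructed from the ledger rather than from the current state of a settings page.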
As court cases like the Facebook decision evolve and interpret the GDPR, businesses will have to stay nimble and responsive in their data gathering processes and procedures.