Problems with consent

Age verification, Consent, Internet governance, Regulation, Self-regulation 6 Minutes

Elizabeth Barrett Browning wrote a wonderful sonnet which opens with this famous line

“How do I love thee? Let me count the ways”

She then lists eight or nine.

Here is the Oxford English Dictionary definition of “consent”

Permission for something to happen or agreement to do something.

I tried to concoct a Browningesque rhapsody to consent but my muse deserted me. Instead, as I often do at such moments, I turned to the GDPR. When describing the lawfulness of data processing, in Article 6 there appears to be three different sets of words  in play, all of which describe what is essentially the same thing, namely

Permission for something to happen or agreement to do something.

Common or garden consent

Article 6(1)(a) refers to situations where the data subject consents to their data being processed. No issues there. A widely and well understood idea. Elsewhere there are references to informed consent but that is really only a way of emphasising what is anyway implied. However, Article 6(1)(a) also has an important tie in with Article 8.

Under the GDPR a child is anyone below the age of 18 but Article 8 lays down conditions which apply to children aged 15 or less.  Here, in a given country, if 6(1)(a) is relied upon the only consent actually required is that of the child’s parent or carer. Such consent must be verified. Expensive? Messy. Troublesome, although some would say not a bad thing because it seeks to engage a parent or carer in their children’s online life.

Only in those countries that have adopted 13 as the minimum age is there no prima facie  reason to obtain the consent of a parent or carer. The UK is one of those, along with nine others e.g. Denmark,  Sweden, Estonia and Poland.

Contracts

Article 6(1)(b) refers to contracts or steps taken preparatory to entering into a contract. As far as I know in every jurisdiction consent is an essential component of a contract.  In fact in some contexts the word “consent” and “contract” can be interchangeable.

The striking thing about using 6(1)(b), however,  is it allows the company to sidestep the necessity to obtain parental consent, verifiable or otherwise.

It also opens up the intriguing possibility that if the service on offer does not specify a minimum age or, even in a “13 country” like the UK, if the minimum age  stated by the service is below 13, which it could be for any service that is not US-based, any child with a way of paying could properly engage with the service without even a theoretical GDPR legal requirement for there to be any form of involvement by the parent or carer.

There are other aspects of using 6(1)(b) which raise interesting questions. These are discussed below as a footnote.

Legitimate interest

Article 6(1)(f) refers to situations where the company judges it has a legitimate interest in  processing your data and it simply asks you to agree to their stated terms as the basis on which the service is offered. Note that word. “Agree” is  a synonym for “consent” according to the English language’s most authoritative source.

Again the notable consequence of using 6(1)(f) is it, too, allows the company to avoid having to seek the consent of a parent or carer. Facebook have used legitimate interest to create what is, in effect, a whole new class of membership – one that does not require a parent or carer to agree to anything.

US companies appear always  to be governed by COPPA, with its floor of 13, but non US companies have no such constraint.

Narrowing the scope for parental engagement

On one reading of children’s rights it is possible to see how, where legitimate interest or contract are the basis for data processing, children are being given greater agency but I have yet to hear a company argue that as a reason for going down either of those paths. That is probably wise because most people will see it as an undesirable, even surprising, route by which businesses are allowed to reduce the scope for parental involvement in the online lives of their children.

To put that slightly differently, I doubt many people will readily believe that online businesses were intentionally striking a blow for children’s rights when opting for legitimate interest or a contract as the basis of processing children’s data.

Ambiguity as irony

The simple truth is Article 6 delineates three different types of consent and anyone who wishes to argue otherwise has to embrace a series of linguistic contortions. Am I alone in thinking there is something mildly ironic about this in an instrument that enjoins the rest of us to use clear and accessible language?

Do we have a hierarchy of consent from a child protection perspective?

Is it the case that under 61(a), (b) and (f) the child should receive an identical and high level of protection? I raise this point in part because in (f), uniquely,  the data controller needs to consider whether anything they are doing could

(override)…. the interests or fundamental rights and freedoms of the data subject…. in particular where the data subject is a child.

Every data controller is required to carry out a risk assessment for every part of their data processing activities but as far as I can see where legitimate interest is used as the basis of processing data the burden placed on the data controller to “get it right” is higher.

If that is a correct reading of the regulation could someone explain what is the justification for having lower child protection standards which apply to the other two categories?  And why is it that the GDPR only requires parental consent in one out of the three methods by which a child can engage with an online service? What was the thinking behind that?

And is it allowed for a company just to say they are using all three bases allowed in Article 6, without being more specific than that? Don’t they have to explain what the legal basis is for them processing your data? Can they just say “here is a list of laws which allow us to process your data but we are not sure, or we are not going to tell you which one we are using to process this particular piece of data?”

Is consent all it is cracked up to be anyway?

Lots of people in the privacy community argue that consent has been hugely abused by commercial entities. It sounds great – who could be against asking for someone’s consent in respect of anything which affects them? However, the argument goes that “consent complexity” and “consent fatigue” have  actually made “consent” a refuge for scoundrels. Look at  the number of fifty thousand word Ts&Cs in dense legalese that no one does, and very few can, read or understand. The GDPR is an attempt to smoke out the scoundrels. We will see in the coming years how well it succeeds.

Thus, while of course always preserving a person’s right to object to or withdraw from all or part of a service,  or to withdraw their consent from anything they previously agreed, perhaps what we should be looking towards is a law, for both free and paid for services, which says companies are allowed to collect defined categories of data and are allowed to process the data in defined ways. That sets the default. Any deviation from the default would only be lawful if the company can show it has engaged directly with the individual concerned. Tick boxes not allowed. Special attention would need to be given to the ways in which trackers and third party apps operate.

Some companies have always been transparent, some achieve transparency, the rest, the majority, have transparency thrust upon them.

Footnote

Contracts present a particular source of  potential confusion

Very large numbers of children now have their own means of paying for things, online and off, so it is wholly illusory to believe that parents are involved in making a great many purchasing decisions with or for their children.  Whether or not we wish it were otherwise is another matter. It is nonetheless the reality.

Yet if you were to ask someone  if they knew the age at which a young person can enter into a contract,  in three out of the four countries that make up the UK most would say 18 straight away. As far as I can tell the same is pretty much true in most EU Member States.

But in England, for example, while there are some  legally binding contracts  (for “necessities”) which persons below the age of 18 can enter into, most of the contracts a minor is likely to enter into online will be what lawyers call“voidable”. That means the child can enforce them if it is to their benefit but they cannot be enforced against the child. Again most EU jurisdictions have similar provisions.

Anyway my point is that the common understanding is that 18 is the age for  “proper”contracts so I think many parents will be astonished to discover that the “voidable route” is being used by companies under Article 6(1)(b) of the GDPR. They will think it is a sneaky lawyer’s trick which they will resent, particularly when they learn that, in practice, it also cuts them out of a particular aspect of their children’s online lives.

We would all benefit from greater clarity and certainty about the scope companies have to enter into  commercial relationships with minors in the online world. When we have got that perhaps we will want to amend Article 6(1)(b).

Published by John Carr

John Carr is one of the world's leading authorities on children's and young people's use of digital technologies. He is Senior Technical Adviser to Bangkok-based global NGO ECPAT International and is Secretary of the UK's Children's Charities' Coalition on Internet Safety. John is now or has formerly been an Adviser to the Council of Europe, the UN (ITU), UNODC, the EU and UNICEF. John has advised many of the world's largest technology companies on online child safety. John's skill as a writer has also been widely recognised. http://johncarrcv.blogspot.com

Published