Reasonable Consent?


“Finally, the Times says it is not a job that anyone is likely to want, but reading the terms and conditions of Britain’s most popular websites would be almost a full-time occupation.

“The paper has been doing a bit of research and discovered that if the average Briton wanted to read the small print of every website they visit in a typical year, it would take 124 working days. This is equivalent to about six months of full-time employment.

“The Times says the T&Cs of the country’s 10 most-visited websites amount to more words than Romeo and Juliet, Macbeth, Hamlet and The Tempest put together.”

“Anonymous” app funded by DfE stores IP address for 5 years

(via @digitalmaverick)


This story raised a few issues for me…

Firstly, the appeal to the status-quo, “standard for any business” to justify a practice. This sort of unthinking doing-what-everyone-else-does would maybe be OK if the status quo weren’t so awful, but in this case an anonymous app in a world of over-tracked technology should probably be using the status quo as an example of what NOT to do.

Second, the idea that if something is “clearly stated” (in a privacy policy) then it must be fine. That’s obviously not true. It reminds me of an episode of Panorama in which they created a product called “Fit and Fruity” then crammed as much sugar into it as possible, to demonstrate how misleading food labelling is allowed to be. An “anonymous” app that stores a poster’s IP address is not anonymous, and hiding the truth in a privacy policy is not disclosing information it’s burying it.

The issue of mergers and bankruptcy. I’ve suggested, in conversations over the last few years, that personal data should probably be considered by competition regulators when deciding whether mergers and acquisitions should be allowed. More broadly, I think we need better guidelines around personal data when the controller is liquidated. We’re (slowly) recognising that personal data isn’t like other assets. Data subjects have a stake in personal data that simply doesn’t exist in fungible assets like gold, or furniture or even some non-fungible ones like intellectual property. There shouldn’t be market in trading consent – It should be like a parking ticket, non-transferable, whether through acquisition or liquidation. Who is processing data is a fundamental part of a decision whether or not to allow that processing and if the who changes, then the consent is no longer meaningful.

A rare example of a scenario where someone might actually need to think of the children!