Privacy body backs ‘explicit consent’ rules in data protection reforms

The Article 29 Working Party has released an opinion concerning the requirements for consent in the upcoming GDPR.

I’d agree that it’s important that there is no doubt as to the subject’s intent to consent – That is fundamental and arguably a good definition of what we try to encapsulate through the term “meaningful”.  Their use of the word “explicit” seems problematic, to me, though.  For a start it isn’t really clear what that means – to me explicit consent means an act that ONLY creates consent, with not other meaning or effect.  That feels like overkill, and will constrain innovation around genuinely consentful interactions.  My view is that we should be able to measure if an interaction really embodies consent, and it’s clear (to cite the common example of holding our your arm to give blood) that consent CAN be both intended, meaningful and implicit. That is to say, the act of holding out my arm intuitively gives consent to phlebotomy but also makes my arm physically available for the procedure.

Uploading a photograph by clicking “upload”, in the clear presence of an appropriate notice, is not necessarily explicit consent, but it does to me embody a signal of consent that is unambiguous and meaningful. The act of transmitting the photograph may not be an explicit consent signal, but it clearly does embody consent to the same extent that ticking a box would.

My own feeling is that we should really be talking in terms of whether or not consent signals are intended and unambiguous rather than whether they are “opt-in” and “explicit”.  Opt-in and explicitness clearly are ways to reduce ambiguity, but they just become box-ticking requirements for interaction designers that constrain us to a subset of meaningful consent interactions and which rule out some interactions that actually would fulfil our desires and which actually reinforce some of the extant problems with consent, like user-bother and consent fatigue.

Have a read of the Article 29 opinion, and maybe watch my recent WSI talk for more about my thoughts on taking a broader, more innovative approach to consent.

Source: Privacy body backs ‘explicit consent’ rules in data protection reforms