Notice and Consent Framework: A Meaningful Choice?
- Prithvi Raj Chauhan
- Aug 10, 2024
- 12 min read

This part of the article argues that the Notice and Consent Framework within the newly enacted DPDPA, 2023 may not help in alleviating the problem of protecting individual data privacy on the Internet. The article briefly introduces the reader to alternative frameworks that may be better equipped to deal with the limitations of the current framework.
Prithvi Raj Chauhan*
1. INTRODUCTION
How do you feel when you encounter a long and complex privacy notice on a website or an app? Do you read it carefully and understand the implications of your consent? Or do you just click ‘I agree’ without thinking twice? If you are like most people, you probably belong to the latter group. But do you know what you are agreeing to? And what are the consequences of your consent?
Let us show you a few snippets we collected from the privacy policies of Big Tech companies:
Figure 1: Google's Privacy Policy
Figure 2: A pre-ticked identifier setting in your Twitter account that constantly sends information outside your account
These excerpts may look normal, but if you attempt to read them and infer the implications they can have for your personal information, it becomes clear that the Big Technology Companies are tracking as much of your data and online activity as they possibly can, through your consent.
The kind of approach we are talking about above is the Notice and Consent Framework. The notice and consent framework is a widely adopted approach to regulating the collection, use, and disclosure of personal data by data controllers or fiduciaries. The framework is based on the premise that individuals have the right to control their own data and to make informed choices about how it is used. The framework requires data controllers to provide clear and conspicuous notices about their data practices before obtaining consent from data subjects to process their data.
The framework also grants data subjects certain rights, such as the right to access, correct, delete, or port their data, and the right to withdraw consent at any time, such as those seen under the recently enacted Digital Personal Data Protection Act, 2023 (“DPDPA, 2023”) and GDPR. However, the notice and consent framework has been criticized by many privacy scholars and advocates for being ineffective, impractical, and even harmful in today's data-driven environment. In this piece, we will examine some of the main limitations of the framework, and explore some of the possible alternatives to the framework, based on the official data and arguments from privacy scholars.
2. LIMITATIONS OF NOTICE AND CONSENT FRAMEWORK
How much control do you have over how your data is collected, used, and shared by the providers of these services or apps? This is the main question that the notice and consent framework tries to address. This framework is based on the idea that you, as a data subject, should be informed and empowered to make choices about your data. But is this framework really working? Or is it just a facade that hides the many problems and challenges that threaten your privacy and autonomy? In this piece, we will explore some of these problems, such as information asymmetry, consent fatigue, and externalities.
2.1. Information Asymmetry
One of the major challenges of the notice and consent framework is the information asymmetry between data controllers and data subjects. Data controllers have more information and power than data subjects, and can use complex and obscure notices to manipulate or coerce consent. For example, a study by Acquisti et al. (2017)[1] found that data controllers can influence data subjects’ consent decisions by framing the notices in different ways, such as using positive or negative wording, highlighting benefits or risks, or offering rewards or penalties. Moreover, data controllers can also exploit the cognitive biases and heuristics of data subjects, such as anchoring, framing, or default effects, to elicit consent (Sorries, 2023).[2] To explain this, let us look at an example of a typical privacy notice that data subjects encounter online. The following is a screenshot of the privacy reminder of Google, one of the largest and most influential data controllers in the world.
Figure 3: Google Privacy Reminder
As we can see, the notice does not clearly explain the purposes, methods, and consequences of data collection and processing, nor does it provide meaningful choices or control to data subjects; rather, it just vaguely notes “improvement of services” as the ground of processing. The notice presents the consent as a take-it-or-leave-it option, implying that data subjects have to agree to the terms in order to use the service as part of contractual performance. The notice is designed to persuade or pressure data subjects to consent, rather than to inform or empower them.
How do you feel about this notice? Do you think it is fair and transparent? Do you think it respects your privacy and rights? Or do you think it is confusing and deceptive? Do you think it exploits your ignorance and indifference? Do you think you have a real choice and control over your data?
2.2. Cognitive Overload
Another challenge of the notice and consent framework is the cognitive overload that data subjects face. Data subjects are overwhelmed by the amount and frequency of notices and consents they encounter, and often lack the time, attention, and expertise to read and understand them. For instance, a study by McDonald and Cranor (2008)[3] estimated that it would take an average American about 244 hours per year to read the privacy policies of all the websites they visit. Furthermore, the notices and consents are often written in legal or technical jargon, and contain vague or ambiguous terms, making them difficult to comprehend and compare (Obar and Oeldorf-Hirsch, 2018).[4]
How do you cope with this overload? Do you try to read and understand every notice and consent you receive? Or do you ignore or skip them? Do you have enough time and attention to devote to them? Or do you have other priorities and interests? Do you have the necessary skills and knowledge to comprehend and compare them? Or do you feel confused and frustrated by them?
2.3. Consent Fatigue
A third challenge of the notice and consent framework is the consent fatigue that data subjects experience. Data subjects become desensitized and indifferent to the notices and consents they receive and tend to click “I agree” without considering the consequences. For example, a survey by Rainie and Duggan (2016)[5] found that 55% of online Americans have accepted privacy policies without reading them. Additionally, the notices and consents are often presented as take-it-or-leave-it options, giving data subjects little or no choice or control over their data (Nissenbaum, 2011).[6]
2.4. Lock-In Effect
Another challenge of the notice and consent framework is the lock-in effect that data subjects suffer. Data subjects have limited or no alternatives to the data controllers they interact with, and may feel compelled to consent to unfavourable terms in order to access essential services or platforms. For instance, a study by Kariryaa et al. (2021)[7] found that more than 60% of the participants in the survey reported that they did not read the privacy policy or the terms of the installed browser extensions. Moreover, the data controllers or fiduciaries often have market dominance or network effects, making it hard for data principals to switch or opt out of their services, thus resulting in privacy cynicism in relation to online service providers (Lutz, 2020).[8]
How do you deal with this lock-in? Do you have any alternatives to the data controllers you use? Or do you depend on them? Do you consent to their terms willingly or reluctantly? Or do you feel coerced or trapped? Do you enjoy the benefits of their services or platforms? Or do you suffer the costs or risks?
2.5. Data Externalities
A fifth challenge of the notice and consent framework is the externalities that data subjects may not be aware of or account for: the potential harms or benefits that their data sharing may cause to themselves or others, such as discrimination, profiling, or social good. For example, a study by Cate and Mayer-Schönberger (2013)[9] found that data subjects often underestimate the value and sensitivity of their data and overestimate the privacy and security of their data. Furthermore, the data controllers often use the data for secondary or unforeseen purposes, or share the data with third parties, without the knowledge or consent of data subjects (Barocas and Nissenbaum, 2014).[10]
How do you think about these externalities? Do you know the value and sensitivity of your data? Or do you undervalue or oversimplify it? Do you trust the privacy and security of your data? Or do you doubt or question it? Do you know the purposes and consequences of your data sharing? Or do you ignore or overlook them? Do you consider the impacts and risks of your data sharing on yourself or others? Or do you neglect them?
3. ALTERNATIVE TO NOTICE AND CONSENT FRAMEWORK
The notice and consent framework, which relies on the data subject’s informed and voluntary choices, has been criticized for being largely involuntary and burdensome. The framework often fails to account for the externalities of data sharing, such as the harms or benefits to the data subjects or others, or the secondary or unforeseen uses of data by the data controllers or third parties. Therefore, there is a need to adopt alternative frameworks that can better uphold the privacy rights and interests of data subjects or principals and balance them with the legitimate and beneficial purposes of data collection and processing. Some of the possible alternatives to the Notice and Consent Framework are:
3.1. Privacy-By-Design
One of the possible alternatives or improvements to the framework is the privacy by design approach. Privacy by design is a proactive and preventive approach to privacy, which requires data controllers to embed privacy principles and safeguards into the design and operation of their systems and services, and to minimize the collection and processing of personal data. For example, the General Data Protection Regulation (GDPR) in the European Union mandates data controllers to implement privacy by design and by default, by applying the principles of data minimization, purpose limitation, and data protection impact assessment (DPAs, 2010).
What do you think of this approach? Do you think it is more effective and practical than the notice and consent framework? Do you think it respects your privacy and rights more? Or do you think it limits your choices and controls more? Do you think it reduces the risks and harms of data collection and processing? Or do you think it hinders the benefits and opportunities of data collection and processing?
3.2. Privacy By Default
Another possible alternative or improvement to the framework is the privacy by default approach. Privacy by default is an approach that requires data controllers to set the default settings and options to the most privacy-friendly ones, and to allow data subjects to change them if they wish, rather than requiring them to opt out of unwanted data practices. For example, the Federal Trade Commission (FTC) in the United States recommends that data controllers adopt privacy by default, by giving data subjects meaningful choices and control over their data, and by limiting the collection and retention of data (FTC, 2012).[11] As seen in Figure 2 above, Twitter pre-ticks your choices to track your activity across browsers, which would not be considered good practice under a privacy by default framework.
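To make the privacy by default idea concrete, here is an added example (written for this article, not code from the author, Twitter, or any regulator) of how a consent form can be audited and corrected in code. The purpose names, the `essential` flag, and the audit rule "every non-essential purpose starts off" are assumptions for illustration; the constructed form includes a pre-ticked tracking purpose of the kind shown in Figure 2.

```javascript
// Added example (not from the article): a minimal consent model that enforces
// "privacy by default" for non-essential data uses. Purpose names, the
// `essential` flag and the audit rule are assumptions for illustration.

// Constructed sample: a consent form as a site might configure it. The
// pre-ticked `personalisedAds` purpose mirrors the pre-ticked tracking
// setting discussed in the article.
const sampleForm = [
  { id: "sessionCookie", essential: true, defaultOn: true, purpose: "keep you logged in" },
  { id: "personalisedAds", essential: false, defaultOn: true, purpose: "track activity across browsers" },
  { id: "usageAnalytics", essential: false, defaultOn: false, purpose: "measure feature usage" },
];

// Audit: privacy by default means every non-essential purpose starts OFF.
// Returns the ids of purposes that violate this (pre-ticked opt-outs).
function auditDefaults(form) {
  return form.filter((p) => !p.essential && p.defaultOn).map((p) => p.id);
}

// Repair: produce a privacy-by-default copy of the form without mutating the input.
function applyPrivacyByDefault(form) {
  return form.map((p) => ({ ...p, defaultOn: p.essential ? p.defaultOn : false }));
}

// Consent state derived from the defaults: a user who never touches the form
// has consented only to what is on by default (ideally, essential purposes only).
function initialConsent(form) {
  const state = {};
  for (const p of form) state[p.id] = p.essential || p.defaultOn;
  return state;
}

// Explicit opt-in or withdrawal: returns the new state and appends to an
// append-only log so the controller can show when consent was given or withdrawn.
function recordDecision(log, state, purposeId, granted, at) {
  const next = { ...state, [purposeId]: granted };
  log.push({ purposeId, granted, at });
  return next;
}

// Is processing for this purpose permitted under the current consent state?
function mayProcess(state, purposeId) {
  return state[purposeId] === true;
}

// Stand-alone usage: audit the constructed form, fix it, then walk through an
// opt-in followed by a withdrawal.
const violations = auditDefaults(sampleForm);
const fixedForm = applyPrivacyByDefault(sampleForm);
const log = [];
let state = initialConsent(fixedForm);
state = recordDecision(log, state, "personalisedAds", true, "2024-08-10T09:00:00Z");
state = recordDecision(log, state, "personalisedAds", false, "2024-08-11T09:00:00Z");
console.log({ violations, state, log });
```

The audit step is what a privacy by default review actually looks for: any non-essential purpose that is on before the user has acted. The log makes the right to withdraw consent (as under DPDPA, 2023 and GDPR) checkable after the fact, since each change is timestamped rather than silently overwriting the previous state.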
What do you think of this approach? Do you think it is more user-friendly and convenient than the notice and consent framework? Do you think it empowers you more? Or do you think it restricts you more? Do you think it enhances the privacy and security of your data? Or do you think it diminishes the value and utility of your data?
3.3. Privacy Impact Assessment Approach
A third possible alternative or improvement to the framework is the privacy impact assessment approach. Privacy impact assessment is an approach that requires data controllers to conduct regular and systematic assessments of the potential impacts and risks of their data practices on the privacy and rights of data subjects and other stakeholders, and to take measures to mitigate or eliminate them. For example, the Organisation for Economic Co-operation and Development (OECD) advises data controllers to conduct privacy impact assessments, by following the guidelines of transparency, accountability, and proportionality (OECD, 2013) which has now been incorporated into DPDPA, 2023 for Significant Data Fiduciaries.[12]
What do you think of this approach? Do you think it is more comprehensive and rigorous than the notice and consent framework? Do you think it protects your interests and rights more? Or do you think it burdens you more? Do you think it prevents or reduces the negative externalities of data collection and processing? Or do you think it impedes or undermines the positive externalities of data collection and processing?
3.4. Privacy Education and Awareness Approach
A fourth possible alternative or improvement to the framework is the privacy education and awareness approach. Privacy education and awareness is an approach that requires data controllers to provide clear and concise information and guidance to data subjects about their data practices and rights, and to use interactive and engaging methods to communicate and obtain consent, such as icons, videos, or quizzes. For example, the Office of the Privacy Commissioner of Canada (OPC) supports data controllers in providing privacy education and awareness through the Privacy Toolkit, which consists of tools and resources to help data subjects understand and protect their privacy (OPC, 2014).[13]
What do you think of this approach? Do you think it is more informative and helpful than the notice and consent framework? Do you think it educates you more? Or do you think it annoys you more? Do you think it improves your knowledge and skills on privacy? Or do you think it wastes your time and attention on privacy?
3.5. Privacy Accountability and Enforcement Approach
A fifth possible alternative or improvement to the framework is the privacy accountability and enforcement approach. Privacy accountability and enforcement is an approach that requires data controllers to be accountable for their data practices and comply with the applicable laws and regulations, and data subjects to have effective and accessible means to exercise their rights and seek redress for any violations or harms.
For example, the Asia-Pacific Economic Cooperation (APEC) encourages data controllers to adopt the Cross-Border Privacy Rules (CBPR) system, which is a voluntary and enforceable mechanism to ensure the accountability and compliance of data controllers across the region (APEC, 2011).[14]
What do you think of this approach? Do you think it is more reliable and trustworthy than the notice and consent framework? Do you think it enforces your rights more? Or do you think it imposes more obligations on you? Do you think it increases the responsibility and liability of data controllers? Or do you think it creates more loopholes and exceptions for data controllers?
4. CONCLUSION
In this piece, we have discussed the limitations and challenges of the widely adopted notice and consent framework for privacy regulation in the digital age. We have also explored some alternative approaches that aim to shift the focus from individual choice to collective responsibility and empowerment. These approaches include privacy by design, privacy by default, privacy impact assessment, privacy education and awareness, and privacy accountability and enforcement. We will argue in upcoming pieces that these approaches, or a combination of them, can help to create a more human-centric and ethical data culture, where data subjects and data fiduciaries are respected and protected, and data fiduciaries are held accountable and compliant for privacy-diminishing practices.
We hope you have found this article informative and insightful. We would love to hear your views and experiences on this topic.
Do you agree or disagree with our analysis and arguments? Do you have any examples or stories to share with us? Do you have any suggestions or feedback on how to improve the notice and consent framework or the alternative approaches? Or do you have any questions or queries about the privacy issues we have raised? Please share your thoughts and opinions with us on our social handles or by mail at team@legalverse.in. Your input and insight are valuable to us and the community. Thank you for reading!
*Prithvi Raj Chauhan is a 5th-year Constitutional Law (Hons.) student at National Law University, Jodhpur. He serves as the Senior Advisor at Centre for Research in Governance, Institutions, and Public Policy at the same university.
(The next article in the series will explain how the Notice and Consent Framework operates within the recently enacted DPDPA, 2023 and how alternative privacy frameworks may be better equipped to deal with issues that may arise within the DPDPA, 2023 framework.)
References:
[1] Acquisti, Alessandro & Grossklags, Jens (2007). What Can Behavioral Economics Teach Us about Privacy? Available at: https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=a25970a6f0e1539bdad01286b6850c5eb6c499c7
[2] Leimstädtner, David, Sörries, Peter & Müller-Birn, Claudia (2023). Investigating Responsible Nudge Design for Informed Decision-Making Enabling Transparent and Reflective Decision-Making. Available at: https://dl.acm.org/doi/pdf/10.1145/3603555.3603567
[3] McDonald, Aleecia M. & Cranor, Lorrie F. (2008). The Cost of Reading Privacy Policies. Available at: https://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf
[4] Obar, J. A., & Oeldorf-Hirsch, A. (2018). The biggest lie on the Internet: ignoring the privacy policies and terms of service policies of social networking services. Information, Communication & Society, 23(1), 128–147. Available at: https://www.tandfonline.com/doi/full/10.1080/1369118X.2018.1486870
[5] Rainie, Lee & Duggan, M. (2015). “Privacy and Information Sharing”, Pew Research Center. Available at: http://www.pewinternet.org/2016/01/14/2016/Privacy-and-Information-Sharing
[6] Barocas, Solon & Nissenbaum, Helen (2009). “On Notice: The Trouble with Notice and Consent.” Available at: https://www.semanticscholar.org/paper/On-Notice%3A-The-Trouble-with-Notice-and-Consent-Barocas-Nissenbaum/9ccb6630d3ee7dceafbbf5c54cb88ff885362248
[7] Kariryaa, Ankit, Savino, Gian-Luca & Stellmacher, Carolin (2021). Understanding Users’ Knowledge about the Privacy and Security of Browser Extensions. Available at: https://www.usenix.org/system/files/soups2021-kariryaa.pdf
[8] Lutz, C., Hoffmann, C. P., & Ranzini, G. (2020). Data capitalism and the user: An exploration of privacy cynicism in Germany. New Media & Society, 22(7), 1168–1187. Available at: https://doi.org/10.1177/1461444820912544
[9] Cate, Fred H. & Mayer-Schönberger, Viktor (2013). Notice and Consent in a World of Big Data. 3 International Data Privacy Law. Available at: https://www.repository.law.indiana.edu/facpub/26622
[10] Barocas, S. & Nissenbaum, H. (2014). ‘Big Data’s End Run around Anonymity and Consent’, in J. Lane et al. (eds.) Privacy, Big Data, and the Public Good: Frameworks for Engagement. Cambridge: Cambridge University Press, pp. 44–75. Available at: https://www.cambridge.org/core/books/abs/privacy-big-data-and-the-public-good/big-datas-end-run-around-anonymity-and-consent/0BAA038A4550C729DAA24DFC7D69946C
[11] Federal Trade Commission (2012). Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, FTC Report. Available at: https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf
[12] OECD (2013). OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. Available at: https://www.oas.org/es/sla/ddi/docs/OECD%20Guidelines%20Governing%20the%20Protection%20on%20Privacy%20and%20Transborder%20Flows%20of%20Personal%20Data.pdf
[13] Privacy Toolkit (2014). Available at: https://techsafety.ca/resources/toolkits/the-technology-safety-and-privacy-toolkit
[14] APEC (2011). Data Protection in Asia-Pacific Region and Cross-Border Privacy Rules. Available at: https://mddb.apec.org/Documents/2021/CTI/WKSP9/21_cti_wksp9_010.pdf