
Hear me out; you almost never need to ask for consent.
Now that I’ve got that off my chest, here are the times when asking for consent is a bad idea.

GENERAL CONSENT FOR PROCESSING PERSONAL INFORMATION

I can’t tell you how often I see a random ‘by using our services, you consent to our use of your personal information’. People, there isn’t a country in the world where this qualifies as valid consent.
Consent, as required by data protection laws like POPIA, must be a

  • voluntary
  • specific
  • informed
  • expression of will

General consent for processing personal information is neither specific nor informed. One can even say it is not voluntary because services that require this kind of consent won’t give you access without your agreement to this wording. I often wonder what would happen if I sign up for this service and two days later withdraw my consent. But who has the time, right? But I digress. For consent to be valid, you need to describe what you plan to do with the personal information in enough detail that the reader can make an informed choice.

An example of where consent wording was not sufficiently specific

In Re Spring College International Pte Ltd, Singapore’s Personal Data Protection Commission (“PDPC”) found that Spring College had failed to notify and obtain consent from students’ parents before disclosing the students’ personal data online for marketing purposes. In making its decision, the PDPC rejected Spring College’s argument that it could rely on a data protection clause which notified customers that one of the allowed uses for personal data collected was the “compilation and analysis of statistics for marketing purposes”. The PDPC found that the clause was not fit-for-purpose, because it was used for both statistical analysis to fine-tune marketing strategy (which was covered) and for marketing purposes (which was not covered).

ANY CONSENT IN YOUR PRIVACY NOTICE

First things first. The purpose of a privacy notice is to give readers the information they need to decide whether to give you their personal information. They can read it or not; it won’t affect any transaction. A notice is neither a contract nor something that requires a response or binds someone to something. It’s information. That’s it.

For consent to be valid, it must be an expression of will. That is, the person must indicate that they give their permission by taking a positive step like ticking a box or answering yes. No one has ever responded to a privacy notice to say, ‘Yes, I give my consent.’

What the Information Regulator said in the WhatsApp enforcement notice

“It is important to note that where consent is given, it should be an informed, specific, and voluntary expression of a data subject’s free will in terms of which they give permission to WhatsApp. As such, where WhatsApp forces its Users to accept certain terms and conditions or policy provisions without a lawful basis or other ground for lawful processing, such consent would be deemed invalid and any processing that is conducted pursuant to it would be in contravention of POPIA.

WhatsApp required its Users to accept the Revised Privacy Policy failing which, said Users would not have functionality of the platform. In other words, this appeared to be a form of obtaining consent and the consent was made a condition of the service by WhatsApp. This cannot be deemed as voluntarily given consent because any level of pressure to agree or disadvantage arising from a decision not to agree vitiates true consent. Consequently, our considered view is that WhatsApp’s approach to obtaining consent amounted to coercion and is deemed invalid in terms of POPIA and any processing conducted pursuant to it is in contravention of POPIA.”

EMPLOYEE’S CONSENT

Consent in the employment context is problematic. Because there is usually an imbalance of power between the employer and employee, it isn’t easy to prove that consent was voluntary and, therefore, valid. When you’re desperate for a job, would you say ‘no’ to a prospective employer? No.

However, there are certain specific use cases where consent may be appropriate, such as to retain recruitment records and to use biometrics. Biometrics are often used for time and attendance and two-factor authentication, but less intrusive methods are usually available to manage people’s attendance. If a less intrusive option is available, the employer will likely be unable to rely on its legitimate interests and will be left to ask for consent. Employees who refuse must be allowed to use other ‘old school’ methods for authenticating. Because consent must be voluntary, remember?


SURPRISE CONSENTS

Have you ever read a contract and then… oh no wait. Nobody reads contracts. Imagine you’re reading the Ts&Cs to create an account on a community platform. You see all the usuals: the price, how and when you must pay, confidentiality, limitation of liability and so on. And then, hidden among the wall of text, there’s a sentence that says ‘By accepting these terms and conditions, you agree that we may share your personal data with our partners for marketing purposes.’

No sneaky hobbitses, this ‘consent’ will not fly. The EDPB Guidelines 05/2020 on Consent explains the concept of ‘freely given’ or ‘voluntary’ as follows:

“The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given. Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment.”

CONSENT TO PROCESS DE-IDENTIFIED INFORMATION

POPIA doesn’t apply to de-identified information at all. But what counts as de-identified information? The POPIA definition of de-identify states that it means to delete all information that:

  • identifies the data subject;
  • can be used or manipulated to identify the data subject; or
  • can be linked to other information that identifies the data subject.

This is where things get complicated. De-identification is very difficult to achieve, and the methods by which it can be undone (i.e. re-identification) are increasingly sophisticated. For instance, data scientists have demonstrated that 87% of all Americans can be identified if you have their birth date, gender and zip code. So, the legislature added that to meet a sufficient de-identification standard, there must be no ‘reasonably foreseeable’ method to re-identify the data subject. Once you’re certain you meet these requirements, no more POPIA compliance and consents are required! Yay!
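A pre-release check for the birth date, gender and zip code problem described above, as an added example that is not part of the original post: it measures how many rows of a "de-identified" table are still singled out by those three fields, then shows the effect of coarsening and suppression. The records are constructed, and the column and function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample rows (not real people): names are removed, but birth date,
# gender and zip code remain next to a sensitive column.
RECORDS = [
    {"birth_date": "1984-03-12", "gender": "F", "zip": "02139", "diagnosis": "asthma"},
    {"birth_date": "1984-03-12", "gender": "F", "zip": "02139", "diagnosis": "flu"},
    {"birth_date": "1990-07-01", "gender": "M", "zip": "02139", "diagnosis": "diabetes"},
    {"birth_date": "1975-11-23", "gender": "F", "zip": "02141", "diagnosis": "migraine"},
    {"birth_date": "1990-07-30", "gender": "M", "zip": "02139", "diagnosis": "fracture"},
]
QUASI_IDENTIFIERS = ("birth_date", "gender", "zip")  # assumed column names


def _key(record, keys):
    return tuple(record[k] for k in keys)


def group_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count how many rows share each quasi-identifier combination."""
    return Counter(_key(r, keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Size of the smallest group; k == 1 means some row is unique."""
    sizes = group_sizes(records, keys)
    return min(sizes.values()) if sizes else 0


def unique_fraction(records, keys=QUASI_IDENTIFIERS):
    """Share of rows that these fields alone single out."""
    sizes = group_sizes(records, keys)
    unique = sum(1 for r in records if sizes[_key(r, keys)] == 1)
    return unique / len(records) if records else 0.0


def generalise(record):
    """Coarsen the fields: keep birth year only, keep a 3-digit zip prefix."""
    out = dict(record)
    out["birth_date"] = record["birth_date"][:4]
    out["zip"] = record["zip"][:3] + "**"
    return out


def suppress_small_groups(records, k_min, keys=QUASI_IDENTIFIERS):
    """Drop rows whose quasi-identifier group is smaller than k_min."""
    sizes = group_sizes(records, keys)
    return [r for r in records if sizes[_key(r, keys)] >= k_min]
```

On the sample rows, three of five are unique before any treatment and one is still unique after coarsening, so it has to be suppressed before every remaining row shares its combination with at least one other. Passing this check covers only the columns listed; other fields or outside datasets can still allow linkage.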

WHEN A LAW SAYS YOU MUST DO SOMETHING

If you need someone’s personal information to comply with legislation, you don’t need consent to collect or use that information to comply with the law. For instance, to comply with the Employment Equity Act, qualifying employers must submit reports to the Department of Labour about the race, gender and disabilities of their employees. Employers don’t need consent from their employees to collect this information or to submit their annual reports.

Asking for consent is bad because what would you do if an employee withdrew their consent? You’ll be unable to comply with the EE Act.

FINAL THOUGHTS FROM THE EDPB GUIDELINE ON CONSENT

“Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment. When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful.”

Need help?

If you need help figuring out whether you need to ask consent and what that consent wording and mechanism should be, contact ilze@novcon.co.za. We love a challenge!
