83d17b22

Opinion piece on dark patterns in 'Het Financieele Dagblad'

Mon, 31 Aug 2020 10:54:10 GMT

Dark patterns

More and more websites have employed new tricks to get users to consent to the placement of tracking cookies on their devices. These tricks are often called dark patterns .

An common example of such a trick is an easy one-click button for the acceptance of cookies and a complex settings page for the refusal thereof. Another trick that is often used is a large button for the acceptance of tracking cookies, but a small button for the refusal of cookies. A dark pattern that is also often employed is the use of the color green, which is associated with safety, for the acceptance of cookies. And of course the color red, which is associated with danger, for the refusal of these cookies.

Opinion piece in Het Financieele Dagblad

Our consultant David wrote an opinion piece on this subject, which has been published in the Dutch financial newspaper ' Het Financieele Dagblad ' on August 20th. You can read it here (in Dutch): Privacywaakhond moet dark patterns aanpakken

Can dark patterns be used lawfully?

Users need to consent to the placement of tracking cookies on their devices. According to the General Data Protection Regulation (GDPR), consent needs to be freely given, specific, informed and unambiguous. Freely given consent implies that a user has an actual choice, which the user does not have if he or she has no choice but to accept tracking cookies in order to access a website.

The European Data Protection Board has expressed in May of this year that making consent a condition for the access to a website, often called cookie walls , cannot amount to freely given consent. The Dutch Data Protection Authority had already expressed the same opinion last year.

Dark patterns will probably not amount to freely given consent in most cases. You need to provide users with a way of withdrawing consent that is just as easy as providing consent. It is only logical that the same applies to the refusal of consent; refusal should be just as easy as acceptance. If you provide the user with an almost hidden option for the refusal of cookies, does that user have an actual choice if he or she does not know that cookies can be refused? And do you provide the user with an actual choice if the acceptance of cookies can be done in one click, whilst the refusal of these cookies can only be done by navigating through a complex settings page?

Obtaining proof of consent can be difficult if you are using dark patterns

If you employ dark patterns for the placement of tracking cookies, you will run into another problem. Consent needs to be unambiguous, which means that it needs to be clear that a user has consented. You will also need to proof that users have consented to the placement of tracking cookies. How are you going to proof that users have freely consented to the placement of tracking cookies, if they are misled into accepting them?

If you want more information on how to use tracking cookies on your website in a GDPR-compliant manner, be sure to contact us at info@interfyde.com .

Your privacy statement is not a contract or: how to ask valid consent online

Wed, 29 Jul 2020 19:29:29 GMT

You have probably seen this pop-up message before when you were browsing on the internet: ‘By clicking here or by continuing on our website, you accept the terms in our privacy statement ’ . Usually, the acceptance of the terms in the privacy statement is a condition for making use of the website or a certain service.

There are at least two things that are wrong with this pop-up message. First, having data subjects agree to the processing of their personal data in such manner does not result in obtaining valid consent under the General Data Protection Regulation (GDPR). Second, a privacy statement does not require any acceptance by data subjects.

There seem to be misconceptions among some organisations regarding the purpose of a privacy statement. In this article, we will explain the purpose of a privacy statement and how this relates to obtaining consent.

The purpose of a privacy statement

The GDPR requires you as an organisation to be transparent about the processing of personal data. You therefore need to inform data subjects about the processing of their personal data. You must provide them with certain information such as the purposes for processing. The exact information that you need to provide depends on how you have acquired their personal data (articles 13 and 14 GDPR).

The purpose of a privacy statement is to fulfil your transparency obligations by telling the data subjects how you are processing their personal data. A privacy statement is nothing more than a description of your personal data processing activities in a language that is clear and understandable for the data subjects.

Having data subjects “agree” to your privacy statement does not mean that every personal data processing activity that you have described in there suddenly becomes lawful. You should first make sure that all your personal data processing activities are lawful (which might require obtaining consent). Once you have done that, you should describe the data processing activities in your privacy statement.

Obtaining consent

If you want to lawfully process personal data, you will need a legal basis for processing. One of the six (and perhaps the most important) legal basis for the processing of personal data is consent (article 6 par. 1 under a GDPR). According to the GDPR, consent must be freely given, specific, informed and unambiguous. If you rely on consent for the processing of personal data, you must be able to demonstrate that the data subject has provided his or her freely given, specific, informed and unambiguous consent.

Freely given

'Freely given' means that data subjects have a genuine choice when providing their consent. You should keep in mind that consenting to the processing of personal data cannot be a counter-performance of a contract. Consent cannot be freely given by data subjects if their consent is bundled up as a non-negotiable part of your terms and conditions. You must be able to demonstrate that data subjects are able to withdraw or refuse their consent without any detriment. Withdrawing consent must be just as easy as providing consent. If you require data subjects to “accept” the “terms” of your privacy statement as a condition for providing them your services or access to your website, you are not able to proof that they can refuse consent without detriment. Not being able to make use of your services or accessing your website clearly has a disadvantage for the data subject.

An example of consent that is not freely given is how the Dutch video-streaming service Videoland (which is owned by RTL) asks for consent for the processing of personal data consisting of monitoring behaviour on their platforms (at least at the time of writing this blog post). If you want to purchase a subscription to their platform, you will need to “agree” with their privacy statement. This privacy statement states that your behaviour on RTL websites may be monitored for targeted advertising purposes. As you are not able to purchase the Videoland service without consenting to the processing of your personal data, this cannot amount to a freely given consent.

Specific

Consent must be 'specific'. This means that you should clearly specify the purpose(s) for which the personal data is processed. You must make sure that data subjects can provide their consent for each individual purpose for processing if the consent relates to multiple purposes. This relates to the condition of 'freely given', as a take-it-or-leave-it choice, where you have to consent to everything or get nothing, is not a genuine choice and therefore not lawful. Furthermore, consent can only be specific if the consent-related information that you provide is clearly separated from information about other matters.

Informed

You should also keep in mind that consent must be 'informed'. Informed means that data subjects can understand what they are agreeing to and what their rights are. You should at least provide information on:

the controller’s identity;
the purpose of each of the processing operations for which consent is sought;
the type of personal data that will be collected and used;
the existence of the right to withdraw consent;
(if applicable) any information about the use of the personal data for automated decision-making, and;
(if applicable) information on the transfer of personal data to a third country.

Although information on the processing of personal data must be provided to data subjects in the context of article 13 or 14 GDPR anyway, it is not advisable to refer to a privacy statement when obtaining informed consent. If you are reading a lengthy privacy statement that covers much more than processing based on consent, it might not be easy to understand to which categories of personal data or to which purposes the consent that is being asked relates. This is linked to the condition of 'specific', as consent-related information should be separated from information about other matters.

You should provide data subjects with "layered and granular information" at the moment of obtaining consent. That means that when obtaining consent, data subjects should first be provided clear and concise information that only relates to the processing based on consent. After the first layer of information has been provided, you can provide a link to the second layer of information which can be more extensive. This second layer can be your full privacy statement. In the above mentioned example of Videoland, the layering of information has been done correctly, although no information on the existence of the right to withdraw consent has been provided.

Unambiguous

Consent must be a clear affirmative act, otherwise it would not be 'unambiguous'. Obtaining consent by showing a message such as ‘By continuing on our website, you agree to our privacy statement ’ can never result in valid consent, as continuing to browse on a website is not a clear affirmative act. It would also be difficult to provide the data subject with an option to withdraw his consent in a way that is just as easy as providing consent. How would a data subject be able to withdraw his consent in a way that is just as easy as continuing to browse on your website?

Conclusion

A privacy statement is a tool for providing information to data subjects, not for gathering information from them. You should not regard a privacy statement as some sort of contract with data subjects. Having data subjects “agree” to any “terms” in your privacy statement does not ensure that the described processing of personal data is actually lawful. Make sure that your processing activities are lawful, which could require obtaining valid consent. Once you have ensured that, you should describe this in your privacy statement as a way of fulfilling your transparency obligations.

Are you not sure if your data processing activities are lawful or how to describe them in a privacy statement? Make sure to contact us !

Privacy Shield is down! Be careful with transferring personal data to the United States

Thu, 16 Jul 2020 12:51:56 GMT

Today, the Court of Justice of the European Union has declared the Commission's decision regarding the Privacy Shield mechanism invalid

Today on July 16th 2020 , the Court of Justice of the European Union (the Court) has declared Commission Decision 2016/1250 (Privacy Shield adequacy decision) invalid in its Schrems II decision . In this blog post, we will explain when you are allowed to transfer personal data outside of the European Economic Area (EEA) , what Privacy Shield is , why it was declared invalid by the Court and whether you can still rely on Standard Contractual Clauses for transferring data to the United States and other countries outside of the EEA .

You can find the full judgement here: Judgement in Case C‑311/18

Curious about the consequences of the Court's decision for your organisation or about transferring personal data to a receiver in a country outside of the EEA? Contact us now!