Consent Doesn’t Equal Protection: Congress, it’s Time for a Privacy Bill

Multiple times each day you click on a website and receive a banner message that reads something like: “This site uses cookies to provide you with a greater user experience.  By using (this site) you accept use of cookies.” By clicking on “use of cookies” you have agreed to the collection and use of your personal information while on that site.

Most consumers, after receiving one or two of these messages, go directly to “agree” or “yes” so that they can just get on with their lives.

Why this sudden increase in notices?  You can thank the European Union’s implementation of the GDPR, the General Data Protection Regulation, which became effective in the late Spring of 2018. As companies have scurried to comply, the steps they are taking to protect personal data overseas are having an impact here in the United States as well.  This request for “consent” is a direct result of the GDPR, so ask yourself, “Is my data more protected now that I am on notice, and my consent is required for its collection and use?”

Most likely not; consumers are not feeling any greater sense of privacy protections.  In fact, fatigue is building, and consumers are tiring of these constant “notice and consent” messages.

It’s time we took a more critical look at the “notice and consent” mechanism since it’s not actually placing protection for consumer data, or the subsequent handling of that data, in the hands of the consumer. Consumers want access to their websites, but also care about protecting their online privacy.  The paradox is that consumers may not be clear about what personal information is being collected, and what happens to that information after it is collected.

There has been extensive research conducted regarding consumer awareness of the online data collected about them, which reveals that there are significant misconceptions about data and privacy protections.  A study conducted by Pew Research a few years ago found that about 52% of internet users believed that the following statement is true: “When a company posts a privacy policy, it ensures that the company keeps confidential all the information it collects on users.” The internet users in the study incorrectly assumed that privacy policies actually ensured the confidentiality of their personal information, when in reality these policies are just a legal document to disclose how the customer data is collected and used.

It’s common knowledge that most of us just don’t read privacy notices or policies.  A survey conducted in late-2017 by Deloitte of 2,000 U.S. consumers revealed that “91 percent of people consent to legal terms and services conditions without reading them. For younger people, ages 18-34 the rate is even higher with 97 percent agreeing to conditions before reading.”

For most internet users, the current “notice and consent” approach is not an adequate solution to provide privacy protections. It may fulfill a legal obligation for internet companies, but most consumers still remain unaware about how their data is collected online and used.  With the implementation of the EU’s GDPR, actions being taken at the state legislative level and national privacy legislative proposals, there is an opportunity for policymakers to consider a better mechanism for data transparency.

Another factor to consider is that consumers may want to share their information in some cases but not others. How do we provide protection while also providing choice? One possible approach would provide reasonable prohibitions on the use of specific types of data (like race, ethnicity, gender, etc.) collected online with the goal of allowing consumers to access free services and other benefits while also bearing in mind that certain types of information can be used in malicious ways.

The best “opportunity” to address these protections will be in national privacy law, and all eyes are now on Congress to step up to the plate and pass legislation that will provide consumers with strong privacy protections.  These protections include rules of the road for data transparency beyond the inadequate “notice and consent” mechanism that has existed over the course of previous years. Data transparency is an important privacy protection for consumers’ best online experience.

Debra Berlyn is an advisory board member of the Future of Privacy Forum and president of Consumer Privacy Solutions.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.

Morning Consult