CLICK, CLICK, DID YOU REALLY AGREE? The EU GDPR and the need for a Uniform Format for Privacy Policies

Meera Manoj, Intern at Cyril Amarchand Mangaldas – Advocates & Solicitors.

The recent outrage over Cambridge Analytica’s alleged profiling of Facebook users to influence elections has led to a curious situation. There was no breach of Facebook’s privacy policies at the time in regard to collecting data of users and their friends by third-party applications.[1] In fact, profiling users and selling their information to third parties is essentially Facebook’s business model.  Yet, consumers were left reeling with a sense of betrayal. The inescapable conclusion is that no one really reads online privacy notices.  In fact, this has already been well documented.[2] The reasons for this are quite clear. In the absence of a specific format for privacy notices, they tend to be complicated, lengthy and at times, misleading.[3] In such a scenario, users’ consent to online agreements is neither genuine nor informed.

However, the coming into force of the General Data Protection Regulation (“GDPR”) in the European Union (“EU”) may herald an era of change.[4]

The GDPR defines “consent” to mean any freely given, informed and unambiguous indication of the user’s wishes through a statement or by a clear affirmative action to signify agreement to the processing of personal data.[5] A clear affirmative action here could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates acceptance.[6] Consent can, however, not be construed to have been given in cases of silence, pre-ticked boxes or inactivity or where the user has no free choice or is unable to withdraw consent without detriment.[7] While collecting personal data all disclosures must be easily visible, intelligible and clearly legible.[8] The United Kingdom Information Commissioner’s Office has recommended several opt-in measures that privacy policies can follow, such as, prominent ‘yes’ or ‘no’ options and creating preference dashboards.[9]

Thus, an interesting point that emerges is that, whether or not true consent has been obtained, would often depend on the design of the privacy notices.

In fact, jurisprudence in the United States (“US”) echoes this observation. In Feldman v. Google Inc,[10] the court, whilst enforcing an online agreement, observed that it was in a readable 12-point font, only seven paragraphs-long and printer-friendly, which thereby ensured that notice could reasonably be presumed to have been given.  In Rudder v. Microsoft Corporation,[11]   it was held that the presence of a scroll bar afforded reasonable opportunity to read the complete set of privacy disclosures. Further, in Specht v Netscape,[12] it was observed that where it is not clear that clicking on a particular icon would translate into formation of the contract, it is unenforceable.

Moreover, US courts have also looked at a variety of factors to determine consent, based on the design of the webpage and hyperlinks. The hyperlink for the terms must be conspicuous, as determined by size, color, typeface, and placement.[13] For instance, in Pollstar v. Gigmania,[14] the   court found that the visitors of the website were not adequately alerted that the use of the information was subject to a license agreement because the notice was in small grey print against a grey background, and the text was not underlined to indicate that it was a hyperlink, contrary to the common internet practice.

Thus, jurisprudence in the US indicates that questions of enforceability may often depend on how a privacy notice is designed. The GDPR, by codifying the requirements of legible and clear notices, may result in the evolution of similar interpretations centering on questions of fonts, colors, etc. to ascertain true consent.

While this would be a consumer-friendly shift in discourse, it would greatly alleviate uncertainty if the EU simply prescribed mandatory formats for privacy notices with specifications of font, layout, etc. In fact, this is comparable to the rationale used by governments to mandate layouts for the framing of a prospectus in order to ensure that investors are providing informed consent. Similarly, uniformizing privacy policy designs would not only make it easier for consumers to read them but also eliminate uncertainty that companies may have regarding the enforceability of their online agreements. Moreover, studies have found that users are more likely to use a service or provide personal information when they are clear on how it will be used.[15] Further, in the long-term, it can prevent loss of consumer trust and market valuation created by controversies such as the one involving Cambridge Analytica.

Thus, while the EU is a far cry away from prescribing formats for privacy policies, it appears likely that due to the terms of the GDPR, it will follow the US with judicial precedent guiding companies on how to design their privacy notices.

 

[1]AL Jazeera, What happened in the Cambridge Analytica- Facebook Scandal? (27 Feb, 2018, 7:20 PM) https://www.aljazeera.com/news/2018/03/cambridge-analytica-facebook-scandal-180327172353667.html

[2] Daniel J. Solove, Introduction: Privacy Self-Management and the Consent Dilemma, 126 HARV. L. REV. 1879, 1885 (2013).

[3] “Mobile Apps for Kids: Disclosures Still Not Making the Grade,” Federal Trade Commission, Washington, DC, December 2012.

[4] European Union General Data Protection Regulation (2016).

[5] ibid art. 4(11).

[6] ibid 32.

[7] ibid 42.

[8] ibid 60.

[9] Information Commissioner Office, GCDPR Consent Guidance (25 March, 2018, 3:00PM) https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf

[10] Feldman v. Google, Inc., 513 F.Supp.2d 229 (E.D.Pa. 2007).

[11] Rudder v. Microsoft Corporation, [1999] OJ No 3778 (Sup Ct J).

[12] Specht v. Netscape, 306 F.3d 17, 22 (2d Cir. 2002).

[13] Be In v. Google, Inc., 2013 U. S. Dist. LEXIS 147047 (N.D. Cal. 2013).

[14] Pollstar v. Gigmania Ltd., No. CIV-F-00-5671, 2000 WL 33266437 (E.D.Cal. Oct.17, 2000).

[15]AARP, Improving Mobile Policy Privacy Disclosures, (20 March, 2018, 6:18 PM) http://www.aarp.org/content/dam/aarp/research/public_policy_institute/cons_prot/2014/improving-mobile-device-privacy-disclosures-AARP-ppi-cons-prot.pdf