TL;DR: Consent matters when it comes to cookies that could expose sensitive personal attributes (health, income, age, sexuality, religion, ethnicity), even if you don’t mean to collect them. Collecting these things could put the subject at a small but appreciable risk. The only person is a position to decide whether a personal attribute is sensitive is the subject (and even they may have trouble). Getting consent is different to getting someone to click the “I consent” button. People are irrational, don’t pay attention and are goal-focussed – It’s not OK to exploit that in order to get a meaningless but legally-acceptable “consent” signal.
Hand-Waving in the general direction of consent
Consent is one of those ideas that seems to permeate through every level of society. At a macroscopic level we talk of citizens being governed and policed by consent, and at a smaller scale consent underlies the relationships between individuals. It is only rarely that someone can be compelled to do something without their consent at some level – Whether that’s macroscopic consent derived from their participation in a democratic society or case-by-case consent formed through contract or interpersonal agreement.
What underpins the idea of consent, is that the entity giving consent (whether an individual or a group, and sometimes both) has a meaningful choice to make: Do I or do I not want to enter in a particular set of rules or conditions?
Consent and Cookies
So, what does consent have to do with cookies? An advertising network that tracks my visits over multiple sites isn’t compelling me to do anything, but it is taking decisions, the right to digital self-determination, away from me. As I’ll come on to later, people deserve a choice when it comes to data about them, and when an advertising network starts covertly collecting data that choice is taken away. Secondly, the EU 2009 e-privacy directive specifically requires that
“the storing of information, or the gaining of access to information already stored … is only allowed in the event that subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing.”
Consent vs “I Consent”
When piloting the study I’m working on at the moment, I spoke to several people about their experiences with cookies and asked most of them about the new “consent” dialogues that have sprung up on UK websites since May*. The overwhelming response seems to be that people have seen them, but don’t really pay attention to what they say or understand the decision that has to be made. That’s not surprising, people have been ignoring warnings about security certificates for years.
Here’s the difference between actually consenting to something and clicking on a consent button (or worse, “continuing to use this website indicates your consent”). The legal basis for determining whether a user has consented seems to be rooted in the same discredited notions that human beings are rational and self interested as Economics. More, it assumes that people will always read, understand and give proper thought to the information that they’re shown. We know that both these things are categorically not true. By relying on human psychology to trick users into “giving consent” whilst simultaneously pretending that such consent is in any way meaningful is ethically indefensible. What matters is not whether you can get a user to click a button (probably after having gone through a shallow heuristic evaluation rather than critical thought) but whether you can say with any certainty that users are actually happy for you to do what it is your doing; (and you can’t assume that they’d be happy if you haven’t actually told them).
If these techniques were proposed as “nudges” (and default options can be legitimate nudges) they would be rejected on the grounds that they’re not in the interest of the subject or even of broader society.
Why “digital self-determination” matters
By “digital self-determination” I mean the right to control data about oneself – Even in situations where it would be hard (although not impossible) to link that data back to the individual it relates to. Every time data about a person is stored, there is an unknown increase in the risk of harm to the data subject. It’s not the job of Bing, DoubleClick or Facebook to make risk decisions on behalf of the data subjects – The data subject is the best placed to know which personal attributes are potentially sensitive given their personal circumstances.
Why does it matter if a company collects data about the web pages I’ve visited? There’s no answer to that question. Some people have no reason to care, but others may have several. Advertising companies know that the web pages people visit can tell you something about them – They exploit that knowledge to target adverts based on what they think you’re likely to buy. What somebody’s likely to buy is not the only thing you can infer. Consider the following examples:
A web user searches for advice about problems with their eyesight and tremors. In the UK those web searches wouldn’t be too sensitive – Our health care is free at the point of use. In countries where people rely on private health insurance that web search could be construed as evidence of a pre-existing medical condition and preclude the data subject from appropriate care if they were later diagnosed with Multiple Sclerosis.
You could make a reasonable inference as to the sexuality of somebody who routinely visits PinkNews.co.uk. For some people that’s not a problem, but for some people such a revelation could cause family or employment difficulties.
What about the social stigma around depression and suicide that might be invoked by disclosure of visits to the Samaritans website? Or the consequences of an abusive partner finding that their victim was seeking domestic violence support? An employer that found out you’d been uploading a CV to Monster?
Shouldn’t those sites just stop using third party services that could track their visitors? Probably. But that’s not enough – Newspapers carry stories about these topics and links to those websites. Bloggers that rely on free services don’t have a choice which third parties get to track their visitors.
“We use behavioral advertisers – People can accept it or leave”
Do people have a choice of whether they take a risk with their personal information? Perhaps they do, but should people have to make a choice between risking personal data and using a website? That is surely a form of indirect discrimination.
So, what’s your point?
The current system of tracking, the paternalistic attitude that companies have to subject data and the technology that allows companies to do tracking with no consent from users is broken. Something has to give: Either data protection legislation needs to be strengthened (or just enforced – Yes, ICO, looking at you), companies that make money from surreptitiously stealing people’s data need to start behaving more responsibly or the technology needs to be tweaked to give web users a break.