The UK House of Commons has highlighted the need for clarity of website terms and conditions in order to allow users to provide their "informed consent" to the terms. Social media providers were cited as the key focus of this need by virtue of the vast amounts of personal data they collect and store about their users and the increased privacy law burden that comes with the associated value and risk of that personal data.
The report acknowledged that consumers frequently either do not read, or do not understand terms and conditions even on the most user-friendly of sites, due to their often complex drafting. Those responsible for drafting terms and conditions have a difficult balance to strike between commercial protection in the event of litigation, and consumer friendly drafting. The report recommended that the Government should develop a set of information standards to which businesses sign up and commit to providing clear and accessible explanations of how they plan to use their customers' data. A useful litmus test for doing so is to require that businesses seek fully informed consent from their users, acknowledging that consent cannot be valid without informed understanding.
What is "informed consent"?
European data protection law requires that organisations collecting personal data must obtain an individual's prior consent to their data being collected and used in the manner and for the purposes in question.
The European Data Protection Directive defines an individual's consent as:
"any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed." [1]
Those processing personal data must therefore ensure that an individual has been properly "informed" and has subsequently "signified" their consent in some way.
The need to obtain 'informed consent' from individuals to their data being collected and used for research imposes a further burden on businesses and website developers: beyond obtaining valid consent, they must be able to demonstrate that the user understands exactly what they are consenting to. In the medical sphere (where consent is particularly crucial given the sensitive nature of the data being collected), informed consent is considered to be consent given:
"by a competent individual who has received the necessary information; who has adequately understood the information; and who, after considering the information, has arrived at a decision without having been subjected to coercion, undue influence or inducement, or intimidation." [2]
The value of data as an asset collected for research purposes by social media providers and other interactive websites which can determine the age, gender, location (and so on) of existing users is now widely acknowledged as a vast industry of its own, enabling businesses to learn about their consumers, target their advertisements and broaden their appeal to a wider market.
Consent cannot therefore easily be addressed with a check-box simply 'ticked' by the user. Businesses must attempt to get the user to engage with the terms and conditions and overcome an overriding desire to join their peers and sign up to a service, such as a social media network. Although circumstances where a user has 'blindly' accepted terms and conditions are unlikely ever to be described as "coercion" or "intimidation", this could be considered a form of undue influence.
Too long, too complex, and too broad
The most common means by which social media platforms obtain consent to collect and use personal data is to require users to agree to terms and conditions on the website when they register to use the service.
Two main problems have been cited with this method. First, the terms and conditions were generally too long for users to want to read. Secondly, even if they wanted to read them, the language used was too complex for users to understand the practical implications of giving consent. As a result, any consent provided was not 'informed consent' and therefore insufficient. In 2010, GameStation temporarily added a clause to its terms and conditions stating that the company now owned the user's "immortal soul". Worryingly, only 12% of users noticed and clicked the opt-out box. [3]
Another area in the spotlight is mobile device applications ("apps"), which frequently require users' permission for much broader access to an individual's data and device functionality than is strictly necessary to perform the apps' functions. A key aspect of consent under European law is that it is absolutely clear about the purposes of the processing of personal data. It is acknowledged that there is a distinction between consents to use personal data which are required to provide a service, and those which are requested (such as the difference between functional and analytic cookies). Companies should make it clear when non-mandatory information is requested of users, and explain why it is being requested. In a survey conducted by the Global Privacy Enforcement Network (GPEN) in September 2014 (from which the Information Commissioner's Office then reviewed the top 50 mobile apps developed by UK developers), 59% of the apps surveyed left users struggling to find basic privacy information, which would be considered non-compliant under the European data protection regime.
The EU and beyond…
It is no secret that several large providers of online services are headquartered outside the jurisdiction of the UK and EU, and are therefore subject to different data protection obligations. However, in the widely reported judgment of the Central European Court of Justice in relation to Google Spain in May 2014, it was held that the search engine company must comply with the EU Data Protection Directive (95/46/EC), despite being headquartered in California, because it was "established" within the EU, by virtue of the marketing and advertising activities it directed towards EU citizens. It is therefore important for foreign companies with UK or EU subsidiaries or bases of operation to ensure that their EU facing sites and services are compliant with European data protection law.
- Approach the terms and conditions as primarily a consumer focused explanation of both parties' rights and responsibilities, rather than an attempt to protect against all possible avenues of liability.
- Draft the terms and conditions in plain, simple language that can be understood by all users, including children, if the service will be used by them. If this is not possible, provide practical explanations alongside each condition. A good example is Twitter's Terms of Service which provides 'tips' which simplify or paraphrase the Terms such as "you are what you Tweet", or LinkedIn which uses a video to explain ownership of content in social media.
- Use headings to break up the terms and conditions into sections to make them easier to navigate and read. This may also help draw users' attention to the sections they are most concerned with e.g. privacy, use of content, or liability.
- When drafting privacy policies and/or explaining use of consumer data, provide clear and specific explanations about why the information is being collected, how it will be used, and distinguish between mandatory information, and that which is optional.
Top of the terms!
Some examples of terms and conditions which we think adopt some useful techniques for obtaining informed consent are:
The global nature of the internet can blur the traditional physical boundaries between legal jurisdictions and cause confusion when considering regulation. We would advise online service providers to seek data protection advice for each jurisdiction in which they operate in order to ensure they are complying with their various data protection obligations.
[1] Article 2(h), Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[2] Council for International Organisations of Medical Sciences.
[3] Joe Martin, GameStation: "We own your soul", Bitgamer, 15 April 2010, bit-tech.net. Accessed 3 March 2015.