Introduction
Gathering information about one’s behaviour is an important key to improving existing technology as it can provide an insight into behavioural trends (i.e., how and why individuals act in certain situations) (Rodríguez et al. (2013), Štreimikienė (2014), Elbayoudi et al. (2016), Fotopoulou et al. (2017)). Such information has proven to be useful for large organisations in sectors such as insurance and online advertising, which have started the trend of “behavioural targeting” (Jaworska and Sydow (2008); Zuiderveen Borgesius (2016)). Now, more than ever, personal data is being collected, analysed, and shared between multiple entities and, in most cases, the collection happens without one’s consent and knowledge about the implications that follow (Joergensen (2014); Bechmann (2014)).
In order to change that, in 2018, the European Parliament and Council of the European Union accepted the General Data Protection Regulation (GDPR). GDPR has led to a drastic change in how the personal data of European citizens is handled by introducing six lawful bases for the processing of personal data, one amongst which is consent. Consent has a crucial role since no data processing can begin without it. GDPR has set specific requirements for it (Art. 6, 7). Consent should be freely given, unambiguous, explicit, and most of all informed (Rec. 32). In order to have informed consent, a consent request, which is compliant with GDPR, must present information about what data is required, for what purposes, how the data will be processed, by whom, etc. (Art. 7, Rec. 32). However, presenting such information does not guarantee that one will be truly informed (i.e., aware of what it means to consent). There is a need for consent tools that focus on raising individuals’ legal awareness while being compliant with GDPR (McStay (2013)).
One of the main means of requesting consent online is via a User Interface (UI) - a prompt window asking one to “Agree” to the presented privacy policy and terms and conditions, which are rarely read and “when they are, they are hard to digest” (McDonald and Cranor (2008); Drozd and Kirrane (2020)). The option to “Not Agree” is also rarely present (Utz et al. (2019); Matte et al. (2020)). Options such as consent revocation are, in many cases, hidden from individuals (i.e., one needs to search and go through several screens to withdraw the given consent). According to Article 7 of GDPR, “it shall be as easy to withdraw as to give consent”; thus, such consent request UIs are in violation. Giving consent by selecting “Agree” to the presented privacy policy does not imply that individuals are aware of what their actions mean and the implications that follow (Byrne et al. (1988)). For example, an individual’s vehicle sensor data such as fuel and speed can be used by insurance companies to make decisions about the value of the vehicle and for medical payments or personal injury protection coverage in the case of a car accident. Such data could be used to adjust a driver’s insurance premiums upwards or downwards depending on their driving habits, age, and health without the driver realising that this adjustment was based on continuously collected data. In most cases, one gives consent without questioning what is asked and for what purposes (Bechmann (2014); Joergensen (2014)). Bechmann (2014) defines this behaviour as a beginning of a culture of “blind consent”. Humans look for visual cues when presented with content (Clark and Mayer (2016); Brookhaven National Laboratory (2017)). Presenting individuals with long paragraphs of legal text does not ease comprehension (Wszalek (2017); Ericsson (1988); Kurteva and de Ribaupierre (2021)). Instead, it can lead to confusion and information overload (Gross (1965)), which can make one dismiss the process by giving consent without being informed.