Laws Still Apply to Bad Ideas
On Monday, I posted that “[acp title=”Forcing Consent Is A Bad Idea” medium=”blog” url=”https://www.spamtacular.com/2020/01/27/forcing-consent-is-a-bad-idea/” year=”2020″ month=”January” day=”27″ author=”Mickey Chandler” id=”me-02″ day_access=”29″ month_access=”January” year_access=”2020″]{title}[/acp]”. The point was to tell say that, regardless of legal issues, there are very practical reasons in favor of setting a policy of not trying to force consent.
But, just because there are practical reasons for not forcing consent does not mean that there are not also legal considerations to be made. Sometimes, laws even prohibit ill-advised decisions outright. And, depending on the jurisdiction, those laws may apply to you.
For instance, the CRTC has stated with regard to the collection of express consent under CASL that “The Commission considers that requests for consent contemplated above must not be subsumed in, or bundled with, requests for consent to the general terms and conditions of use or sale. The underlying objective is that the specific requests for consent in question must be clearly identified to the persons from whom the consent is being sought. For example, persons must be able to grant their consent to the terms and conditions of use or sale while, for instance, refusing to grant their consent for receiving CEMs” ([acp title=”Compliance and Enforcement Information Bulletin CRTC 2012-548″ author=”Canadian Radio-television and Telecommunications Commission” id=”crtc-01″ medium=”website” day=”10″ month=”October” year=”2012″ day_access=”29″ month_access=”January” year_access=”2020″]{title}[/acp] at ¶16). Thus, the forced creation of an account to view a website cannot provide the basis for an extension of expressed consent as that would subsume the consent into the general terms or the conditions of use.
The violation under the GDPR is even more evident. According to the GDPR, “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” ([acp title=”Regulation [EU] 2016/679″ publisher=”Official Journal of the European Union” day=”27″ month=”April” year=”2016″ url=”https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN” day_access=”29″ month_access=”January” year_access=”2020″ id=”gdpr-01″ medium=”post”]{title}[/acp], Article 7(4).) Further, Recital 42 says that “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” And, finally, Recital 43 states that “Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance” (emphasis added).
Thus, forcing consent would appear to be a GDPR violation in most instances. At the very least, a company would need to drop any reliance upon consent as their basis for controlling and processing data and find another basis.
But, even if these laws don’t apply to a given program, it’s still just a bad idea to do force consent. It’s asking for trouble in a number of ways, both reputationally and potentially legally.
- Help me see if there is a need for that I can fill - 23 September 2024
- Verkada: Data Protection Issues - 19 September 2024
- About Consent Decrees - 6 September 2024