Issues on Obtaining Users’ Consent to Privacy Policies

-- By MayaWakamatsu - 19 Oct 2021

1 Problems regarding Obtaining Consent to Privacy Policies

In some countries, data protection acts depend on the idea of individual consent to the collection of information. However, there are some problems regarding individual consent as follows.

1.1 Users consent to privacy policies even if they do not want to

Some people might consent to the privacy policy, even if they do not want to consent to the privacy policy, just because they want to use the service or they feel it is almost impossible to negotiate with companies to amend the privacy policy. As a result, even if users do not want companies to surveil their information, their information is controlled and surveilled by companies after users consent to the privacy policy, and it could endanger people’s freedom of thought.

1.2 Users consent to privacy policies without reading

The more detailed companies’ privacy policies become in an effort to obtain users’ valid consent, the more likely it is that users will tend not to read such long and detailed privacy policies, and, ironically, some users will consent without reading and understanding the whole content of the privacy policies. Some users may argue that while they consented to the privacy policy, they overlooked the specific contents of the privacy policy, and they may argue that the consent should ultimately be recognized as invalid. As a result, the validity of the consent will become questionable.

2 Possible Solutions

There are two main directions in which these issues can be addressed. The first is to make efforts to increase the effectiveness of consent. For example, in order to improve the rate of reading and understanding of the terms and conditions, there is an idea to further subdivide the documents and timing of consent. However, this will not solve the issues above fundamentally. Users might still consent to privacy policies without reading or they might consent to them even if they do not want to. The other direction is to give up on formal consent and seek other means as follows.

2.1 Procedural obligation

The first idea is to impose a procedural obligation to ensure that privacy policies are reported to personal information commissions and made public by the commissions, like a list of companies that are providing information to third parties by using the opt-out method in Japan. In Japan, those who intend to provide personal data to a third party are required to notify the Personal Information Protection Commission. When the Personal Information Protection Commission receives the notification, it shall make public the matters pertaining to the notification (https://www.ppc.go.jp/en/index.html).

Analysis:

This idea is to build or expand the public announcement system, and it may be realistic. Additionally, this idea will be effective for some companies which care about the reputation of potential users, and companies will not stipulate privacy policies that do not follow personal data protection laws. However, even if privacy policies are in public, there will be no way for users to amend the privacy policies. Eventually, users need to accept the privacy policy if they want to use their services.

2.2 Audit Obligation

The other idea is to impose an audit obligation. Services that handle the personal information of users should be required to have a professional third-party organization audit whether they are actually managing and operating the information in accordance with the privacy policies. This idea is similar to the audit obligation with regard to securities reports and financial statements of listed companies.

Analysis:

This idea would require an auditing firm, and the auditing firm will audit whether firms are managing the information in accordance with the privacy policies. As compared to the first idea (2.1 Procedural obligation), this idea will be effective because third parties will check companies’ privacy policies fairly, and it will be beneficial to users. Companies should make systems secure and secret for users, and if companies did not follow the standards, they should be strictly subject to penalties.

3 Conclusion

If we choose not to provide personal information to those who have a dominant position, we will be put in a disadvantageous position. I believe that we should pursue new directions as mentioned above instead of formal consent acquisition schemes.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.