Data Privacy, De-Mystified.
Consent is one of the most important legal bases for processing user data, and has a special place in digital privacy theory. Early privacy scholars like Alan Westin advocated for a “notice and choice” model of user privacy that’s still largely in use online today – users are notified of a data policy, and they consent to accept it. In this model, consent is the key that unlocks a processor (or businesses)’s ability to leverage user data.
It should be no surprise, then, that there is plenty of wrangling over what constitutes “consent”. In the past, simply visiting a website may have been taken as an implied form of consent for that website to use visitors’ data however they wished. No longer.
In GDPR Article 7, for example, consent is only considered valid if it is freely (ie voluntarily) given, specific, informed and unambiguous. In Canada’s updated PIPEDA, the law requires “meaningful consent” to be obtained and supplies guidelines with seven criteria that must be followed for meaningful consent to take place.
The “in a nutshell” takeaway is that it’s not enough to understand that consent is an important part of user data processing. It’s vital to understand that the nature of consent is complex and varies by region. Data processors must take care to ensure they’re satisfying the specific consent requirements of the territories where they operate.