Choice and Consent

The development of information privacy and data protection laws has sought to give data subjects greater control over their personal information. The concepts of choice and consent have been key to granting data subjects such control by allowing them the opportunity to make informed choices regarding who has access to their information and how it may be used.

What is Choice/Consent?

Choice/Consent is the second of five Fair Information Practices published by the FTC to guide the collection, use and disclosure of personal information. The FTC states, “At its simplest, choice means giving consumers options as to how any personal information collected from them may be used.”

There are two forms of consent exercised by individuals.

Opt-in requires the affirmative consent of the individual. The user must take action to allow a business to process their information and provide a product or service. For example, a user may visit a website and submit their email or check a box with their registration to receive the site’s email newsletter.

Opt-out requires the implicit consent of an individual. Since a user has not taken action to stop the processing of their information, they are said to give implicit (unspoken or assumed) consent. When a user receives marketing messages in their mailbox that they no longer wish to receive, they may unsubscribe from the newsletter. This is considered opting out.

The use of the choice/consent mechanism as the main regime for protecting personal information has been widely criticized. It is believed that many consumers are not aware or educated enough in privacy law to understand their rights and ability to control information.

Secondary Use of Information

The FTC defines secondary use as “uses beyond those necessary to complete the contemplated transaction.” Companies are required by law to state in their privacy policies any secondary uses of information including whether it may be disclosed to third parties.

The control of personal information with regard to marketing is the most common implementation of choice/consent. It is used to control the receipt of marketing messages, the use and disclosure of information to third parties, and the collection of information through cookies in order to create tailored advertising. Though the disclosure of information may be necessary to complete a transaction with a company, an individual is allowed to object to any and all secondary use or disclosure of their information.

Mandatory vs. Optional Data Collection

Mandatory information is any information that is necessary to complete the immediate transaction. Optional information includes any information an entity may wish to collect about an individual for internal purposes but that is not required to complete the immediate transaction. In a web form, mandatory fields must be filled in before the form can be submitted. Optional fields may be left blank or unanswered and the form will still process. By completing optional information fields, an individual is giving their consent to the collection and use of such information.

Businesses practicing responsible information privacy will limit the collection of information, especially that which is optional, because the more information collected, the greater the risk to privacy.

Choice/Consent and Regulations

The CAN-SPAM Act of 2003 regulates email marketing messages in the U.S. In addition to content regulations, the CAN-SPAM Act requires all marketing messages to have an unsubscribe mechanism at the bottom and that consumer requests be honored within ten days.

The European Data Directive addresses consent in Article 7, which requires data subject consent for the processing of data, though consent is not required for a few specific situations. It is also addressed in Article 14, which guarantees the data subject’s right to object to the processing of data. Furthermore, Article 8 requires the explicit consent of a data subject to process sensitive information such as racial or ethnic origins, political or religious beliefs, sexual orientation, health information, or trade union membership.

Almost all data protection laws allow individuals the opportunity to make choices regarding the use of their personal information.

In Conclusion:

Choice/Consent deals with an individual’s ability to control the use of their information. Because, as of now, the choice/consent regime is the major framework for protecting privacy in many industries, it is the duty of the consumer to read privacy practices and make informed decisions regarding how they wish their information to be used.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

  • The Collective View of Privacy Principles: Choice/Consent (I.E.ii)
  • Privacy Considerations Online including choice and consent, secondary use of data and mandatory vs. optional information. (III.B.c.i-iii.)
