
This article was published on December 20, 2018

Why GDPR pop-ups could actually violate your privacy


Image by: Song About Summer/Shutterstock

Have you noticed the increasing number of pop-ups asking you to consent or “agree” when you visit a website? Do you find these annoying and tend to just click accept without reading the policies? So do most people, and here’s why that’s a problem.

By “agreeing” to any of these particular policies, you are effectively allowing a website or app to collect various types of data on you that could violate some of your human rights, such as your right to privacy.

To control what data the website or app can gather about you, you have to go through the tedious process of reading long, complex terms and conditions. Sometimes you might have to un-tick a few hundred boxes and navigate through complicated menus to choose your preferences.

This places a burden on you to become your own data manager. It would be much easier and quicker if there were standardised or comparable consent forms that would allow you to quickly identify processes or uses for your data that you may not want.

But first, why should you care about data collection in the first place? You might think that you are not doing anything illegal online and that therefore it doesn’t really matter if someone knows that you read certain kinds of articles or order from a certain restaurant every night.

This is a dangerous way of thinking. Our internet data becomes valuable when it is collected to form a profile of us that can allow companies to infer other things about us – and open us up to manipulation, for example with targeted advertising. Seeing ads that are more relevant to us and show us things we really might be interested in buying might be convenient.

But this kind of targeting can also enable companies to discriminate against people and deny them an equal chance of accessing basic human rights, such as housing and employment.

While this paints a grim picture of the collection of your data, there are ways to minimize the data collected about you and limit how it could be used against you.

Online data profiles can be used to reject people for housing or jobs (Credit: Rawpixel/Shutterstock)

One step forward is the recent EU General Data Protection Regulation (GDPR). This demands that you must give free, informed, specific and unambiguous consent before anyone can collect your data.

The immediate result has been the proliferation of pop-up consent boxes on websites you’ve probably noticed.

GDPR also comes with specific guidance about how consent requests should be designed and what information they must provide. But in practice, when it comes to the design of genuinely user-friendly consent requests, too many websites aren’t implementing this guidance properly.

Skewed language

One of the major problems is the skewed language that is used for different options to consent. You may see a huge “I agree” button and in tiny letters underneath “select preferences” or “edit settings.”

This incentivizes users to simply click “agree” and move on, rather than select their preferences in regard to the data they are comfortable sharing.

At the outset, users should be given a clear indication of what data is collected, how it will be processed and for what purposes. There should be no pre-ticked boxes, no clumping together of different data processes and no need to opt-out of anything. All consent that you give online should be by clear affirmative action by you, based on your informed preferences.

Another main component of the GDPR is the freedom of an individual to withdraw consent and the “right to erasure” of their data. That means you should be given the option to withdraw your consent at any time and it should be clear from the outset how to do this. Yet websites and apps rarely do this.

Part of the problem is that, after your data is collected, it is often anonymized and aggregated with that of thousands if not millions of other people, and might be sold to third parties for a variety of purposes. This can make it impossible to track or extract individual data points, although anonymization does not mean that you cannot be identified another way.

Possible solution

One solution to the endless process of trying to understand tricky consent requests is for different websites and apps to standardize their requests. This would be in line with the UN Guiding Principles on Business and Human Rights on creating comparable rules between companies in order to create better overviews for consumers.

This way, users can more easily familiarize themselves with the information that can be expected in a consent request and quickly identify oddities or problems.

Among the important aspects to ultimately consider is whether the data requested is really necessary to serve the particular objectives of the website or app, which must be disclosed to you clearly beforehand.

So, when your Sudoku app requests access to your location, perhaps it’s time to rethink giving consent.

This article is republished from The Conversation by Sabrina Rau, Senior Research Officer, University of Essex under a Creative Commons license. Read the original article.
