Can I Opt Out of Opting In? Location Data and the Consent Conundrum
While consent is often seen as the "magic bullet" for use of personal data, location data, etc., companies seeking to offer services on mobile smartphones need to ensure that the consent they are relying on is "good consent" from a legal point of view.
Where a service provider ("SP") collects location data from a user, EU and UK law states that the SP needs the consent of the user to do so (in the majority of situations). Location data is any data that indicates the geographical position of the terminal equipment, for example a smartphone, of a user. Popular mobile applications such as Google Maps, Facebook Places and Voucher Cloud all request the user to consent to use by the SP of their location data, which the user may be happy to provide in order to take full advantage of the software. This relationship appears straightforward, but the question of how the user should grant consent can create great confusion. Does the wording of the consent have implications for how the data can be used? If the user fails to "opt out" of providing their location data, have they consented to providing it? How can both parties be certain they know how the data can be used?
There are some common misconceptions as to what constitutes valid consent from a user. One particular area of difficulty surrounds "opting in" or "opting out" of supplying data. A typical example of wording an SP could use to indicate "opt in" consent from a user would be:
"Please tick the box to indicate that you consent to Software X using your location."
A typical example of "opt out" wording would be:
"Please tick this box if you do not wish Software X to use your location."
Some believe that if a user "opts in" to using a service then they have, by definition, consented to providing their data to the SP and for the SP in question to then do with it as they wish. Traditionally, marketers have favoured "opt out" wording, presumably because they believed that most users didn't read such notices properly so, in not ticking the box, provided their consent by default.
In the above examples, do you think that "opting in" is more likely to evidence valid consent than "opting out"? Do they both show valid consent or could they both fail to indicate consent? The answer, as is unfortunately the case with many legal questions, is: "it depends".
The Information Commissioner's Office guidance on consent, and on "opting out" in particular, states: "The fact that someone has had an opportunity to object which they have not taken only means that they have not objected. It does not mean that they have consented." Does this mean that SPs should instead use "opt in" wording and avoid "opt out" wording at all costs? Again, not necessarily. The ICO guidance states: "In context, failing to indicate objection may be part of the mechanism whereby a person indicates consent."
This may sound confusing, but in fact the concept of consent is quite straightforward. In common with use of other types of user data, consent from the user must be freely given, specific, informed and prior to the disclosure and use of data. As long as the SP can show that the user has freely given prior, specific and informed consent, phrasing the consent in terms of either "opt in" or "opt out" wording should not matter in practice. The overriding consideration is for the user to fully appreciate that they are consenting and to fully appreciate what they are consenting to.
What this means in practice is that "catch all" wording seeking general consent from the user is unlikely to constitute a valid indication of consent in the vast majority of cases.
For example, the following text is typically displayed the first time that iOS apps are used:
"'XYZ' Would Like to Use Your Current Location"
The user is then presented with two buttons - "Don't Allow" and "OK".
The question as to what "Use" means in this context is an interesting one, and it is possible that the SP and the user may have differing views as to the meaning they apply. Without further information, the SP would be wise to take a narrow interpretation of what has actually been sanctioned by the clicking of the "OK" button.
When considering whether a user has consented to the use of their data in a particular way, think: “would the consenting user be surprised to know that their location data is being used in this way?” For example, the user may have consented to their location data being used by an application that names nearby restaurants, but have they also specifically consented for this data to be used for targeted advertising about a special offer at a local clothing shop? It may be "obvious" that the SP should not collect and sell the data to third parties, but what may not be quite so clear is the extent to which the SP can use such data itself for purposes other than as strictly required for the provision of the particular service that the user has agreed to purchase. If the user knew that their user data would be used in this way, would they have provided their consent in the first place?
The user must also be able to withdraw their consent at any time. The SP is obliged to make the user aware of this fact and to make the process of withdrawal free and simple. The SP can also make provision for suspension of consent for a limited and specified period of time as long as there is an absolute termination right.
One surprising aspect of the law in this area is that, according to the Privacy and Electronic Communications (EC Directive) Regulations 2003, users must sometimes be provided with an opportunity to withdraw their consent on each connection to the network or each transmission of a communication. It is unclear how strictly this may be interpreted – for example, is it enough that users are made aware they can withdraw consent by turning off location data in their mobile device's settings or should they be prompted to confirm consent every time they launch the software? In practical terms this may be sufficient. However, as there is no specific guidance on this issue, SPs should consider how and when they request consent with caution.
Consequently, while SPs can largely put questions about whether it is better to "opt in" or "opt out" to the back of their mind, they should concentrate instead on specifically informing users about the types of location data that will be collected, the purposes for which it will be used and, where relevant, if data will be transmitted to a third party to provide the service. Only once the user knows this can they really be said to have given valid consent to use of their location data.
Users have their role too – read the notices from the SPs and if you're not happy, don't consent. If you do consent, don't forget that it can always be withdrawn.
"While the precise mechanism may be open to debate, companies seeking to rely upon user consent will need to ensure that they can genuinely show that any use of location data is sanctioned by the consent they have actually obtained. Where only limited information is provided this will be difficult to achieve."
"Do you think that "opting in" is more likely to evidence valid consent than "opting out"?"