poster
Privacy (GDPR)

Abusive by Design: Part 2. Make Consent Informed Again

Abusive by Design: Part 2. Make Consent Informed Again

In the previous article in the series, I wrote about the pros and cons of regulating design. Some points led to the problems design can create, but it remained unclear what could be wrong with design at all. I made it for a reason: this part of the 'Abusive by Design' series will address the content of requirements to design and gives a few tips on how to create a user-friendly legal framework on a website.

Let me start with the importance of the legal effect of a user agreement, then describe the way how to keep it legally valid, and end with the privacy design requirements.

Why Bother Reading Terms of Use?

The major concern for the way how providers design their services is the legal effects they create. When we visit a website or application with some functionality or contact forms, we enter into a contract with the platform controller.

The agreement sets the obligations on how to behave properly on the platform, to not conduct illegal activities, such as piracy, use of malware or hate speech. The platform provider covers its legal risks and tries to exempt itself from any responsibility connected to the possible damages to the end-user.

Also, policies and notices inform on the use of information about us online - how the provider collects data, what the purposes and what our rights regarding this are.

What is more interesting, those terms and conditions are legally enforceable. As a quick example, LinkedIn managed to sue a company Robocog for a $40,000 in damages for the violation of LinkedIn's Terms of Use in 2014. Robocog used to scrap the data from the business online network, which was prohibited by the Terms of Use. The prohibition helped Linkedin to successfully charge Robocog. If this isn’t the reason to read user agreements, what is?

However, ambiguous or unclear policies and design can create a problem for the provider. If the UI/UX and documents were designed poorly, its legal effects can vanish into thin air - no $40,000 check at the end of the day.

We are used to neglecting the User Agreement and Privacy Policy of online platforms. Partly this happens because the providers make us do so - nobody wants to get into details of the enormous legalistic documents before installing a simple piece of software.

Keep It Transparent

The task of keeping user agreement and notices legally enforceable turned out to be challenging. The main legal concerns that UI/UX is dealing with are:

  1. how a service provider informus about the services or features. This part deals with the transparency of online platforms and the fairness of its features. Are we aware of acceptable conduct on a platform? Do we know our rights? (Some people do not believe they have rights on websites at all)
  2. how we conclude an agreement with a services provider and give our consent to its activities. This part deals with checkboxes, location of the section 'Legal' on a website, and verification of the user. The agreement is closely linked to the first concern (information), which serves a core prerequisite for any consent or contract.

The activities we usually consent to can include email newsletters, online tracking by cookies, personalized advertising or downloading unnecessary software on your device 

A consent, even if verified by the proper signature, can be held invalid by the court under circumstances of pressure or lack of necessary information. Confirmed by Immanuel Kant back in the 19th century, the consent will be legally valid under two conditions: information and free will.

Information

User must be properly informed about all significant details of the service and its legal consequences.

The digital design should present important information in an easily accessible and intelligible form. Use of clear and plain language, which can be understood even by a child, becomes a core requirement. Unfortunately, there are not many existing Terms or Policies that I could refer to. Vague statements, which do not clearly explain the terms of the agreement and the person's capabilities, won't lead to a valid agreement.

On the other hand, misinformation spoils user consent as much as lack of information or its poor quality. There must be no actual or implied lie about the legal consequences of the agreement.

Often, User Agreements do not fully inform the user on all business intentions of the provider (e.g., to sell the customer data) to prevent users from refusing certain features. Moreover, there are some cases, where online platforms are willing to tell the customers about safeguards which they don't necessarily have.

There was a recent case in the U.S. with four companies targeting EU customers. To facilitate trust in the services, the companies put a specific seal on their websites and mentioned that they either got or underwent a specific data protection certification (EU-U.S. Privacy Shield). In fact, none of these companies actually did that. The case resulted in the enforcement action from the U.S. regulator, negative public attention to the companies and breach of trust between them and the EU customers. 

Another difficulty for providers is to keep the information plain and short and avoid misrepresentation or incompleteness at the same time. The severity of the problem increases with small screens of smartphones - you should set out a huge amount of information in a very limited space. In this case, the use of a layered format can help. While giving a user a few lines of the most important points (e.g., purposes of data collection and user rights), the design can provide a link for the full version of the legal statements.

Free Will

A freely-given consent means there was no physical or moral influence (at least, illegal) on the person's will.

Assume you, as a service provider, collect user data, which is not necessary for running the platform. You consulted a lawyer, and she told you that you had to obtain user consent for that. If you design 'pre-ticked' checkboxes or create a wall 'Agree or Leave' before the user can use your website to increase consent rate, the consent is not likely to be freely given. Especially in the EU, regulators see it as an illegitimate pressure.

A silent behaviour of a person entering the website does not necessarily mean she/he is happy with the legalese that the provider put on the footer. Often it requires an action from the user, an active indication of one's wishes.

At the same time, different service features might require several consents to be obtained from the user. Without a good design solution, this may lead to a catastrophic amount of consent checkboxes. The user will probably be dazed and simply give up the whole process of decision making. As a result, the company has reduced traffic rates and can be punished for failing to be transparent.

Things get more complicated with the use of dark patterns (also known as nudges). By using invisible psychological tricks, design can nudge us to consent to annoying advertising or even pay the subscription fee against our actual will or without reading carefully the conditions. There are several techniques to do that, which I will describe in detail in the next article.

Souce: https://pixabay.com

A common business practice can, in fact, be an illegitimate pressure on the user. Don’t you believe me? In its recent guidance on cookies, a British data protection regulator warned, that even emphasizing 'agree' over 'reject' button (e.g. by the contrast of green and grey colours, use of boldface, different font sizes or by hiding the negative option) will be a violation of freely given consent. 

Example of the EU

The European Union has a good example to follow: the General Data Protection Regulation (GDPR), one of the complex and detailed legislative acts that concern the digital environment. Digitally oriented, the GDPR creates a framework of robust transparency and accountability with implications for UX:

Fairness and Transparency

Fairness and transparency are entrenched as one of the core principles for customer data collection. In practice, this regulates how the design communicates with its users on legal details of personal data use and user rights regarding it.

Covert data collection practices are prohibited, as well as the use of sophisticated, vague terms or jargon. To facilitate understanding of company's practices, the EU data protection board explicitly suggests the use of icons, graphs, audio, and video forms, and even QR-codes for the cases where it is difficult to present text. It even shares its views on the accessibility of legal documents and data choices - the user should get them in two clicks.

The timing of notification is also important. As you may know, the data collection does not happen only once - it accompanies us through the whole use of the services. The GDPR requires informing the users at the time of collection, which implies an ongoing interaction with them.

To read more: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227

Consent and Data Rights

Consent requirements, which are similar to described afore, but are more detailed, and protection of 'data rights' of individuals call companies to develop specific tools for the users.

It can be a 'privacy dashboard' or privacy settings, which allow the user to simply and quickly withdraw his/her consent, access the data collected, adjust the publicly available information or erase unnecessary details.

To read more: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051

by Design

Finally, Art. 25 of the GDPR requires a provider to apply 'privacy by design' and 'privacy by default' principles. In short, the first principle lies in embedding privacy in the service's DNA from the early stages of service development, using all necessary technical and organizational protection measures.

The second requires that the provider collect only strictly necessary information from the user by default - and for additional activities obtain the user consent. On the example of social networks, this also means that data sharing or publication of user details must be off unless he/she decides otherwise.

Thus, the European community acknowledges that digital design can affect the decisions of individuals - and they want service providers to be fair with its audience.

To read more: https://www.datatilsynet.no/en/regulations-and-tools/guidelines/data-protection-by-design-and-by-default/

Conclusion

As we see, digital design directly correspondswithtransparency and fairness, the provider's direct obligations before users. Design of user choices and legal docs must involve a close collaboration of legal and design professionals, which ensures the user-friendly consent collection with a reliable legal back-end.

In the last part of this series, I will aggregate some examples of how design and abusive practices affect our choices - something that the platform provider better refrain from.

Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.

Vlad Nekrutenko, CIPP/E
Privacy Lawyer at Legal Nodes

Need a lawyer in this area?

avatarchecked

Vlad

Ukraine

3 years in data protection

Experience
Vlad is a data privacy enthusiast and expert in the GDPR compliance. He possesses IAPP...
choose
choose

Legal Nodes Blog

For Startups
Ultimate guide to connecting Virtual Data Protection Officer

Connecting Virtual DPO can greatly reduce start-up’s data protection costs. This article explains who the Data Protection Officer is, why you should consider outsourcing DPO services, and how to pick one that matches the needs of your business....

Legal Nodes Team
Privacy (GDPR)
Cookie Policy: How to Track Website Users Lawfully

The recent study of the Nederlandse Omroep Stichting (the ‘NOS’), a Dutch news media, showed that more than 1,300 Dutch websites violate the privacy of their users. The violation found by the NOS is simple - the users cannot use the websites wit...

Legal Nodes Team
For Startups
Why Your Startup Needs a Founders' Agreement + Template 2021

Founders Agreement – the key step to set clear intentions for you and your partners and to avoid misunderstandings in the future. In a new post on the Legal Nodes blog, we explain what a Founders Agreement is, reasons for your startup to prepare...

Legal Nodes Team
For Startups
Terms of Use that your users will actually read

In this article Legal Nodes Team talks about Terms of Use, how to write them effectively and why you need them in the first place. You could find a FREE template at the end of this article....

Legal Nodes Team
Privacy (GDPR)
How Can You Leverage a Privacy Kit More Effectively?

In this article, Punit Bhatia, a leading privacy expert, shares how small businesses can become privacy compliant by using Privacy Kits in an effective and why just branding the documents and templates in name of your company is not a good idea....

Punit Bhatia
Legal Nodes Updates
Legal Nodes in 2020: A Year in Review

Despite the fact that for many 2020 will be strongly associated with the coronavirus pandemic and lockdown measures, it would be a mistake to forget all the good things that happened this year. Especially when the festive season approaches, and ...

Legal Nodes Team
Privacy (GDPR)
Internet data mining. Is it legal in the EU?

Data mining is the process of collecting and analyzing human-readable data for own purposes. More and more businesses are built on that concept, scientists and medics also use automatically combined data from different sources to spawn predictio...

Ewa Wojnarska-Krajewska
Privacy (GDPR)
11 simple (but complete) steps towards the GDPR compliance in 2020

The GDPR can be a wake-up call to sort out your processes, procedures and technology and thereby run a more successful organisation. Data is now more essential than ever, regardless of your activities or market sector. Not only will efficiencies...

Thomas Hayes
Contract Work
Force Majeure Clauses and the Effect of Coronavirus on Businesses

The coronavirus pandemic has made force majeure clauses one of the hottest legal topics worldwide. To help businesses navigate this issue, we asked Tom Bohills, an English qualified lawyer and the Founder of Chronos Law, to explain the backgrou...

Tom Bohills