21 April 2017
Take, for example, the recent story on The Register of a man from Chicago who is suing Bose, the high-end audio equipment maker, for alleged data slurping that amounts to an invasion of privacy and “intrusion on seclusion”.
Kyle Zak bought a not inexpensive set of wireless headphones from the well-known maker that came with a smartphone control application.
Zak later discovered that the application relayed data about the kind of songs being listened to, for how long and when, along with a personal identifier. This information, the suit alleges, is being shared with third parties, and it names a company called Segment.io specifically.
The story on The Register quotes the court documents which state:
“Plaintiff Zak never provided his consent to Bose to monitor, collect, and transmit his Media Information. Nor did Plaintiff ever provide his consent to Bose to disclose his Media Information to any third party, let alone data miner Segment.io.”
However, the chaps at El Reg, being the diligent journalists they are, investigated further and found that the Bose application in its documentation does indeed detail what data is collected and the fact that it is sent to third parties. Not only that, the downloading and use of the application implies consent to the terms and conditions. The story even points out a section of the terms and conditions entitled “How we share information with Third Parties”.
The success of Zak’s case is far from certain, but it does highlight a number of issues that are likely to change, at least this side of the water, in the near future under the shadow of GDPR.
Implied consent for this kind of data gathering is no longer acceptable. Explicit consent, however that is achieved, is now necessary.
Recital 32 of the GDPR states:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
“This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
“Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
There are quite a few points of note here at odds with previous experience, but most notably:
“Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
So what should be done when a consumer hands over several hundred units of their hard-earned cash for a device, only to find that by taking it out of the box and setting it up for its intended use, they have agreed to terms and conditions which gather an intrusive level of data that is shared with third parties?
Should there be a warning label on the box that says, ‘by using this product as intended, you give up rights to your usage data’?
How would it work if such warnings were included on a piece of enterprise software, or a service, before purchase?
Would anyone, consumer or business, be willing to use such products if they knew beforehand the level of data gathering that must be consented to in order to use the product or service?
GDPR will remove ambiguity from many such practices, and organisations and users alike should be aware of both the power such changes confer and their respective responsibilities.
For my part, I’d be pretty disgusted if, having spent a lot of money on a high-end audio device, I also had to agree to it spying on me. How long and how often I listen to Royal Blood, Chvrches, Lana Del Rey and the Handsome Family is no one’s business but my own.
As said, I’d not be certain of Zak’s success in pursuing this case in the US, but after 25 May 2017, the odds would be a lot shorter for such a case on this side of the Atlantic.