Forced Consent: How tech companies manipulate users into giving away their data

It’s not just the usual suspects in the social media world cashing in on your private information. A huge range of businesses, including paid services like Uber and Netflix, are in on the action. The global big data and business analytics market was valued at 169 billion U.S. dollars in 2018 and is expected to grow to 274 billion U.S. dollars in 2022. With so much money at stake in data processing, it's easy to see why Big Tech is would be so reluctant to relinquish their control over your info – even when obligated by law.

But how are they allowed to use MY data? You might ask. Well, you gave us permission to, they’d respond. And they’d technically be right: you have almost certainly agreed to dozens or hundreds of Terms of Use agreements in which you consent to companies tracking your data and using it for pretty much anything they want…

…but you might not remember doing so: for the average individual, service agreements and terms-of-use policies are impenetrable. Long and boring by design, it would take around 250 hours – more than 25 full working days alone – for the average Internet user to read every privacy policy they have unwittingly agreed to. Most of us just click accept and get on with it, but can you really call that informed consent?

Worse still, most of them are “take-it-or-leave-it” agreements: either consent to data mining or hit the bricks. This practice essentially amounts to coercion. When the only way to use a service is to opt-in to data-mining, what recourse does a person the private user have? When someone’s livelihood depends on using online services with a monopolistic influence on modern life, what choice do they have but to agree?

Facebook has argued that processing user data is essential to its services’ functionality. If true, that would provide solid legal basis for their take-it-or-leave it approach. We would argue Facebook doesn’t need to process your data to function as a messaging app, but the courts have yet to rule on the many legal challenges brought by advocacy groups. France recently slapped Google with a $57M fine for one such overreach, establishing a precedent that forced consent is anything but “freely given.”

That French action was a result of landmark legislation known as the General Data Protection Regulation (GDPR): the single biggest blow to the tech sector’s data-mining operation in the modern era. A rare win for the average person, the GDPR seeks to reign in some of Silicon Valley’s more egregious practices related to the collection, storage, and processing of user data. Passed by the European Union in 2016 and in effect as of 2018, the GDPR imposes strict fines on any company found to be in violation of its many articles and resolutions.

In order to continue operations within the EU, tech companies around the globe hurried to update their terms-of-service, privacy policies, and platforms to avoid running afoul of the GDPR’s strict regulations. Whereas it was once more profitable to risk non-compliance with existing restrictions, and pay nominal fines, the GDPR’s adjusted penalties suddenly set the tech world scrambling to stay within the bounds of the law. However, as is the case with any legal document, grey-areas, and language open to interpretation have left loopholes that giants like Amazon and Google are happy to exploit. 

Contrary to popular belief, the GDPR does not require users’ consent to data processing for companies to collect, store, or use their data. Consent is just one of six legal justifications outlined in Article 6 for data collections and processings, including:

1. Processing is necessary to satisfy a contract to which the data subject is a party.

2. You need to process the data to comply with a legal obligation.

3. You need to process the data to save somebody’s life.

4. Processing is necessary to perform a task in the public interest or to carry out some official function.

5. You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.

When a company is unable to meet any of the above requirements, the sixth option, to obtain consent, is their only choice. But according to the letter of the law, the definition of consent comes with some very important specifications. The GDPR clearly states in Article 4(11):

“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Article 7 further expands on the conditions of consent:

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Layered under all that legalese, the pivotal phrase “freely given” makes all the difference when discussing consent. For consent to be considered freely given it must be “specific, informed and unambiguous.” Yet big tech companies aren’t eager to make it so easy: they bury key terms deep within ToS agreements that are, on average, longer than the US Bill of Rights. It is, apparently, almost twice as complex to use Microsoft Windows as it is to lay out a form of governance that has endured for 250 years.

Another important aspect of consent is the concept that consent can be withdrawn as easily as it is given. The GDPR explicitly demands as much. But can you remember the last time any service, paid or free, asked if you were still interested in sharing your data? Or made it easy to find the settings menu where you could possibly manage some such settings? Withdrawing your consent and retrieving your data from these companies is harder than dropping Sauron’s ring into Mount Doom, or (even worse) canceling a gym membership.

The truth is your browsing data, interests, and habits will continue to be preyed upon, regardless of small legislative wins, because multi-billion-dollar business models have been built upon it. Tracking pixels on almost every site builds files on netizens, recording their spending habits, their aspirations, and even their sex lives. 

All we ask is honest and transparent data policies, and the opportunity to take your data back if you want to. Yorba believes that what you do behind closed doors is between you and your god. Consent is sexy, but an economy built on coerced surveillance isn’t.