Consent or Control: How to Make Informed Choices About Your Personal Data

In our digital age, our personal data is frequently shared and used without our knowledge or consent.

This raises important questions like "who controls my data?" and "how can I make informed choices about its use?". In this post, we'll examine different data sharing and consent models and discuss how you can take control of your data to protect your privacy.

Personal data is becoming more and more valuable. Do you think you are fairly compensated for the use of your data? How can we prevent consent models from being exploited by those that seek to profit from our personal information?

To ensure that individuals are fairly compensated for the use of their personal data, we need clear and transparent rules for data sharing and consent. Through robust regulatory mechanisms, we can ensure that individuals are fairly compensated for the use of their data and have control over how it is used.

By the way, if you are enjoying Practical Privacy Matters, you should check out my new book Privacy by Design: The Practitioner's Handbook. You can subscribe to read the latest chapters as they are released - all for free! It?is packed with the latest insights, best practices, and expert analysis to help you navigate the complex world of data. Check it out!

Requiring explicit and informed consent

There are several different models for data sharing and consent that have emerged in the digital age. These include:

1. Opt-in model: Individuals are asked to actively consent to the collection and use of their personal data. They must take an affirmative action, such as clicking a button or checking a box, to indicate their agreement.
2. Opt-out model: Individuals are assumed to consent to the collection and use of their personal data unless they take specific steps to opt out. This may involve clicking a button or checking a box to indicate that they do not want their data to be shared.
3. Implied consent model: Individuals are assumed to have consented to the collection and use of their personal data based on their actions or inaction. For example, if an individual continues to use a website or app without adjusting their privacy settings, it may be assumed that they have consented to the collection and use of their data.

The opt-in model of data sharing and consent is designed to give individuals more control over their personal data and to ensure that they are fairly compensated for its use. This means that they must take an affirmative action, such as clicking a button or checking a box, to indicate their agreement.

The opt-in model retains fairness to users in 3 ways:

1. It gives individuals the power to choose: Under the opt-in model, individuals are given the opportunity to make an informed choice about whether to share their personal data. This allows them to weigh the potential benefits and risks of sharing their data and to make a decision that is in their own best interests.
2. It ensures that individuals are aware of their rights: By requiring individuals to actively consent to the collection and use of their personal data, the opt-in model helps to ensure that they are aware of their rights and can make informed choices about whether to share their data.
3. It allows for fair compensation: If an individual agrees to share their personal data under the opt-in model, they may be offered fair compensation in return. This could take the form of access to features or functionality, relevant benefits, direct monetary payments, discounts and many other forms of value.

To implement an opt-in model as you're designing your user experiences, make sure that individuals are aware of and understand the purposes for which their personal data will be collected and used. This includes providing clear and concise information about how their data will be used, and obtaining their explicit consent before collecting or using their personal data.

Giving individuals the ability to access, correct, and delete their personal data

Provide individuals with clear and easy-to-understand information and tools to exercise their rights with respect to their personal data. This includes providing them with access to their personal data, and giving them the ability to correct or delete any inaccuracies or outdated information.

If an individual chooses not to share their personal data, respect this decision and do not try to pressure or coerce them into changing their mind. This helps to build trust in the opt-in model by showing that you value individuals' privacy.

Consider the following:

• Is your privacy policy clear and concise? Your privacy policy should be written in plain language that is easily accessible to all individuals.
• Are you explaining the specific purposes for which personal data is being collected and how it will be used?
• How do you facilitate data subject access requests? You should provide a mechanism to make a request to access all the personal data held about an individual.
• Do you have a clearly listed privacy contact? This person should be responsible for assisting individuals with requests to understand their rights and how to exercise them.
• What privacy settings do you provide? If your application or service allows a user to login, you can embed your solutions to these questions in alongside easy-to-understand instructions for following them.

Enforcing data protetion through regulatory mechanisms

As regulatory frameworks continue to evolve, the guidelines for data collection and use are maturing, and the penalties for organisations that violate these rules are increasing.

• In Australia, since 2022, the penalty for a serious or repeated breach of privacy has been increased to the greater of AU$50 million, 3X the benefit obtained through the violation, or 30% of domestic revenues in the relevant period.
• In California, the CPRA, which is effective in 2023, brings penalties ranging from US$100 to $7500 per violation.
• Amazon was fined €746 million by the Luxembourg National Commission for Data Protection for violations of the consent model in Amazon's targeted advertising system.

The establishment of these guidelines and penalties, and enforcement of such, aims to deter organisations from acting against the interests of individuals with respect to their personal data.

Data sharing and consent are crucial issues that affect individuals and society as a whole. To strike the right balance between data sharing and privacy protection, we need clear and transparent rules for data collection and use, fair compensation for the value that personal data generates, and the regulatory mechanisms in place for enforcement.

By doing so, we can protect individual privacy and allow for the true benefits of data to be realised.

If you want to learn more about data sharing and consent, and how to establish fair and transparent rules for personal data ownership and control, join Practical Data Privacy, the Slack community for privacy and technology professionals. https://practicaldp.com