From legimacy to informed consent: mapping best pracces and idenfying risks A report from the Working Group on Consumer Consent May 2009 PEN paper 3 About the Working Group The Working Group on Consumer Consent is a project convened by the Information Systems & Innovation Group of the London School of Economics and Political Science and administered by 80/20 Thinking Ltd, based in London UK. The Working Group aims to bring together key industry players, consumer experts and regulators to achieve the following goals: • To better understand the implications of the Article 29 Working Party Opinion on data protection issues related to search engines (April 2008) and its potential impact on the processing of personal information in the non-search sectors. • To foster dialogue between key stakeholders to map current practices relating to notification and consent. • To inform regulators about limitations and opportunities in models and techniques for informed consent for the processing of personal information. • To help inform all stakeholders on aspects of the pending Article 29 Opinion on targeted advertising planned in 2009. Membership The members of the Working Group included: AOL, BT, Covington & Burling, eBay, Enterprise Privacy Group, Facebook, the Future of Privacy Forum, Garlik, Microsoft, Speechly Bircham, Vodafone, and Yahoo! We also sought comments from a number of privacy commissioners and regulators from across Europe. Methodology, Meetings, and Outreach We have been actively engaging with policy-makers and regulators since the creation of the group. This networking not only enhances the quality of the research, but also goes some way to identify and prepare the audience for our discussion papers. We have liaised with Parliamentarians in Europe and in the UK, staff members of regulators offices across Europe, and spoken at more than a dozen conferences and countless meetings since our last update. We have also met with nearly every group member, often on-site, and sometimes involving in- depth discussions regarding privacy practices across their services, to discuss the pressing problems, the key experiences, and lessons. All of the feedback from these experiences has fed into our own work, resulting in our discussion papers. 2 The sections on the Article 29 Opinion and on the general issues relating to online Consent were drafted primarily by the teams at LSE and 80/20 Thinking. The section on ‘informed consent’ was drafted by Speechly Bircham, and the section on children and consent was drafted by Covington & Burling. All drafts were circulated to the full membership for their review and commentary, and comments were fed back into the final versions. 3 Table of Contents EXECUTIVE SUMMARY ........................................................................................................................................6 BACKGROUND TO THIS PROJECT ....................................................................................................................8 THE WORKING PARTY OPINION ON SEARCH ENGINES AND INFORMATION SOCIETY SERVICES ...................................8 LEGAL FRAMEWORK .................................................................................................................................................................9 SUMMARY OF RELEVANT POINTS RAISED IN THE OPINION ..............................................................................................10 CONCLUSIONS ...........................................................................................................................................................................12 SECTION I: PROBLEMS WITH CONSENT ....................................................................................................13 CHALLENGES OF MANAGING CONSENT ONLINE ...................................................................................................................14 READABILITY & USABILITY ...................................................................................................................................................14 VERIFIABILITY OF CONSENT ..................................................................................................................................................15 CUSTODIANSHIP OF DATA .......................................................................................................................................................16 THIRD PARTY ACCOUNTABILITY ............................................................................................................................................18 SIGNALING OF CONSENT .........................................................................................................................................................18 Opt­in versus opt­out ........................................................................................................................................................19 MANAGING CONSENT ONLINE: OPPORTUNITIES ....................................................................................20 FACEBOOK: FROM BEACON TO CONNECT ............................................................................................................................21 ENHANCED OPT‐OUT COOKIES? ............................................................................................................................................22 EBAY: ON AD NOTICE FOR INCREASED USER AWARENESS .................................................................................................23 MICROSOFT HEALTH VAULT: GRANULARITY OF ACCESS ...................................................................................................24 BLUEKAI: USER CONTROL OVER ADVERTISING CATEGORIES OF INTEREST .....................................................................24 GOOGLE DASHBOARD ..............................................................................................................................................................25 CONCLUSION ............................................................................................................................................................................25 SECTION II: KEY PRINCIPLES OF ‘INFORMED CONSENT’ ......................................................................26 INDUSTRY EXAMPLES (COMMERCIAL IN CONFIDENCE) .....................................................................................................29 DISNEY ......................................................................................................................................................................................29 PHORM ......................................................................................................................................................................................30 EXPEDIA ...................................................................................................................................................................................31 ECCLESIASTICAL ......................................................................................................................................................................32 ELECTRONIC ARTS (TRUSTE VERIFIED) ............................................................................................................................33 MSN ..........................................................................................................................................................................................33 SECOND LIFE ............................................................................................................................................................................34 HOME OFFICE ..........................................................................................................................................................................35 PAYPAL ......................................................................................................................................................................................35 PIPEX .........................................................................................................................................................................................35 AOL ...........................................................................................................................................................................................36 ROYAL BANK OF SCOTLAND ...................................................................................................................................................37 FIDELITY ...................................................................................................................................................................................37 CONCLUSIONS ...........................................................................................................................................................................38 SECTION III. MINORS AND ONLINE CONSENT ..........................................................................................39 INTRODUCTION ........................................................................................................................................................................39 ‘CONSENT’ UNDER EUROPEAN FRAMEWORK LEGISLATION .............................................................................................39 THE ARTICLE 29