Are click-through consents legally sufficient for privacy and data-sharing agreements?

In the era of digital transactions and online platforms, most services rely on click-through consents where consumers agree to the privacy policies and data-sharing terms by simply clicking a button. While these click-through agreements have become a standard practice, the question arises: Are they legally sufficient to bind consumers, especially under stringent privacy laws like the Personal Data Protection Bill (PDPB) and global standards like the General Data Protection Regulation (GDPR)? In India, these agreements must comply with various legal requirements to be enforceable and ensure that consumers' privacy rights are respected.

Legal Framework Governing Click-Through Consents

Personal Data Protection Bill, 2019 (PDPB)

The PDPB is India’s attempt at creating a robust framework for data protection and privacy. It aims to regulate the processing of personal data and protect individuals’ rights with respect to their data. According to this bill:

• Informed Consent: The PDPB mandates that data subjects (users) must give informed consent before their data is collected or processed. Click-through consents must meet the informed consent standard, meaning the user must be fully aware of what they are consenting to.
• Clear and Understandable Terms: The privacy policy or data-sharing agreement should be written in clear, simple language, and consumers should be able to easily understand how their data will be used, shared, or processed. Click-through consents cannot be valid if they are buried in complex legal jargon or if users are not adequately informed.
• Granular Consent: Consent must be granular, meaning users should be able to consent to different types of data processing separately, rather than giving blanket approval for all types of data collection or sharing.

Consumer Protection (E-Commerce) Rules, 2020

The Consumer Protection Rules for E-Commerce require platforms to clearly communicate their privacy policies and data-sharing terms to consumers. Platforms must ensure that consent for data collection is given voluntarily and with full knowledge of what the user is agreeing to.

• Transparency and Accessibility: E-commerce platforms must make privacy policies and terms of service easily accessible and understandable. This includes ensuring that click-through agreements are not vague or misleading and that consumers have the option to read the policies in full before agreeing.
• Opt-In Consent: Platforms must adopt an opt-in model where consumers must actively express consent, as opposed to opt-out or pre-ticked boxes that could imply consent without active participation from the consumer.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

These rules, under the Information Technology Act, 2000, set out guidelines for the collection, storage, and processing of sensitive personal data. Platforms that deal with sensitive data (e.g., financial, health, biometric data) must obtain explicit consent from consumers, and click-through consents must comply with these provisions.

• Sensitive Data: Platforms must make clear the types of sensitive data being collected and how they will be used, stored, and shared. Consent for this type of data collection requires special attention to ensure that it is informed and voluntary.

General Data Protection Regulation (GDPR)

If a platform deals with consumers in the European Union, it must also comply with the GDPR, which sets high standards for consent:

• Affirmative Action: According to the GDPR, consent must be freely given, specific, informed, and unambiguous. A click-through consent should involve an affirmative action (e.g., a check-box or button), and pre-ticked boxes or silence cannot be considered valid consent.
• Right to Withdraw: Users must be informed that they can withdraw their consent at any time, and the process of withdrawal must be simple and accessible.

Key Considerations for Legally Sufficient Click-Through Consent

Clarity and Transparency

The language of the click-through consent must be clear and easily understandable to the consumer. If the consumer cannot easily comprehend what they are agreeing to, the consent may not be considered valid.

• Plain Language: Complex or technical terms should be avoided or explained in simple terms. For example, using terms like third-party data sharing or cross-border data transfer should be clarified, especially if the consumer is not familiar with these concepts.
• Summaries or Highlights: Key points, such as how data will be used or shared, should be highlighted or summarized before the full terms are presented, ensuring that the consumer understands the critical aspects of their consent.

Granularity of Consent

Informed consent should allow for granular choices. This means the consumer should be able to choose which types of data they are comfortable sharing and for what purpose. For example, consumers should have the option to consent to data being used for marketing purposes separately from data being used for service improvement.

Right to Review and Withdraw Consent

Consumers must have the right to review the terms of the privacy policy and data-sharing agreement before agreeing, and they must be made aware that they can withdraw their consent at any time.

The process to withdraw consent should be as simple as providing consent, and platforms must not make it difficult to revoke consent after the agreement is made.

Time and Frequency of Consent

The click-through consent should not be forced as part of a mandatory step without giving users sufficient time to read and understand the terms. Additionally, platforms should obtain consent at regular intervals if the nature of data processing changes or if new data-sharing practices are introduced.

Enforceability of Click-Through Consent

Breach of Consent Terms

If a platform fails to meet the requirements for valid consent, it can face legal challenges from consumers or regulatory authorities. Breach of consent terms can lead to:

• Penalties under the PDPB or other consumer protection laws.
• Compensation for data breaches or violations of privacy rights.

Consumer Disputes

If a consumer feels that they were not properly informed or that the click-through consent was misleading or invalid, they can file a complaint with the Consumer Protection Authority or take the matter to consumer forums for dispute resolution.

Example Scenario:

A user signs up for an online shopping platform and clicks on the I Agree button, which indicates their consent to the platform’s privacy policy and data-sharing agreement. The platform collects personal data, including the user’s email, phone number, and location.

• Consumer Concern: The user later realizes that their data has been shared with third parties for marketing purposes without their clear consent, as the platform did not clearly outline how data would be shared or the extent of third-party access.
• Legal Action: The user files a complaint with the Consumer Protection Authority, arguing that the click-through consent was insufficient and not properly explained. The platform may be found liable for violating data protection rules.
• Outcome: The platform is asked to provide compensation and ensure that future consents meet legal standards by providing clear granular consent options and a simple withdrawal process.

Summary:

Click-through consents can be legally sufficient for privacy and data-sharing agreements if they meet specific requirements under laws like the Personal Data Protection Bill (PDPB) and consumer protection laws. However, for these consents to be enforceable, they must be informed, clear, voluntary, and granular. Platforms must ensure that users understand the terms they are agreeing to and can easily manage their consent preferences.