A few days ago I read this Tweet: “We always assume opt-in is stronger than opt-out. Often the reverse. Depends on information.”
I had never thought of the opt-in and opt-out regimes in this way but, after reading it, I realized that it is simply correct.
This may be why commercial communications (both direct marketing and advertising) are one of the fields in which the two opposing models, opt-in and opt-out, have always been set against each other: in these cases, in fact, the information involved is minimal, so the choice between the two methods is largely theoretical.
As is well known, under the opt-in model all processing for advertising purposes requires the data subject's prior, informed and explicit consent; the opt-out model instead relies on a kind of silent consent, so that processing is deemed lawful as long as the data subject, properly informed of the right to object, does not express the wish not to receive commercial communications.
In both models the information is minimal but paramount: in the first case the data subject is informed that the controller will use his personal data to send him advertising; in the second, that he may object to this kind of use.
The information is simple because it concerns a clear, specific purpose and therefore a well-defined processing operation.
So why have these two models been opposed to each other for so long?
Indeed, at the very beginning, even in Europe, the trend was clearly in favour of opt-out, as can be inferred from the text of Council of Europe Recommendation No. R (85) 20 on the protection of personal data used for the purposes of direct marketing, which provided for the "negative option" (a synonym of opt-out).
Later, the European legislator oscillated many times between the two principles.
Directive 97/7/EC on the protection of consumers in respect of distance contracts established, at Article 10, the opt-in principle only for automated calling systems without human intervention and fax, leaving the other means of distance communication under the opt-out principle.
Likewise, Directive 97/66/EC on the processing of personal data and the protection of privacy in the telecommunications sector, at Article 12 on unsolicited calls, allowed the use of automated calling systems without human intervention and fax for direct marketing only with the subscriber's prior consent, leaving each Member State to decide which consent model to adopt for other means of communication.
Directive 2000/31/EC on electronic commerce (the e-commerce Directive) adopted a hybrid system known as "preventive opt-out": without prejudice to the Directives mentioned above, Member States must take measures to ensure that service providers sending unsolicited commercial communications by electronic mail consult regularly, and respect, the opt-out registers in which natural persons who do not wish to receive such communications can register themselves. Preventive opt-out relies on so-called "black lists" or "Robinson lists", registers in which people may enter their names and thereby express a preventive and general refusal to receive commercial communications.
In Italy these registers were strongly opposed by the Italian DPA (for instance, the first draft of the legislative decree implementing the e-commerce Directive, which provided for the creation of a national register, was immediately attacked for "eccesso di delega" (excess of delegated powers), on the grounds that under the EU Directive and the Delegation Act the Italian legislator had no competence to introduce provisions on the processing of personal data in the field of electronic commerce). In 2010 (decree 178/2010) the RPO (Registro pubblico delle opposizioni) was finally established: a public register in which users can enrol in order not to receive telemarketing calls. In July 2011 (the so-called "decreto sviluppo") the opt-out system was extended to advertising sent by paper mail.
Finally, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the e-Privacy Directive) provides, at Article 13, that automated calling systems without human intervention, fax and e-mail may be used for direct marketing only in respect of subscribers who have given their prior consent. The same Article 13, at paragraph 2, introduces an exemption from opt-in for marketing addressed to customers the controller has already acquired (the so-called "soft opt-in").
Before the e-Privacy Directive was enacted, only five Member States had adopted the opt-in model, and in July 2001 the Committee on Civil Liberties, Justice and Home Affairs still put forward a proposal for a Directive based on the opt-out regime, under pressure from the UK and other States with a historically liberal socio-economic tradition.
The main reason for this big turnabout in favour of opt-in is probably the growing concern raised by spam but, whatever the reason, from that moment the gap between Europe and the U.S. on this issue has become irreconcilable.
If we add that large American Internet corporations base their profits on advertising, it is evident that the conflict can sometimes become very harsh.
The latest act of the saga concerns cookies used for online behavioural advertising.
In November 2009 the European Parliament and the Council adopted Directive 2009/136/EC, which revised, among other things, the e-Privacy Directive. One of the key changes concerns the mechanisms for storing information in the user's terminal device (i.e. cookies): the existing opt-out regime (the original text of Article 5(3) required only that the subscriber or user concerned be given clear and comprehensive information and the right to refuse) was replaced by a requirement of informed consent.
We may find the reasons for this radical change in the latest WP29 opinion (No. 16/2011[1]), which states that "many public surveys showed, and continue to show, that the average internet user is not aware that his/her behaviour is being tracked with the help of cookies or other unique identifiers, by whom or for what purpose". With this in mind, the opt-in solution reflects a growing concern that the technical possibilities to track individual internet behaviour over time and across different websites are rapidly increasing, while the possibilities offered to citizens to protect their private life and their personal data against this type of tracking are not keeping pace (especially considering the growth of mobile Internet access), and therefore need strong implementation.
In my humble opinion, what is happening on this matter is a shift from informed consent as a means of the data subject's self-determination (see WP29 Opinion 15/2011 on the definition of consent[2]) to a protectionist conception of data protection. Confirmation can be found in WP29's acceptance of browser default settings as a way to obtain consent, which is nothing more than an instance of privacy by design; according to the Working Party, in fact, browser settings are not an exception to Article 5(3) but a different, still valid, form of consent.
I do not agree with this interpretation. It seems to me that, like any other means of privacy by design, it is contrary to the self-determination principle: if consent is an essential aspect of the fundamental right to the protection of personal data and must be freely given, default browser settings that prevent the collection of behavioural data do not allow the data subject to exercise a real choice.
As the Working Party said in another document (see the working document on the processing of personal data relating to health in electronic health records[3]), "free consent means a voluntary decision, by an individual in possession of all of his faculties, taken in the absence of coercion of any kind".
How can we claim that a default setting is equivalent to free consent? Where is the user's voluntary decision? Is there not coercion in this case too, even if by the law rather than by the controller? What could a user do if he wants to receive targeted advertising from a specific provider (and therefore wants to specifically authorize that provider to track him)?
To date[4], national implementation of Article 5(3) of the e-Privacy Directive stands at about 50%, only 14 Member States having transposed it. Among these, only Austria, Latvia, Lithuania, Sweden and the UK require opt-in consent, whereas Finland, France, Hungary, Ireland, Luxembourg and the Slovak Republic have chosen to let the user give consent via browser or other application settings; in Portugal and Denmark, even though Directive 2009/136/EC has been implemented, Article 5(3) itself has not yet been transposed into national law; Estonia has concluded that the new rule is already satisfied by the Estonian Electronic Communications Act and that no further implementation measures are necessary.
In conclusion, just three remarks.
First, WP29 has clarified that consent is not required for every type of cookie, since cookies are used in different ways, for different purposes and with different requirements attached. Cookies exempted from informed consent include, for example, secure login session cookies, shopping basket cookies and security cookies.
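As an added example (not part of the original post), the two regimes described earlier and the exemption in the remark above can be expressed as a consent gate over Set-Cookie headers, of the kind a reverse proxy or application middleware would apply before a response reaches the browser. The cookie registry, cookie names, purpose labels and sample headers are hypothetical and constructed for the example; the "essential" entries mirror the exemptions the remark lists (login session, shopping basket, security), and the only tracking cookie is a behavioural-advertising one, the case the post discusses.

```javascript
// Added example, not from the original post. Registry, cookie names, purpose
// labels and sample headers are hypothetical/constructed.

// Which cookies the site sets, and whether each is exempt from consent.
// "essential" follows the exemption categories the post lists; everything
// else needs a lawful basis under the regime in force.
const REGISTRY = {
  sessionid: { purpose: "login-session",           essential: true },
  basket:    { purpose: "shopping-basket",         essential: true },
  csrftoken: { purpose: "security",                essential: true },
  adtrack:   { purpose: "behavioural-advertising", essential: false },
};

// consent = { regime: "opt-in" | "opt-out",
//             granted:  Set of purposes the user explicitly accepted,
//             objected: Set of purposes the user explicitly refused }
function cookieAllowed(name, consent, registry = REGISTRY) {
  const entry = registry[name];
  if (!entry) return false;           // unregistered cookie: fail closed
  if (entry.essential) return true;   // exempt from the consent requirement
  if (consent.regime === "opt-in") {
    // Silence is not consent: only an explicit grant lets the cookie through.
    return consent.granted.has(entry.purpose);
  }
  if (consent.regime === "opt-out") {
    // Silence counts as consent: only an explicit objection blocks it.
    return !consent.objected.has(entry.purpose);
  }
  return false;                       // unknown regime: fail closed
}

// Cookie name is everything before the first "=" of a Set-Cookie value.
function parseCookieName(setCookieHeader) {
  const eq = setCookieHeader.indexOf("=");
  return (eq === -1 ? setCookieHeader : setCookieHeader.slice(0, eq)).trim();
}

// Split upstream Set-Cookie headers into those that may be forwarded and
// those that must be stripped for this user's consent state.
function filterSetCookie(headers, consent, registry = REGISTRY) {
  const kept = [];
  const dropped = [];
  for (const h of headers) {
    (cookieAllowed(parseCookieName(h), consent, registry) ? kept : dropped).push(h);
  }
  return { kept, dropped };
}

// Constructed sample of an upstream response's Set-Cookie headers.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "basket=item42; Path=/; Secure",
  "csrftoken=deadbeef; Path=/; Secure; SameSite=Strict",
  "adtrack=u-9f3; Path=/; Secure; Max-Age=31536000",
  "mystery=1; Path=/",                 // not in the registry
];

// The same empty consent record, interpreted under each regime.
const silentOptIn  = { regime: "opt-in",  granted: new Set(), objected: new Set() };
const silentOptOut = { regime: "opt-out", granted: new Set(), objected: new Set() };

console.log("opt-in, no choice made:",  filterSetCookie(SAMPLE_HEADERS, silentOptIn));
console.log("opt-out, no choice made:", filterSetCookie(SAMPLE_HEADERS, silentOptOut));
```

With an empty consent record the opt-in gate forwards only the three exempt cookies and strips the advertising cookie, while the opt-out gate forwards the advertising cookie as well; the code differs in a single line per regime, which is the post's point that the two models are separated by how silence is read, not by the information given. Two practitioner choices are built in: a cookie that is not in the registry is dropped under either regime rather than waved through, and an unrecognised regime value also fails closed.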
Secondly, the revision of the data protection Directive should rethink the concept of consent, which was born as one of the six legal bases legitimating the processing of personal data but is now in crisis.
We must become aware that the opt-in option is fallible and is not a panacea for all ills. As said at the beginning, valid, freely given consent depends on information, not on the opt-in option itself. Likewise, true self-determination depends on a proper and honest relationship between data subjects and Internet providers and on the development of an Internet culture, not on paternalistic legislation.
Third, we can no longer say that the American context is very far from ours, because it is not as different as it might seem. Indeed, the Federal Trade Commission's "Self-Regulatory Principles for Online Behavioral Advertising" report, adopted in 2009, stated that material changes to privacy policies involving a different use of behavioural data already collected require the user's affirmative express consent before the data is used in the new way, and that companies must obtain opt-in consent before collecting sensitive data, which includes health information and social security numbers but also, unlike in Europe, financial information and information about children.
[1] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp188_en.pdf
[3] http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp131_en.pdf