with Regulation 254/2014/EU of 26 February 2014 on a multi-annual consumer programme for the years 2014–2020, O.J. 2014, L 84/42.
323 See Jonker et al. (2017), p. 137. Also Schinkels criticizes the voluntary character of laudable educational initiatives like the German Verbraucherzentrale Bundesverband e. V.’s web presentation for consumer education (www.verbraucherbildung.de), which provides specially developed educational material for use in schools in order to improve consumer skills. The materials cover topics like finance, media, nutrition, sustainable consumption and consumer law. See the contribution of Schinkels to this book. In Belgium the Flemish government decided on 17 January 2018 to make a certain level of financial literacy part of the compulsory key competences that students of secondary schools must have attained before commencing higher education; see the proposal for a Flemish Decree, to be consulted at https://www.vlaamsparlement.be/dossiers/vernieuwing-eindtermen.
324 See Domurath (2015), p. 163. Compare with Pearson (2008), p. 20; Garcia Porras and Van Boom (2012), p. 50; Ramsay (2016), p. 174. See also Trigg (2011), p. 876 and, about the huge costs of financial education, Willis (2008), p. 197 and Osovsky (2013), pp. 925–931. Also P. Bongini, L. Colombo and M. Iwanicz-Drozdowska doubt the effectiveness of financial education but nevertheless conclude: “However, the ineffectiveness of financial literacy programs for those specific individuals does not imply that all financial education initiatives are useless and that policy makers should instead concentrate their actions on consumer protection regulation and, in particular, on the design of mandatory choices, as behavioral financial economists tend to propose”, in Bongini et al. (2015), p. 7.
According to the European ePrivacy Directive325 the user326 must be provided clear and comprehensive information about the purposes of the storage of personal data, or access to that information. More in particular, the use of electronic communications networks to store personal data information or to gain access to that information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. “This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user”.327
325 Directive 2002/58/EC of July 2002 concerning the protection of personal data and the protection of privacy in the electronic communications sector, OJ 2002, L 201/37, as amended by Directive 2009/136/EC of 25 November 2009, OJ 2009, L 337/11. This Directive builds on Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (O.J. 1995, L 281/31) and Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector (O.J. 1998, L 24/1), which translated the principles set out in Directive 95/46/EC into specific rules for the telecommunications sector. See also Directive 2016/680/EU of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, O.J. 2016, L 119/89.
326 This is an individual using public electronic communication services, including also consumers.
This information obligation serves as the basis for the user’s consent in the context of electronic communications and the use of cookies. How the cookies used by the electronic communication networks work and what they are used for must be explained to the consumer in a clear and easily available way.328
The consent of the consumer (user) is to date subject to a rather low-level control.
Subscribers can give their consent by amending or setting controls on the internet browser which they use or by using another application or programme to signify consent, but also by simply clicking an answer on the web page. No specific requirements exist for the form in which the information about the purposes of the storage or access must be given, nor exactly what information must be given.329 However, to be valid, consent must be freely given, specific and informed.330 It follows that there must be some form of positive action of the consumer, even though this positive action may be confined to ticking a box or clicking a link. Yet, consent need not be an explicit ‘opt-in’ consent.331 An implied consent is also valid, such as consent by implication preceded by the following words: “By continuing to use this site you consent to the use of cookies in accordance with our cookie policy”, with a link to the “Cookie Statement”, and a positive action on the part of the user, such as pressing a “hide” button on the notification.332
327 Article 5(3) ePrivacy Directive, cited above.
328 Not all cookies are subject to the consumer’s consent. User-input cookies, authentication cookies etc. are exempted from consent. See the EU advisory body on data protection (WP29).
329 However, default options have been expressly prohibited by Directive 2011/83/EU of 25 October 2011 on consumer rights, OJ 2011, L 304/64. “Before the consumer is bound by the contract or offer, the trader shall seek the express consent of the consumer to any extra payment in addition to the remuneration agreed upon for the trader’s main contractual obligation” (Article 22). Also Japanese law prohibits the use of default options; see the contribution of Nozawa to this book. In the same vein the law of Québec requires traders to bring costs to the attention of consumers. If they fail to do so, the additional costs cannot be claimed. See on this subject the contribution of Arbour to this book.
330 See Van Eecke and Schellekens (2015), pp. 279–301. The user/consumer must give his consent to the use of most types of cookies.
331 In Greece and the Czech Republic, the existing European legislation is interpreted as an opt-in system whereby users must actively accept the use of cookies on their terminal devices. In the absence of such consent, users should be enabled to freely browse the webpage they are visiting. See the contributions of respectively Karampatzos and Kotios, and Selucká, Staviková Reznicková and Loutocký to this book.
How cookies work and what they are used for is a complex phenomenon which further exacerbates the information asymmetry with the consumer. It is questionable whether the average internet user fully understands what is meant by the aforementioned notices or statements concerning cookies or is fully aware of the potential consequences of the use of cookies. In theory consumers who wish to use a website will often simply agree with the proposed use of cookies, in the absence of which they are prevented from having access to the website.
The new European General Data Protection Regulation,333 which applies in the member states from 25 May 2018 onwards, requires businesses to ask users their consent for data not necessary for the performance of a contract, for compliance with a legal obligation or certain other privileged aims.334 Consent is defined in Article 4 (11) as a freely given,335 specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.336 It follows that the Regulation imposes a stricter standard337 and requires an opt-in consent by the data subject (user/consumer) to the processing of his or her personal data for one or more specific purposes.338 As a consequence the European ePrivacy legislation needs to be adapted to align with these new rules. Hence the proposal for a regulation concerning the respect for private life and the protection of personal data in electronic communications.339 This proposal, when adopted, will repeal the ePrivacy Directive cited above and contains revised cookie rules.340
332 See the contribution of Kelly to this book. Compare with consent pop-ups: a clear banner notifying the consumer about the use of cookies and a ‘learn more’ link to further information.
333 Regulation 2016/679/EU of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, OJ 2016, L 119/1 (General Data Protection Regulation).
334 According to Article 6 (1) GDPR processing shall be lawful only if and to the extent that at least one of the following applies: (1) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the controller is subject; (4) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (6) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (6) shall not apply to processing carried out by public authorities in the performance of their tasks.
335 According to introductory recital 43 of the GDPR, the assessment whether consent was freely given has to take into account a clear imbalance between subject and controller.
336 Article 7 of the Regulation further specifies the conditions for consent. Article 7 (2) for instance states: “If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding”. It follows that a banner on a website indicating the use of cookies with the only option to accept, or with acceptance as the default option, does not comply with these requirements (see also introductory recital 32 GDPR, which indicates that pre-ticked boxes are not sufficient to constitute consent). In the absence of an option to refuse the processing of data not necessary for the service offered, the consent will not be given freely.
The GDP Regulation also deals more explicitly with the transfer of personal data to other parties. According to some reporters this could hardly be seen as an adequate solution given the speed, the frequency and the number of implied issues.341 In that regard a consumer should at least be granted the right not only to be forgotten, but also to have access to his virtual self which results from the application of diverse algorithms and to adjust or correct the characteristics or profile of his virtual self.342
In the UK the manner in which this information must be given is further specified. Businesses are advised to make sure that the language and level of detail are appropriate for their intended audience and that information about cookies or a privacy policy cannot evidence consent if it is hard to find, difficult to understand or rarely read.343 If very sensitive personal data are collected, such as health details, businesses were advised, already before the GDPR entered into force, to ask an explicit opt-in consent from users.
Yet, extensive legislation on the use of personal data does not exist in all the reported countries. In Brazil, for instance, a draft Bill aims at regulating the issue.
More specifically with regard to cookies, the unlimited use of them by businesses may constitute an abusive commercial practice within the meaning of the Consumer Protection Code. However, it is reported that although consumers technically have the means to disable cookies on their personal computers, they are generally unaware of that in practice. Furthermore, if they were to deactivate the cookies, they would no longer have access to most of the websites.344
337 This standard is based on the following principles, further clarified in Article 5 of the Regulation: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability.
338 See Article 6 (1) (a) GDPR. See also the five other lawful ways of processing personal data, for which no prior consent of the data subject is required, mentioned in Article 6 of the Regulation. According to introductory recital 30 of the GDPR, cookies which allow an individual to be identified directly or indirectly are considered as covering personal data.
339 Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), Brussels, 10 January 2017, COM(2017) 10 final.
340 The rules are said to be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. Furthermore the proposal clarifies that no consent is needed for non-privacy-intrusive cookies improving the internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors. See Articles 8, 9 and 10 of the proposal.
341 See the contribution of Benacchio to this book.
342 See again the contribution of Benacchio to this book.
343 See the contribution of Cartwright to this book.
In the same vein, Japanese law on this subject is also in its infancy. Personal data may be used by businesses provided that the consumers are informed for which purposes they are used and provided that the use made of the personal data is in line with the communicated purposes. There is no obligation to obtain any consent from the consumer. Furthermore, it turns out that in practice consumers would not have any choice but to accept the uses proposed by the businesses.345
Singapore has no legislation on e-commerce or distance selling. In contrast, the Personal Data Protection Act 2012 requires the consumer’s express consent for the collection, use or disclosure by businesses of the consumer’s personal information. “A consumer is deemed to have given his consent if he voluntarily provides personal data to the businesses and if it is reasonable that he would volunteer that data under the circumstances”.346 The reason for the data collection, use or disclosure must be made known to the consumer, in the absence of which he cannot consent.347 Although it is disputed whether opting out could constitute a means of imputing consent, the regime seems to favour an express opt-in. With regard to cookies, consent can be derived from the consumer’s consent to internet activities which require cookies to be accessed. Default settings will not necessarily suffice to impute consent for cookies.348
Taiwan also makes the collection, use and disclosure of personal data subject to the consumer’s consent.349 Consent will be inferred from the consumer’s not raising objections after being given substantial information about the use, processing and collection of personal data in accordance with the legislation. In case a business by accident uses personal data contrary to the purposes indicated to the consumer, that business will not be held liable.
344 See the contribution of Donato Oliva to this book.
345 See the contribution of Nozawa to this book.
346 Based on the responses to the questionnaire from professor Gary Low, Singapore Management University, garylow@smu.edu.sg.
347 The development of a data protection or privacy policy by which the consumers may be notified of the fact of and reasons for collection, use and disclosure of their personal data is categorised as a good practice, provided that the policy is drafted in sufficient detail. The notification of such a policy drafted in too vague or general terms runs the risk that the notification and consent obligations are not met in specific cases. The foregoing is based on the responses to the questionnaire from professor Gary Low, Singapore Management University, garylow@smu.edu.sg.
348 Based on the responses to the questionnaire from professor Gary Low, Singapore Management University, garylow@smu.edu.sg.
349 Based on the responses to the questionnaire from professor Jiin Yu Wu, National Chengchi University, Taiwan, jywu@nccu.edu.tw, who also seems to indicate that since information about the collection, processing, storage and use of personal data is mandatorily disclosed in standard contracts, the use of personal data in accordance with the purposes indicated therein is automatically allowed.
Chinese law operates the distinction between personal information and personal sensitive information. Whereas in the latter case explicit consent is required, authorized consent suffices in the former case. Explicit consent requires an affirmative action of the person concerned (e.g. by clicking the button ‘agree and register’, which gives access to the relevant information, directly followed by another ‘agree’ button) which demonstrates his unambiguous consent for core business functions and his separate consent for all other affiliate functions.350 In contrast, an authorized consent may be given implicitly, but only when explicit consent turns out to be impossible in the given context.
Overall it must be submitted that the extensive use of new technologies by businesses as a marketing tool creates the risk of new forms of information asymmetries to the detriment of consumers, namely businesses knowing more about an individual consumer’s behaviour and preferences than the latter is aware of, and to which legislatures have not yet found the right answer.
7 Behavioural Sciences’ Impact on the Consumer Information Model
The multiple critiques sketched out above351 brought some legal scholars to the conclusion that information models based on mandatory disclosures have completely failed. The most prominent scholars who voice this view are Omri Ben-Shahar and Carl E. Schneider.352 In their view the disclosure’s failure is due to a misunderstanding of psychology: it rests on the false assumption that people actually want to make all of the significant decisions in their lives and to make them with care. They conclude that “as a regulatory technique, mandatory disclosure is a fundamental failure that cannot be fundamentally fixed”. Thus, “what fails should be abandoned”.353
Like Ben-Shahar and Schneider, Thaler and Sunstein attacked the economic benchmark of the information paradigm, but, instead of abandoning the information model, Thaler and Sunstein argued in their best seller Nudge354 for a new
350 See the contribution of Yang to this book.
351 See the introduction to this contribution. See additionally on the subject of bounded rationality Hacker (2016), pp. 300–301.
352 See e.g. Ben-Shahar and Schneider (2011), pp. 647–749; Ben-Shahar and Schneider (2014), p. 240; Ben-Shahar and Schneider (2015), pp. 83–93. They claim that “although mandated disclosure addresses a real problem and rests on a plausible assumption, it chronically fails to accomplish its purpose. Even where it seems to succeed, its costs in money, effort, and time generally swamp its benefits. And mandated disclosure has intended and undesirable consequences, like driving out better regulation and hurting the people it purports to help”, see Ben-Shahar and Schneider (2011), p. 651.
353 Ben-Shahar and Schneider (2014), p. 12.
354 Thaler and Sunstein (2009).