Tougher enforcement for online consent

10 September 2019

The Privacy Commissioner used a recent blog to signal that “click to consent” arrangements won’t always be good enough under the Privacy Act.

Where complaints relate to data collected online, he will look closely at whether the agency has actual evidence that the individuals concerned understood how their information would be used.

Agencies are obliged under IPP 3 to take “such steps (if any) as are, in the circumstances, reasonable” to ensure an individual is aware of specified matters, including the purposes of collection. And when relying on the Privacy Act’s “authorisation” exception, they must have reasonable grounds to believe that an individual authorises the relevant use or disclosure.

Where an agency puts forward a “clicked consent” defence, the Commissioner may ask:

  • Has the agency taken steps to establish the number of people who actually read the terms they were purportedly consenting to
  • How many times customers clicked to the terms and conditions or the privacy policy before clicking the consent box?
  • Did those who clicked through spend long enough on the privacy policy to read it?

Raising the bar?

The Commissioner’s comments suggest a tougher approach to authorisation and notice, despite the Privacy Bill failing to introduce European-style consent requirements, and the select committee failing to accept the significant enforcement powers sought by the Commissioner.

The test he is in effect proposing is not whether the individual read the terms but how many people who “accepted” the terms actually read them. This is a substantially higher standard than under contract law and represents a departure from recent cases. For example:

  • the successful reliance on an “opt-out” authorisation in 2016 by the purchasers of Dick Smith’s customer database, and
  • the acceptance in 2017 by the Commissioner that a letter by the AA to its members authorised it to automatically disclose member information to a supermarket chain for fuel discounts when members swiped their AA card.

The upshot for businesses

It is unclear how tough the Commissioner will be in enforcing this approach, or whether he has the tools to turn his bark into a bite. But businesses should be thinking not just about having clear and accessible terms but also about testing customer knowledge.

The level of knowledge required is likely to be context-dependent, but might include evidence like email open rates, click-throughs to privacy policies, and/or user interviews.