The downside to Consent
Sometimes when we consent, we can give up more than we receive in return
We interact with consent many times during the course of regular daily life - certainly more than could fill even an encyclopaedia. While we give our consent to access some benefit, be it medical treatment, discounts or technological services, embeded within a consent agreement may be clauses more beneficial to the organisation seeking our consent. In essence, we may be giving up more than we receive in return…
Part 4: How do I consent?
To demonstrate potential issues arising for consent in modern society, we now discuss four examples that should be relevant and familiar to the majority of readers.
Law, Health and Technology Newsletter is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
An example that demonstrates these dark patterns trends comes from the Daily Mail newspaper website in the United Kingdom2. In Figure 1 the Consent and Legitimate Interest selectors are both turned off, which would lead the average website user to believe consent has been declined for all cookies and that only those cookies required to actually make the website function should be allowed. However, when viewing the Vendors3 tab as shown in Figure 2, all of the cookies identified as Legitimate Interest4 that should have been disabled by the greyed-out setting on the Purposes/Features tab are still active. A further issue we demonstrate in Figure 3, was that many vendors had migrated most of their data collection and analytical cookie types, including those that relied on personal data about the individual user, into the legitimate interest section. This means that presenting the user with an initial interface showing that all consents on the Purposes/Features tab were declined may be deliberately deceptive and could be intended to mislead the user into believing they had disabled all cookie functions on the website - when in truth, a large number of cookies that collect and/or use personal information remained active.
Figure 1: Daily Mail Cookie Consent - Purpose/Features Tab
Figure 2: Daily Mail Cookie Consent - Vendors Tab
Figure 3: Daily Mail Cookie Consent - Legitimate Interest Cookie Functions
Medical consent: While in ancient Greece patient participation in medical decision-making was unwelcome as they believed it would suggest the physician lacked confidence in his diagnostic or treatment skills; and medical texts from Medieval times told doctors that while offering comfort and hope they had to be manipulative and deceptive in order to appear authoritative and inspire obedience in patients; contemporary clinical practice, at least since and as a result of the Nuremberg Trials, has required doctors to inform patients of their diagnosis and treatment options and seek consent before commencing treatment (Murray, 1990).
Medical consent, often referred to as informed consent, has continued to evolve. Most people at least realise that a healthcare practitioner cannot simply ‘walk in and do things to them’ - that the doctor or nurse must explain what it is they propose to do and why, and seek permission prior to commencing. It is true that in an emergency situation where the patient cannot communicate their wishes, a doctor can justify the lack of informed consent prior to treatment of a life at risk because it is generally reasonable to assume that most people would want to be saved. However, in most situations the doctor would be required to explain: the diagnostic process or resulting diagnosis; proposed treatment and any alternatives5; describe the potential for and probability of side effects and both positive and negative outcomes; and all while ensuring they have identified and explained any information that a reasonable person in the patient’s position would be likely to attach significance to, or the doctor is or should reasonably be aware that the particular patient would be likely to attach significance to it6. A key intention for contemporary informed consent is inclusion of the patient in the decision-making process. However, while in an ideal world this best-case informed consent scenario would be the patient experience every time, this is not always the case7 (Cumberlege, 2020; Haskell, 2020).
Medical ethicist Harriet Washington in her most recent text Carte Blanche: The erosion of medical consent paints a damning picture for how frequently and systematically medical research subjects and patients from the military, nursing homes and prisons have had their right to decline violated. Examples include overuse and abuse of consent waiver systems8 and laws that provide a statutory waiver of the need for consent for research that provides no more than minimal risk to the subjects9 and testing of different treatments on trauma victims who are unconscious and unable to consent for themselves10. Washington (2021) also points to the use of contract research organisations (CROs) - external for profit companies who contract to perform in vivo studies and whose financial returns are directly dependent on the number of participants they can sign up and the degree to which their results satisfy the medical device or pharmaceutical manufacturer. While debate continues regarding the now industry standard practice of using CROs, the potential for safety concerns, intervention absent consent and retrospective consent collection, participant unblinding, and data integrity issues was brought to the forefront when the British Medical Journal (BMJ) broke news of then CRO Ventavia employee Brooke Jackson’s disclosures concerning issues on Ventavia’s Pfizer Covid-19 vaccine trials (Thacker, 2021). Other researchers have also identified that participant disclosure and consent documents from the Pfizer trials failed to include information regarding the potential for certain known and significant adverse events11 (Cardozo & Veazey, 2021). While the processes currently used for medical consent and clinical trial conduct are what the medical community believed would reflect best practice, these are just some examples where as a society we may have begun to regress.
Loyalty scheme consent: Fundamentally, loyalty schemes began as a marketing tool with the primary goal of attracting customers and influencing ongoing purchasing habits in favour of the brand, or brands, of the scheme operator (ACCC, 2019; McColl, 2022). However, with the increasing popularity for using customer data12 to develop marketing and sales insights to increase market-share and profits, scheme operators have expanded loyalty schemes into sophisticated data collection and analysis engines that work online and offline, across town and country, and even as customers switch devices or networks (McColl, 2022; Stourm et al, 2020; Tomlinson & Evans, 2005). Enabled by what regulators describe as vague privacy policies and exceedingly broad consents, scheme operators can target members and create realistic profiles of individual consumers with precision (ACCC, 2019; McColl, 2022; Tomlinson & Evans, 2005).
Examples of harmful discriminatory customer treatment attached to loyalty schemes have become commonplace (Lacey & Sneath, 2006; Pez et al, 2017). Customers are consenting collection and use of their personal details, shopping habits and other linked data that they may or may not even be aware is being collected - even after reviewing long and complicated membership agreements. It may seem uncontentious that scheme members receive lower prices in return for their data; this is, after all, the carrot on the end of the data stick (Tomlinson & Evans, 2005). However, it is also becoming common to see claims that lower member prices are being subsidised not by the money made from selling their data and the insights being gleaned from it - but rather, and as with the recent example of Tesco13 in the UK, by charging non-members substantially higher prices (Sandercock, 2022; Winchester, 2021). This could also be a crude penalty to ‘nudge’ non-member customers into taking up membership and hence, consenting the ongoing and pervasive collection, analysis and sale of their own personal data. Tesco and others do this in spite of the fact that for almost a decade they have been surreptitiously tracking and profiting from of the data of non-members through those customers’ repeat use of electronic payment methods like debit cards and digital wallets at the till (Ferguson, 2013). Tesco are said to save or profit by an estimated £350mil each year through intelligent application of member data to decide which stores should or should not receive stock of particular items and when (Poulter, 2011). However, by 2011 they were also already earning more than £53mil annually from sales of their loyalty scheme member dataset for aggregation with the data collected by other organisations (Poulter, 2011).
Connected vehicle consent: Modern vehicles have become so heavily computerised and dependent on constant telematics that they are now one of the smartest devices we own (Fowler, 2019; Prevost & Kettani, 2019). Many new vehicles have always-on internet connectivity that connects with vehicle manufacturer servers and third parties to exchange a broad range of data (Fowler, 2019). Mapping data for the navigation system can come from Google or Apple Maps, or a range of telenav companies who provide bespoke solutions to different manufacturers. By sharing your current location and travel direction with third parties, those maps are overlaid by the manufacturer’s infotainment software with traffic, traffic camera and point-of-interest (POI) location data. Manufacturers can also collect and upload 245 or more datapoints14 from sensors and computers throughout the car, and many now on-sell this data to vehicle data hubs (Keegan & Ng, 2022). The infotainment unit can provide data on the places your vehicle has been and its current location; details about the smartphones that have been connected to it, the phone calls made or received and the music that has been played; driver and passenger preferences; and broader vehicle settings and service histories. However, the infotainment unit is just one of anything from 30 to 100 specialised computers located around the vehicle. Manufacturers also began installing event data recorders (EDR) in expensive high-specification vehicles in the mid-1970’s. While those original EDR captured very limited data like engine rpm, vehicle speed and whether the early airbag systems of the time had triggered, modern EDR are able to constantly capture a stream of data collected from many different systems and sensors within the vehicle and in the event of an accident, act like an airliner’s black box to provide information to assist in crash and insurance investigations15. EDR became ubiquitous during the last two decades such that it is now difficult to identify a vehicle without them, and they are becoming mandatory in many jurisdictions16. If someone can gain access to your vehicle network - whether physical access or, where an over-the-air exploit exists, from a remote location, they could potentially download your driving history and a wealth of personal data.
It is a legal requirement in many jurisdictions that consent must be acquired from every vehicle user for which personal data will be collected (Bruyndonckx et al, 2020). In practice this rarely occurs and in any event may not always be practical. Consider that many new cars are ‘aware’ of the number17 of passengers and, as one example, whether they have fastened their seatbelt. Would it be practical to present an interface to consent each individual passenger prior to every trip during which the vehicle will be recording18 and reporting, usually to the driver in the instrument cluster but potentially also to manufacturers over-the-air, how many occupants there are on this trip and whether each has been compliant with traffic law and fastened their seatbelt? Another example would be where multiple people share use of the same vehicle - such as a family or staff working for the same employer. In these situations, after the first user is asked by the infotainment system to consent data collection and dissemination to the manufacturer or third parties, subsequent users will rarely be asked to consent to the now ubiquitous data collection of these modern sensor-filled, computerised and connected cars. Finally, there is also now a trend towards incorporation of inclusive language in the vehicle’s consent agreement intended to resolve this multi-user issue by shifting the information articulation component of consent (the informing of subsequent users) onto the primary owner - a person who often also did not read the terms of consent when they purchased the vehicle (Pattinson, 2020).
Consent is like any other agreement or contract we may make. We give up something to get something. What we have seen is that in many cases what we give up is information about ourselves - in essence, some aspect of our right to privacy. While countries like the UK have their General Data Protection Regulation (GDPR) and Australia and New Zealand cling to their Privacy Principles, our small act of consent can give organisations permission to access, store and process personally identifiable information about us that, absent our consent, they would otherwise be legally restrained from doing.
The true balancing act lies in our deciding, each for him or herself, how much we are willing to give up for what we receive in return.
Join me next time when we will look at some of the ways consent has recently been used, or misused. When we will ask… How are recent global events shaping consent?
In the EU the ePrivacy Directive must be interpreted in line with the General Data Privacy Directive (GDPR 2016) which requires valid consent in the form of a freely given, specific, informed and unambiguous indication of the data subject’s wishes in order for companies to collect and use data via online mechanisms such as browser cookies.
On the day we browsed the Daily Mail website an incredible 238 separate vendor organisations were listed in this interface including market researchers, advertisers and tech companies from the UK, Germany, Australia, America, South Africa, Singapore, China and others.
More than one quarter of all listed vendor organisations claimed a Legitimate Interest requirement for the data or analysis from multiple cookie types and functions
Including the alternative to ‘do nothing’.
Montgomery v Lanarkshire Health Board  SC 11,  1 AC 1430.
The 2020 Cumberlege Independent Medicines and Medical Devices Safety Review in the United Kingdom reported on hundreds of patients with a lack of informed consent for their initial treatment followed by years of dismissal by clinicians and regulators who did not want to associate life altering symptoms or injured children with their medical interventions. The review panel found that healthcare providers’ dismissive attitude toward patients was underpinned by a reluctance in all parts of the system to collect evidence on potential harms, by a lack of coordination that would allow clinicians and agencies to interpret and act on that information, and by a culture of denial that failed to acknowledge harm and error, impeding learning and safety.
The USA’s FDA provides a consent waiver system for individual research studies and trials that can demonstrate minimal imposition or risk of outcome for participants. Similar approaches are used to qualify low risk ethics approvals within the UK’s NHS.
For example, US Code of Federal Regulations: 45 CFR 46.111 (d) which Washington (2021) states was used to justify ambulance officers injecting agitated patients in Minnesota with the amnesia-inducing sedative Ketamine, and collection and analysis of retrospective identifiable patient records datasets.
For example, US Code of Federal Regulations: 21 CFR 50.23-24 dispenses with consent for such things as side-by-side testing of interventions on trauma patients. Examples cited in Washington (2021) include infusing the unconscious trauma victim with either saline or artificial blood products in a side-by-side treatment efficacy study, or the testing of different types of patented valves during cardiopulmonary resuscitation.
Cardozo & Veazey (2021) found that while Pfizer and their CROs were aware that antibody-dependent enhancement (ADE) was a known side effect that would arise for a small group of patients in their trial, they failed to inform any participants regarding ADE and the life-altering negative effect it could have on their lifestyle.
The so-called ‘big data’.
Tesco Supermarkets run one of the largest supermarket loyalty schemes in the United Kingdom - with a membership estimated to exceed 20 million individual users. In 2013 the public were made aware that Tesco established a subsidiary to oversee the highly secretive Crucible database that links purchasing habits with socio-economic and lifestyle data and information from the Land Registry, Office for National Statistics, Electoral Roll and other government agencies and Tesco admits, seeks to know everything about consumers. Crucible data is on-sold to other large consumer groups and companies that include Sky, Orange and Gillette. Recent changes to the Tesco Clubcard scheme moved the rewards process to be almost entirely digital, changed the terms and conditions multiple times in favour of the operator, and have drawn significant negative public attention to the brand.
A common data hub used by American manufacturers is CARUSO. The CARUSO API lists 245 different data points that collect a range of Boolean, discrete and continuous data values about everything from seat and steering wheel positions to regular images taken using the front and rear parking cameras of the car.
Federal law in the USA has prescribed the data requirements for EDR in 49 CFR 563 since 2006 - inter alia the speed of the vehicle, engine ROM, throttle position, disposition of brakes, seatbelt status and (where available) occupant size for each occupant and airbag deployment data. Other countries like Australia are working on regulation that would mirror the USA requirements.
EDR became mandatory on vehicles sold in the USA from 2011, on vehicles sold in China during 2021, and in the EU from July 2022.
Sometimes also including the approximate size (i.e. child or adult)
In restraint and airbag management computers and the EDR.
NB: Due to space limitations I have not included the reference list. All of the references in todays post should have already been provided in the preceding three posts on consent.