More than a decade ago, European data protection regulators identified the problem of “consent fatigue”, where website users were overwhelmed with multiple requests to give consent for processing of their personal data. In theory, responding to those requests let individuals exercise control but, in practice, it seemed more likely that they were just clicking whatever was needed to get the content they wanted.
Despite the Article 29 Working Party’s 2009 comment (not specific to websites) that “the complexity of data collection practices, business models, vendor relationships and technological applications in many cases outstrips the individual’s ability or willingness to make decisions to control the use and sharing of information through active choice” and the UK Information Commissioner’s concern “that the creation and sharing of personal data profiles about people, to the scale we’ve seen, feels disproportionate, intrusive and unfair, particularly when people are often unaware it is happening”, regulators’ and legislators’ response to the problem has largely been to look at legal and technical formalities, not to question whether the data processing behind many commercial websites was simply too complex for individuals to meaningfully control.
Ironically, the opportunity for that change may now come from the technical side, where browser creators (including Google) are proposing new technologies for Internet advertising that may not obviously relate to existing legal provisions and rulings. The Information Commissioner has responded with a set of privacy expectations for such developments: these still call for “User Choice”, but alongside “Data Protection by Design”, “Accountability”, “Purpose”, and “Reducing Harm”. Whether this will result in a new approach, or just a new front in the battle of formalities, we will have to wait and see.