Digital Consent: Type, Trouble & Trajectory


The absence of a few things lays bare their importance in our lives that would otherwise go unnoticed, and I believe consent is at the top of this list. Similar to air, no one notices consent when it is present, but its absence is what makes all the difference. A nice pat on the back becomes a battery when there is no consent. Consent distinguishes sexual intimacy from assault, surgery from slaughter, sharing from stealing, and the list goes on. The act of consent does a great deal of legal work. The converse is also true: “if you consent, you cannot sue.”

In the digital world, consent is the cornerstone of our interactions with search engines. It serves as the foundation for the digital economy, digital government, and online social interactions. If you use a smartphone, which more than 80 crore Indians do, you have probably given digital consent at least once in your life. If so, this article is for you.

Defining consent 

There are countless definitions and interpretations of digital consent floating around the world; it differs depending on the country, culture, and context. However, as the privacy laws in the majority of countries are modelled after the EU GDPR, a generally accepted definition can be derived from it.

According to Article 4 (11) of the EU General Data Protection Regulation (GDPR), “Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Article 7 of the EU GDPR also sets out further ‘conditions’ for consent, with specific provisions on:

  • keeping records to demonstrate consent;
  • prominence and clarity of consent requests;
  • the right to withdraw consent easily and at any time; and
  • freely given consent if a contract is conditional on consent.

‘Free’ in this definition refers to the absence of any unwarranted pressure or influence that might impact the decision’s outcome. For consent to be specific and informed, the data subject must be informed about the controller’s identity, the type of data that will be processed, how it will be used, and the purpose of the processing operations. It should be given voluntarily, without any ambiguity in intention and communicated explicitly. The process of withdrawing consent must be as simple as providing it.

Types of digital consent 

There are a lot of classifications of digital consent, but we will stick to just three for now:

  1. Implicit consent: Unless the consumer expressly states otherwise, it is considered that they have consented. For instance, including your phone number in your email signature indicates that you are fine with being contacted by the person to whom you sent the email.

  2. Explicit consent: It’s usually communicated verbally or in writing. It can be provided in a variety of ways, such as by signing an eConsent form, checking the ‘I agree’ box on long consent forms (active consent), and accepting a privacy policy or Terms of Service.

  3. Directive consent: Consent directed to one person/people. For instance, sharing a Google Doc with someone entails your agreement to share it only with the person whose email address you are entering. So, it will be wrong if the other person distributes that document to a third party without your consent.

Opt-in consent occurs when you consciously check each box rather than having consent assumed automatically. This is the opposite of opt-out consent (passive consent), which is granted if you continue without openly rejecting.

Businesses want opt-out consent because it requires customers to take action in order to stop receiving marketing communications. Many people do not read the language or permissions and are far more likely to assent to objectives that benefit an organisation.

Challenges related to Digital Consent

More consent leads to more data, more data leads to more targeted advertising which further translates to more sales. 

The aim of making the most money exposes the evil side of this chain and puts digital consent under scrutiny. Some of the most commonly observed challenges are:

From Organisation’s end

  • Manipulation using Dark Patterns: Disabled back buttons, ‘sponsored’ default bookmarks in browsers, unexpected and pointless forms, glaring ads, and pop-ups that cover desired information. It is not surprising that many of these bad interfaces are used to cajole, wheedle, and deceive consumers into giving consent because businesses have significant incentives to do so.

  • Giving Pseudo choice: Cases in which a person must choose between consent and the loss of a valuable asset, such as their life or their job. Sometimes a choice isn’t actually a choice; it’s more of a game of “would you rather?” with a choice between a lousy option and a terrible one. It’s similar to “sign or not live like the majority of people.”

  • Confirmshaming: The act of guilting the user into opting for something. The option to decline is worded in such a way as to shame the user into compliance. Consider the request from MyMedic to send users notifications, which forces those who do not wish to receive notifications to click a button labelled “no, I prefer to bleed to death.”

At Consumer’s end

  • Lack of Technical Knowledge: Not understanding the technology being agreed to. Far too many people in the digital environment have little to no knowledge of the data practices they are agreeing to.

  • Legally not allowed to Consent: Because of the combination of easy-to-install apps and a liberal regulatory system, minors will almost certainly use apps and engage in online and offline actions, ranging from data collection to sex, that they lack the legal competence to consent to.

  • Human Fatigue: According to a 2011 study by Carnegie Mellon University, it would take 76 workdays to read all of the privacy regulations that the typical Internet user encounters in a year. The length of privacy policies has doubled in 2022, totaling 152 working days to JUST read them, forget about comprehension. I mean, seriously?

  • Difficulty in Comprehension: The legal document may be excessively lengthy, include ambiguous language, grammar, or technical terms that would be difficult for laypeople to grasp, or it may be too imprecise to clearly state what is being agreed to.

What encompasses informed consent? 

Informed consent is a process, not a thing. In 2017, the UK Information Commissioner’s Office set out some ideas on what it involves. They include:

  • Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. 
  • Include the name of your organisation and any third parties, why you want the data, what you will do with it, and the right to withdraw consent at any time. 
  • You must ask people to actively opt-in. Don’t use pre-ticked boxes, opt-out boxes or default settings. 
  • Wherever possible, give granular options to consent separately to different purposes and different types of processing. 
  • Keep records to evidence consent – who consented, when, how, and what they were told. 
  • Make it easy for people to withdraw consent at any time they choose. Consider using preference management tools. 
  • Keep consents under review and refresh them if anything changes. 

Possible Pathways 

  • Consent as a Service (CaaS): The future of the digital economy, according to many experts, will involve people storing their identities with dependable third parties. They will just request that the custodian of their ID furnish any personal information requested by a new provider.

  • Consistency in Consent Forms: Consistency in the presentation, storage, and administration of consent forms. Digi.me, a startup, suggests organizing consent forms into six plain-language categories and presenting them as follows:

    • What data do we want? 
    • What will we do with it?
    • What will we give you back in return for the data? 
    • What data will we keep?
    • What will we share with third parties and why? 
    • How do we give you the right to forget/erase/revoke your data?

  • Pay to Not: Data is the value exchange for many “free services” available today. You trade your personal information for a free Instagram account. What if users had the option of “pay to not” receive advertisements? They could then escape the consent loop. (I am just thinking out loud at this point tbh). 

  • Make Consent Opt-In: Pre-ticked or opt-out boxes are not sufficient, EVEN in India and not just in Europe. 
