The Privacy Commissioner used a recent blog to signal that “click to consent” arrangements won’t always be good enough under the Privacy Act.
Where complaints relate to data collected online, he will look closely at whether the agency has actual evidence that the individuals concerned understood how their information would be used.
Agencies are obliged under IPP 3 to take “such steps (if any) as are, in the circumstances, reasonable” to ensure an individual is aware of specified matters, including the purposes of collection. And when relying on the Privacy Act’s “authorisation” exception, they must have reasonable grounds to believe that an individual authorises the relevant use or disclosure.
Where an agency puts forward a “clicked consent” defence, the Commissioner may ask:
- Has the agency taken steps to establish the number of people who actually read the terms they were purportedly consenting to
Raising the bar?
The Commissioner’s comments suggest a tougher approach to authorisation and notice, despite the Privacy Bill failing to introduce European-style consent requirements, and the select committee failing to accept the significant enforcement powers sought by the Commissioner.
The test he is in effect proposing is not whether the individual read the terms but how many people who “accepted” the terms actually read them. This is a substantially higher standard than under contract law and represents a departure from recent cases. For example:
The upshot for businesses
It is unclear how tough the Commissioner will be in enforcing this approach, or whether he has the tools to turn his bark into a bite. But businesses should be thinking not just about having clear and accessible terms but also about testing customer knowledge.
The level of knowledge required is likely to be context-dependent, but might include evidence like email open rates, click-throughs to privacy policies, and/or user interviews.