I (Do not) agree and allow the collection of my personal data


4 January 2021

You’ve probably noticed that, when opening any website or app, we come across requests for consent relating to privacy policies, cookies and data collection. It is also noticeable that access to some virtual services requires agreement with what is proposed in those documents. This stems from the implementation of the Brazilian General Data Protection Law (LGPD) and the consequent need for institutions that collect, process and store their users' personal data to update their contracts. It is therefore important to observe and question the methods used to adapt these contracts and whether they conform to the new legislation.

What is the value of access to personal data?

One of the objectives of the General Data Protection Law is to guarantee access to clear and transparent information about the processing of personal data. Therefore, it is reasonable to expect that the contractual updates of websites and applications will innovate in their methods of providing clarification to customers about the content of these documents and usage policies.

Nevertheless, what is perceived in many virtual services is an adaptation that offers little or no clarification about the content of the documents that need the users' endorsement, that is, that need the human action of pressing “OK”. This action by the user can, in theory, be interpreted as a sign of confirmation and consent to extensive documentation describing what can be collected and how customers' personal data is treated.

Doubts hang over whether the procedures used to obtain consent from users are in harmony with the principles and norms of the new legislation regarding access to information and the massive processing of private data, which is the raw material of high-value assets in the market.

This happens because, once we accept the contractual terms, a series of files and programs are connected to our internet access devices for the purpose of tracking our habits, customs and tastes through access to what we do when we are online. One example is social cookies, which are responsible for saving records of user behaviour on social networks. The data collected through these cookies are then organized, processed and assigned meanings that make it possible for those who hold this information to establish personalized market strategies with the objective of persuading and encouraging consumption and, consequently, making a profit.

For this purpose, many institutions claim that the monitoring of online users' habits will be turned into benefits, such as targeted advertising and marketing, which may even become personalized discounts for people. However, is this exchange of interests really balanced?

“Fast and Slow”

Given the above, is the strategy of showing a request box that merely tells customers they must allow constant monitoring of their online behaviour in order to get a better experience or greater security on websites and virtual applications in accordance with the Brazilian General Data Protection Law?

According to the psychologist Daniel Kahneman, winner of the Nobel Prize in Economics and author of the book “Thinking, Fast and Slow”, there are two simplified ways to understand the behaviour of the human brain. The first, which the writer calls System 1, is characterized by thoughts that require little energy and minimal effort for decision making, while System 2 needs more attention and energy to carry out laborious and complex mental activity. Following this logic, System 1 tends to prevail over System 2 in many situations, since it requires less mental effort and is therefore faster. This tendency is simply a natural form of human behaviour that aims to save energy.

In this sense, it seems reasonable to draw the analogy that when a given online service offers a consent request box with little or no information about what is collected, and which just needs you to click on the “OK” option, there is an attempt to induce the user to choose the easiest path and to avoid the analytical reasoning of System 2.

Thus, the fact that the contracts on data processing guidelines are long documents written in unclear language can also contribute to a higher prevalence of System 1 in users’ choices. For the user who accesses some content over the internet, it is much faster and easier simply to agree with what the site asks for than to read and interpret the countless and boring contractual clauses of every page browsed, which demands time and effort from System 2.

I read and agree to the use of my personal data 

Bearing this information in mind, it is extremely important to analyze whether the resources used to obtain customers' consent for the use of their personal data are in line with the entire regulation established by the LGPD, since the new legislation explicitly defines, in its article 5, XII, that consent is the free, informed and unequivocal manifestation by which the holder agrees with the processing of their personal data for a specific purpose.

This means that customers need to be aware of what they are agreeing to when they allow the collection of their information in exchange for access to some website or virtual application. That is, they need to understand what data is being collected and what the intention of storing it is, with whom it will be shared, whether it is safe, and whether it will be used for discriminatory purposes, as well as several other rights regarding the treatment of their personal information.

Another essential point of LGPD for carrying out such an analysis is the command of article 6 and item VI, which deal, respectively, with good faith in the treatment of data and the definition of the principle of transparency as the guarantee, to the holders, of clear, accurate and easily accessible information about the treatment and the respective treatment agents, observing commercial and industrial secrets. Thus, the institutions responsible for collecting and processing personal data have a duty to insert LGPD rules into their procedures and contractual documents in order to comply with the obligations related to facilitated access to information by internet users.

In view of this, uncertainties remain as to whether the procedures used by entities that collect and process data have been updated to provide and stimulate people’s understanding of the storage and handling of such personal data, bearing in mind the responsibility and good faith required to adapt to LGPD requirements.

Conclusion

From observing the attempts to adapt virtual contracts to the LGPD, it can be assumed that those responsible for transmitting information are careless, which may result in several requests to cancel data collection, to delete existing information and to declare the consent null, which will make the data collection and storage irregular.

This is what the law says in its article 9: the holder has the right to easy access to information about the treatment of their data, which should be made available in a clear, adequate and conspicuous way, among other characteristics provided in regulations to comply with the principle of free access.

To that end, § 1 of the same article defines that, in the event that consent is requested, it will be considered null if the information provided to the holder has misleading or abusive content or has not been displayed beforehand with transparency, in a clear and unambiguous way. In this way, simple consent given by clicking “OK” in a warning box, behind which lie extensive pages and boring texts that do little to provide access to information, can be considered a practice unable to secure permission for data collection according to the law. This means that using consent to justify data processing will not be valid when information is provided to users in a way that does not facilitate clarification about the collection and treatment of personal data, since it will lack the legal support needed to legitimize the management of information.

Thus, it is reinforced that one of the main focuses of LGPD is to stimulate a culture of access to information and that contractual relations should aim at elucidation, in order to inform the rights and duties of the companies that collect data and of the users who provide it. For that, users and companies will need to pay attention to reasonableness and responsibility in the manner used to communicate the meaning of the collection and treatment of personal information, with a view to transparency and the other principles of the legislation.

This is because, in addition to the fragile contractual updates made by companies' data controllers, the law establishes, in art. 7, § 2, that the burden of proof that consent was obtained in accordance with LGPD lies with the controller. In this way, companies will have to work hard to prove their intentions and conduct in ensuring that their customers have a clear understanding of contractual content, as they will be responsible for proving that they offered information in an enlightening and transparent way to obtain their customers' consent.

Finally, users now have a consistent and specific legal structure that aims to protect their personal data from arbitrary contractual relationships within the virtual environment, which can promote the engagement of citizens in relation to their rights, as well as provide them with the knowledge to claim them.

The views and opinions expressed in this article are those of the authors.
Illustration by Freepik Stories

Written by

Undergraduate student in Law at the Universidade Federal de Ouro Preto - UFOP (admitted 1/2018). Member of the study group Núcleo de Direito do Consumidor - UFOP (2020/1-present). Scientific initiation research fellow (PIBIC/CNPq) with studies in the areas of Consumer Law and the General Data Protection Law (2020/2-present).
