Part 5: Notice and consent

Recommendation 31 Strengthen notice and consent requirements in the Privacy Act to address the limitations in these mechanisms, but preserve the use of consent for high privacy risk situations, rather than routine personal information handling.

5.12 Notice and consent only achieve their goal of giving individuals choice and control if they are used effectively and in appropriate circumstances. In the OAIC’s view, the overuse of these mechanisms will place an unrealistic burden of understanding the risks of complicated information handling practices on individuals. This will not address the privacy risks and harms facing individuals in the digital age.

5.13 There are several important practical limitations on the use of notice within the privacy framework. A fundamental dilemma of notice is that it usually comes to a choice between making notice simple and easy to understand or fully informing an individual of the consequences of handing over data, which can be quite complex if explained in meaningful detail.

5.14 APP 5 notices are increasingly being embedded within long and complex statements of terms of provision and use of service, while other privacy information is ‘incorporated’ by reference to a general privacy policy. Individuals may want to know how their personal information will be handled, but including these descriptions in long complex notices, often drafted with legal obligations in mind, fails to deliver on this objective.

5.15 Emerging, innovative technologies, such as artificial intelligence tools, may use personal information as the basis for a decision that could have significant effects for the individual, but do so in a way that is often invisible or difficult to comprehend, and may be challenging for APP entities to clearly explain.

5.16 The practical consequence of these issues is that the descriptions of more impactful or unusual privacy affecting acts or practices are often ‘lost in the noise’ of descriptions of more generic or expected information handling activities.

5.17 Expanding transparency requirements could have the effect of further increasing the length of notices, which may make them more difficult to interpret and be less useful in informing individuals, particularly of unusual or unexpected information handling practices. It is also important to note that the notice and consent model does not scale, meaning that while transparency reforms may make it easier for individuals to read and understand a few privacy policies or notices, it is unreasonable to expect individuals to engage meaningfully with notices from the large (and likely increasing) number of APP entities seeking to handle their personal information.

5.18 Consent is also a privacy self-management tool that has its limitations, particularly in light of the various challenges and complexities created by digital technologies. These limitations constrain the usefulness of consent as a privacy protection:

• Consent is only a meaningful and effective privacy self-management tool where the individual actually has a choice and can exercise control over their personal information. In many cases, consumers may feel resigned to consenting to the use of their information to access online services, as they do not consider there is any alternative.
• The challenge faced by APP entities in seeking consent will vary depending on how necessary the individual considers the relevant product or service. Anecdotal evidence suggests that individuals already feel that they are dependent on the services offered by global social media platforms, search engines and e-commerce sites, which typically offer all-or-nothing terms and conditions. As these products or services become more entrenched in individuals’ lives, not engaging with a product or service, even where an individual holds privacy concerns, may not be a realistic option without having a significant impact on an individual’s ability to engage online.
• Consent must be freely given, specific, unambiguous, and informed, which can be particularly difficult to achieve in the digital environment where data flows and data practices are increasingly complex and difficult to understand. It is becoming increasingly apparent that individuals are not always well placed to assess the risks and benefits of allowing their personal information to be shared. For example, at the moment of sharing, individuals cannot always know what other personal information can be derived about them, and what other information it may be combined with in the future to develop additional insights about them. This is supported by studies that have suggested that there are cognitive limitations that impact the ability of individuals to accurately assess risks when deciding whether to consent to privacy terms. For example, individuals have been shown to overvalue immediate benefits and costs (for example, the benefits of immediate access to a desired online service), while struggling to accurately assess more delayed benefits and costs (for example, privacy risks).[95]
• The notice and consent model is predicated on consumers making individual privacy decisions about their own personal information. However, recent privacy issues in relation to COVID-19 or attempts to manipulate political processes are illustrating that privacy decisions by individuals are increasingly impacting the community or the wider Australian public.[96]
• Research suggests that some APP entities operating online use so-called ‘dark patterns’ designed to nudge individuals to consenting to more collections and broader uses of personal information.[97]

5.19 As noted, consent is only required under the Privacy Act for higher risk information handling activities. This is why there is a high threshold for valid consent. If consent became the primary basis for personal information handling, this high threshold would place an unnecessary compliance burden on entities for much of their information handling across the online and offline environment. For example, APP entities will be required to seek informed, voluntary, current and specific consent for standard business activities, such as providing records that contain personal information to an accountant or reviewing records for auditing purposes. It would also require individuals to ‘consent’ to a myriad of information handling practices that they do not currently need to consent to and which they would reasonably expect.

5.20 As noted above, the OAIC is supportive of reforms to the notice and consent framework in the Privacy Act, particularly to prevent overly broad, unfair or unreasonable information handling practices. This submission recommends several reforms to further strengthen and clarify notice and consent requirements.

5.21 However, the OAIC does not consider that the privacy risks and harms facing individuals in the digital age will be addressed by expanding APP entities’ notice obligations, or the circumstances where consent is required.

5.22 The burden of understanding and consenting to complicated practices should not fall on individuals but must be supported by enhanced obligations for APP entities that promote fair and reasonable personal information handling and organisational accountability. The OAIC sees one of the key goals of the law reform process as being to ensure that the APPs provide a framework for the handling of personal information that is fair and reasonable, with consent only required in limited circumstances that will be of most benefit to individuals. Recommendations 37, 38, 39 and 40 in this submission are aimed at addressing this key issue.

Recommendations to strengthen notice requirements

5.23 The OAIC considers that an appropriate balance must be struck between strengthened notice requirements and the practical consequences of increased provision of notices to consumers, which could include increased notification fatigue.

5.24 Developments in technology present the opportunity for more dynamic, multi-layered and user-centric privacy policies and notices in the online environment. The OAIC supports innovative approaches to privacy notices, for example, ‘just-in-time’ notices,[98] video notices, privacy dashboards and multi-layered privacy policies[99] to assist with readability and navigability. The OAIC considers that the proposed Online Platforms code provides an appropriate instrument to include such measures.

5.25 The OAIC considers that the following measures would assist to address the limitations of notice outlined above and strengthen the utility of notice under the Privacy Act. These measures could be introduced into the Privacy Act, in industry-specific codes, legally-binding rules supported by Commissioner-issued guidelines.[100]

Language and accessibility

5.26The OAIC recommends that requirements should be introduced for APP 5 notices to be concise, transparent, intelligible and written in clear and plain language.[101]

5.27The OAIC also recommends the practical application of the enhanced obligations in APP 5 could be supported through the use of codes, legally-binding rules or Commissioner-issued guidelines addressing the following requirement:

• Formatting notices in a way that will draw the consumer’s attention to it at the time of collection, or before the point of collection
• Ensuring readability across multiple digital devices, including smaller screens
• Require notices to be written at a level that can be readily understood by the minimum age of the reasonably likely audience of affected individuals[102]
• Notices should be reasonably accessible, particularly for those with disabilities.[103]

5.28These requirements would ensure that APP entities create succinct and transparent notices that narrow the focus of what must be addressed, and ensure the notice is manageable to for individuals.

Recommendation 32 Introduce requirements that APP 5 notices should be concise, transparent, intelligible and written in clear and plain language.

5.29The OAIC supports measures to create a common language to assist individuals make informed decisions about their personal information, for example, through the use of standardised icons or phrases, as recommended in the ACCC’s DPI report. This will allow individuals to readily identify the information handling practices of most relevance to them, and to compare products and services in order to make consumer choices based on privacy credentials. It may also allow the development of a ‘traffic light’ system to compare privacy settings across products and services.

5.30 The use of standardised language and icons will also streamline compliance by all entities when developing privacy policies, notices and consent mechanisms. This will also support compliance by small business if the exemption is removed from the Privacy Act (see OAIC Recommendation 27).

5.31 The OAIC considers that, initially, sector-specific standard icons or lexicons, developed in collaboration between the OAIC, industry and consumer groups, will be most effective. This process was used in the CDR regime, where Data61 developed the consumer experience standards and the mandatory data language standards in collaboration with the OAIC, ACCC and industry. These standards were subject to extensive user testing.[104]

5.32 Recommendations 14, 15 and 16 will provide the Commissioner with greater regulatory options to operationalise such measures, for example through a code, legally-binding rules and Commissioner-issued guidelines. This could facilitate an industry-led, collaborative process to develop standard icons or language that are flexible and tailored to the specific needs of the sector. These standardised icons and lexicons can be refined and iterated based on consumer experience and as the needs of the sector evolve. This would complement similar measures that will be included in the upcoming code aimed at digital platforms.

5.33 However, in order to assist individuals to understand the specific information handling practices of the entity they are dealing with, standardised icons and phrases may need to be supported by additional information where required. This is primary because it is important that APP 5 notices remain context specific with a clear goal of explaining the particular purpose for which a specific entity is proposing to collect an individual’s personal information.

23. Where an entity collects an individual’s personal information and is unable to notify the individual of the collection, should additional requirements or limitations be placed on the use or disclosure of that information?

5.34 APP 5 requires an APP entity to take reasonable steps to notify an individual about the collection of their personal information, regardless of whether the APP entity has collected the personal information directly from the individual or from a third party.

5.35 The OAIC’s APP guidelines outline a limited number of scenarios in which not providing notice under APP 5 may be reasonable, such as where an individual is aware that the personal information is being collected, the purpose of the collection and other APP 5 matters relating to collection; when notification may jeopardise the purpose of collection or the integrity of the personal information; when notification may pose a serious threat to life or safety; or if notification would be inconsistent with other legal obligations. It is the responsibility of the collecting APP entity to be able to justify not taking any steps.

5.36The OAIC considers that Recommendation 37 to introduce a fairness and reasonableness requirement in relation to collections, uses or disclosures of personal information will serve to address the privacy risks that may arise if an APP entity does not notify an individual about the collection of their personal information under APP 5. Additionally, the OAIC considers that strengthening the obligations on APP entities collecting from third parties (as outlined in paragraphs 3.26-3.33) will further serve to reduce privacy risks in these circumstances.

Recommendations to enhance the use of consent

5.37 The OAIC considers that it is important to preserve the use of consent for situations in which the impact on an individual’s privacy is greatest, and not require consent for uses of personal information for purposes that individuals would expect or consider reasonable.[105] Seeking consent for routine purposes may undermine the quality of consents obtained from consumers, and result in consent fatigue. It is also essential that consent be relied on only where an individual is actually being given meaningful control over their personal information.

5.38; Rather than expanding the use of consent broadly, the OAIC recommends a number of measures that will ensure that consent is meaningful and relied on by entities in appropriate circumstances.

5.39 The OAIC supports the ACCC’s recommendation in the DPI report that consent should be defined to require a clear affirmative act that is freely given, specific, unambiguous and informed. This reform would align the definition of consent more closely with the GDPR.[106]

5.40 As noted in paragraphs 5.48-5.51 below, consent must also be current. This means that an individual’s consent will only last as long as is reasonable, having regard to the particular circumstances. The OAIC recommends elevating this requirement for consent from the APP guidelines into law.

5.41 Consent will only be valid if an individual understands what they are consenting to and is given the opportunity to consent to specific personal information handling practices. As noted in the OAIC’s APP guidelines, consent given at a particular time in particular circumstances cannot be assumed to endure indefinitely. An APP entity should not seek a broader consent than is necessary for its purposes, for example, consent for undefined future uses, or consent to ‘all legitimate uses or disclosures.' Requesting broad or ‘bundled’ consents has the potential to undermine the voluntary nature of consent.[107]

5.42An amended definition of consent, as per Recommendation 32 above, could be supported by Commissioner-issued guidance that sets out expectations for ensuring specific and purpose-based consent,[108] including that:

• Consent is not freely given when the provision of service is conditional on consent to personal information handling that is not necessary for the provision of the service, as per Article 7(4) of the GDPR.
• APP entities must clearly and narrowly define the purposes for which the personal information will be handled and consent is being sought.
• Consent must be specific and granular.[109]
• APP entities should consider the use of graduated consent and tiered consent, similar to the approach to consent currently being proposed under the CDR regime.[110]

Pro-privacy default settings

5.43 Default settings provided by entities nudge users towards privacy intrusive options as research shows most users do not look at/change their default settings.[111] These are known as ‘dark patterns’.[112]

5.44Research suggests some entities may use design choices and language to manipulate users to choose the less privacy-friendly options, and ultimately discourage them from making an active choice. For example, through the:

• Use of salient colours, buttons or options, playing towards the consumer’s tendency to choose the easier road.
• Need for significantly more clicks to adjust away from default settings.
• Focusing on positive aspects of one choice whilst glossing over potentially negative aspects, assisting consumers to comply with the service provider’s wishes.
• Giving consumers the illusion of control, making them more susceptible to taking risks with sharing information.[113]

5.45The OAIC considers that default settings that aim for data maximisation run counter to the policy intentions of the Privacy Act and increase the risk of harm to individuals. This is particularly the case where this information is being used to facilitate direct marketing through online advertising as part of an entity’s business model and is not necessary to reasonably enable the provision of the particular product or service in a manner reasonably contemplated by the user. They are also counter to community expectations, as evidenced in the OAIC’s 2020 ACAPS results, which found that 85% of Australians considered that digital platforms should only collect information needed to provide their product and/or service.

5.46 Pro-privacy default settings require a higher level of user engagement before APP entities can collect and use personal data for a secondary purpose. For an entity to collect personal data for a secondary purpose, they will need explicit opt-in from the consumer.

5.47While this will cause some regulatory burden on entities such as the digital platforms which rely on data collection for their business model, this is an essential protection for individuals. It will also incentivise entities to design consumer friendly, easy to use privacy controls and place the responsibility on these entities to provide clear notices that persuade individuals why positively electing to change these default settings is in their best interests.

Recommendation 35 Amend the Privacy Act to require all settings to be set to privacy protective as default except for collections of personal information that reasonably enable provision of the particular product or service.

5.48The OAIC’s APP guidelines indicate that consent must be current and specific. This includes enabling an individual to withdraw their consent at any time, which should be an easy and accessible process. Once an individual has withdrawn consent, an APP entity can no longer rely on that past consent for any future use or disclosure of the individual’s personal information. Individuals should be made aware of the potential implications of withdrawing consent, such as no longer being able to access a service.

5.49 The OAIC recommends that this guidance is elevated into law, including a requirement that an individual be notified of their right to withdraw consent, where consent has been required for the personal information handling. This could be modelled on current requirements in the CDR. [114] This would complement the OAIC’s recommendations to introduce a right to erasure and right to object, as outlined in Part 3.

5.50The OAIC’s APP guidelines also note that consent given at a particular time in particular circumstances cannot be assumed to endure indefinitely. It is good practice to inform the individual of the period for which the consent will be relied on in the absence of a material change of circumstances.

5.51 The OAIC is supportive of APP entities having processes in place to check whether the consent that an individual has provided remains current. This must be balanced with issues around information overload and consent fatigue, as discussed above.

Recommendation 36 Elevate OAIC guidance on withdrawing consent into the Privacy Act, including a requirement that APP entities must notify an individual of their right to withdraw consent, where consent has been required for the personal information handling.

5.52 IoT devices and services offer great benefits and opportunities to individuals and the Australian economy. However, as these devices become more widespread and interconnected, they are becoming increasingly capable of collecting more significant volumes of personal, and often sensitive, information. This can create significant security and privacy risks.[115]

5.53 IoT devices may appear in various contexts, ranging from consumer items such as smart speakers or smart appliances, devices used as part of smart city initiatives as well as industrial applications of this technology. Of particular risk are IoT devices used in toys or devices that will be used by children.

5.54 Transparency obligations are particularly important for IoT devices and can present compliance challenges. Under the Privacy Act, APP entities are required to ensure that individuals have access to information about the types of personal information that will be collected, and the ways it will be used and disclosed. Where IoT devices do not have screens or other interfaces, APP entities will have to take other steps to ensure compliance with their transparency obligations.

5.55IoT devices also pose challenges for seeking valid consent where required, particularly ensuring that consent is voluntary and informed.[117] Devices that collect personal information in public spaces automatically may rely on individuals to opt-out of collection. To the extent that individuals are aware of the use of these devices, the non-interactive nature of IoT devices means that opting-out may be challenging. This may also result in an individual simply having to move to a different area.[118] Obtaining informed consent will require APP entities to place notices prominently so that individuals are aware of how their personal information will be handled.[119]

5.56 The OAIC’s recommendations about notice and consent  and ensuring that all settings to be set to privacy protective as default in the above section will assist in addressing the challenges to these privacy self-management tools that are posed by IoT devices.[120] The OAIC also recommends amending APP 1 to expressly require entities to adopt a ‘privacy by design’ and ‘privacy by default’ approach, which will require APP entities to consider privacy compliance while developing and designing IoT devices (see Recommendation 42). [121]

5.57 Given the challenges that IoT devices pose to privacy self-management requirements, ensuring that APP entities deploying this technology act fairly and reasonably, and comply with other appropriate organisational accountability requirements, is particularly important. This submission recommends several requirements that will be relevant protecting individuals in the context of IoT devices:

• Introducing requirements for APP entities to collect, use and disclose personal information fairly and reasonably to ensure that APP entities providing IoT devices handle information in a manner that meets Australian community expectations (see Recommendation 37)
• Implementing full or partial prohibitions for certain acts or practices in relation to IoT, particularly in relation to children, as well as the surveillance of individuals through their personal devices (see Recommendation 40)[122]
• Introducing a right to erasure which, subject to exceptions, would allow individuals to request the deletion of their personal information, particularly where there is a transfer of ownership of an IoT device (see Recommendation 23)[123]

5.58 IoT devices may often collect technical data which may be used for purposes such as profiling individuals. The granularity of information collected by IoT devices may also allow increasingly accurate inferences about individuals. The OAIC’s recommendations about the definition of personal information to clarify that technical data and inferred information are captured will address this issue (see Recommendations 4, 5 and 6).

5.59 Finally, information security obligations under APP 11 are particularly important in relation to IoT devices, given the volume of personal information that may be collected by this technology.