The Privacy Policy Paradox

Playing a staring role in consent theatre

  • Chris Chapman

  • 25 January 2022

For a data controller, the privacy policy is a legal document produced by a legal professional to provide the legal basis for processing personal data. So why is it starting to look like a legal hazard?

···

The privacy policy has a dual purpose. The first is to inform the website visitor about the facts and risks related to processing their personal data. The second is to defend the legal interests of a data controller in court. When it comes to legal documents, the need to be effective in court will always override the need to be understood by non-lawyers (website visitors). This leads to a contradiction, namely, that a document that requires legal expertise to be understood is intended to be understood by someone without that legal expertise. We call this contradiction the privacy policy paradox and it has a direct impact on the utility of the cookie banner.

The purpose of a cookie banner is to obtain a website visitors lawful consent to process their personal data.

Lawful consent is consent that is informed and freely given.

In order to be freely given, the website visitor must willingly click the Accept All button and, in order to be informed, the visitor must read and understand the privacy policy.

As almost everyone clicks the Accept All button without reading the privacy policy, consent is hardly ever informed and thus, almost always unlawful. This not only has the effect of rendering the cookie banner almost entirely useless at obtaining lawful consent, it also raises the very real possibility that most personal data obtained in this manner has been obtained unlawfully. As legislators and law enforcement continue to tighten their grip on this situation, the risk to data controllers increases significantly and, in the end, it may be more cost effective to delete the data rather than face the consequences of retaining it.

The dark pattern of the 'privacy policy/accept all' mechanism is the mainstay of the cookie banner. It is also the shovel that dug the hole that data controllers now find themselves in. The way out of that hole will involve new concepts and a new approach to consent.

It may have started out with the best of intentions but in the end, the privacy policy has not only inhibited the lawful processing of personal data, it appears to have actively enabled the unlawful processing of it. That's why we believe it is a legal hazard.