Stripe my word: notice and choice ≠ meaningful consent

MPC – Practical Insight Series

A landmark decision in Europe this past month marks the month of data privacy: Stripe and Google Analytics have been declared “illegal” in Europe, as they violate privacy law.

From : Illegal data transfers to the US.  In the so-called “Schrems II” case, the CJEU made clear that the transfer of personal data from the EU to the US is subject to very strict conditions. Websites must refrain from transferring personal data to the US where an adequate level of protection for the personal data cannot be ensured. The EDPS confirmed that the website actually transferred data to the US without ensuring an adequate level of protection for the data and highlighted: “the Parliament provided no documentation, evidence or other information regarding the contractual, technical or organizational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website.”

We don’t want to focus on the technology but rather on the many lessons to be learned from this judgment:

  • organizations will use technologies that are advantageous for them in attracting customers
  • most organizations try to conduct due diligence but some third parties do not respond, plain and simple
  • some technologies are very invasive, and organizations using them have no means of turning off privacy-invasive settings or engineering privacy into their implementation of the tool
  • organizations do not understand the notice-choice-consent triangle because these are abstract legal concepts that are very difficult to translate into compliance language

One thing is sure:

  • GDPR Chapter V applies even for transfer of cookie data.
  • The online identifiers collected by Google Analytics are personal data. They are identifiers either by themselves or when combined with other elements. Also, probabilistic identification is sufficient for the purpose of GDPR.

What about notice and choice? Well, if the online privacy notice (the privacy policy on the vendor's website) is fully transparent about what information the vendor collects, customers will maybe be informed about what personal information they give up for that product or service.

If there are omissions, then ordinary people will have no clue what personal information is being harvested from their visits.

Furthermore, if such transparency is not followed through with some decent choices that involve less privacy-invasive options, then is that really a choice?

And then, how can consent be “freely given, specific, informed and unambiguous” when the notice is not complete and the choices do not give the data subject or individual the least privacy-invasive options?

What do Google Analytics and Stripe have in common, other than a blatant disregard for privacy law? They are both technologies where privacy was purposely not engineered or designed in. The options provided are not congruent with the wishes of individuals to not have their information harvested at the will and mercy of the technology provider.

GDPR Article 4.11. Definitions.

If you are unsure how privacy protective or invasive a technology is, we can assist. We can conduct a Privacy Impact Assessment and/or a Data Transfer Assessment to put your mind at ease. Contact us and benefit immediately from the extensive knowledge of certified privacy professionals with strong technology knowledge and backgrounds.

Facebook: @ManagedPrivacy
Instagram: @managedprivacycanada
Twitter: @managedprivacy
