Generic Consents in Digital Ecosystems: Legal, Psychological, and Technical Perspectives

Abstract

AbstractConsent is an important authorization basis for the processing of personal data. According to the General Data Protection Regulation (GDPR), consents must be as specific and unambiguous as possible. In practice, however, this leads to users being overwhelmed by the large number of consent requests, which can ultimately be detrimental to freedom of choice. What the overwhelming number of requests for consent can lead to is reflected by the so-called cookie fatigue problem: users have become accustomed to accepting cookies on websites only to get rid of cookie banners as quickly as possible. As cookies do not always lead to the collection of personal data, the cookie fatigue problem cannot be transferred entirely to the problem we would like to address in this chapter. It only serves as an example for the consequences of overloading a data subject with requests for consent. As the GDPR demands that consent be informed and given freely, the current strategy of consent handling cannot be in the spirit of the data protection legislation. In this chapter, we present our vision of how consent can be integrated in the context of digital ecosystems from three perspectives: (1) achieving legal compliance according to data protection law, (2) demonstrating technical feasibility, and (3) assuring user-friendliness by adding cognition to the equation. Our approach aims to enable “generic consents” within a clearly defined scope and context. Although generic consents that serve as a “catch-all” are generally not allowed, we leverage the specific characteristics of digital ecosystems to impose limitations that can justify their use in this particular context. We will also detail the legal implications and present implementation options.