Law requiring explicit consent for data use in Quebec: All smoke and mirrors

A new bill has been announced by Justice Minister Sonia LeBel that would force companies to ask for clear and explicit consent from consumers. So what?

 

Read the article in La Presse.

This sounds like it must be good news for consumers… But is it? 

Here’s my humble opinion as a data scientist: 

Human nature makes this a toothless law.

I don’t say this because I’m against the protection of personal data, just the opposite. There are major problems with the way the web has evolved since it was democratized – and particularly since it was commercialized. From a system devoted to sharing information between universities, it has become the heart of our communications, and the way we share our lives. That’s why it’s essential that we maintain a modicum of privacy in at least some facets of our existence. But our behaviour and the needs of the market unfortunately run counter to the noble sentiments espoused by this law and all those like it elsewhere in the world. 

No one wants to give away their personal information, and yet we do it constantly [1]. The majority of people (67% of adults in Quebec in 2017) have a Facebook account filled with details of their personal lives. But perception matters, and in the end the number one thing people want is to know that they have “control” over their personal data (rather than knowing that, on the corporate side, their data is protected) [2].

The worst thing is that this law actually works to marketers’ advantage, because as much as the public says that they don’t want to share their information or see targeted ads, what they really want is the reassurance of a more transparent process [3]. And the more control people feel they have over their data, the larger the quantity of data they are likely to give away [4]. As a result, the marketing world can’t help but support this type of law that gives more power to the public, because over time it increases people’s confidence, and consequently allows for greater collaboration between the public and advertisers. 

Unfortunately, this type of law tends to be very ineffective; the majority of European websites still don’t respect the GDPR, with 49% of websites still collecting data before obtaining consent from users [5]. The funniest thing is that, law or no law, the industry that’s the most transparent in its use of personal data and that protects your data the most, is pornography (or “adult sites” as the author of the article puts it) [6]. And in the end, even when your data is supposed to be protected, it still somehow manages to leak out to third parties, as happens regularly with email, from which data is constantly stolen [7].

Essentially, even if this draft bill comes to fruition, the final result might not meet expectations. People who believe themselves to be protected could end up voluntarily sharing their private data. Websites, through lack of resources, skills or scruples, will mostly flout the law. And countless unscrupulous individuals will continue to take advantage of security holes to help themselves to users’ data. 

Moreover, the worst data leak in Quebec in recent years, at Desjardins, had nothing to do with our use of the Internet. There’s clearly still a lot of work to be done before we can say we’ve made the world a better place. 

 

What do you think? I’d love to hear your thoughts.

 

In case you’re looking, here are my sources.

 

  1. Hargittai E, Marwick A. “What Can I Really Do?” Explaining the Privacy Paradox with Online Apathy. International Journal of Communication [Internet]. 2016 Jul 27 [cited 2017 Dec 12];10(0):21. Available from: http://ijoc.org/index.php/ijoc/article/view/4655
  2. Data protection rights: What the public want and what the public want from Data Protection Authorities. Manchester: Information Commissioner’s Office | European conference of Data Protection Authorities; 2015 May.
  3. Turow J, King J, Hoofnagle C, Bleakley A, Hennessy M. Americans Reject Tailored Advertising and Three Activities that Enable It [Internet]. Rochester, NY: Social Science Research Network; 2009 Sep [cited 2018 Jan 12]. Report No.: ID 1478214. Available from: https://papers.ssrn.com/abstract=1478214
  4. Hajli N, Lin X. Exploring the Security of Information Sharing on Social Networking Sites: The Role of Perceived Control of Information. J Bus Ethics [Internet]. 2016 Jan 1 [cited 2020 Feb 13];133(1):111–23. Available from: https://doi.org/10.1007/s10551-014-2346-x
  5. Trevisan M, Traverso S, Bassi E, Mellia M. 4 Years of EU Cookie Law: Results and Lessons Learned. Proceedings on Privacy Enhancing Technologies [Internet]. 2019 Apr 1 [cited 2020 Jan 21];2019(2):126–45. Available from: https://content.sciendo.com/view/journals/popets/2019/2/article-p126.xml
  6. Marotta-Wurgler F. Self-Regulation and Competition in Privacy Policies. The Journal of Legal Studies [Internet]. 2016 Jun 1 [cited 2017 Dec 12];45(S2):S13–39. Available from: http://www.journals.uchicago.edu/doi/full/10.1086/689753
  7. Englehardt S, Han J, Narayanan A. I never signed up for this! Privacy implications of email tracking. Proceedings on Privacy Enhancing Technologies [Internet]. 2018;2018(1):109–126. Available from: https://www.degruyter.com/downloadpdf/j/popets.2018.2018.issue-1/popets-2018-0006/popets-2018-0006.pdf