Regulating targeted and behavioural advertising in digital services: How to ensure users’ informed consent
PE 694.680
Firstly, it has been argued that notices should focus on the most important issues, and that they should
be user-friendly and direct. In particular, simple and clear information should be given on how to opt
in or out of critical processing operations, such as those involving the tracking of individuals or the transmission
of data to third parties. An interesting example is provided by the new California Data Privacy Act,
which requires companies to include in their websites a link with the words “do not sell my data” (or a
corresponding logo-button) to enable data subjects to exclude transmission of their data to third
parties. Further opt-in or out buttons could be presented to all users, so as to provide them with ways
to express their preferences relative to tracking, profiling, etc. Such methods may enhance
communication and choice, though a tension remains between the precision and specificity of consent
on the one hand, and intelligibility with a limited effort on the other hand.
Secondly, under the GDPR, data collected for certain purposes may be processed for further purposes,
as long as the latter are compatible with the original ones. For instance, the fact that the data subject
has only consented to processing for a certain purpose (e.g., client management) does not necessarily
rule out that the data can be processed for a further legitimate purpose (e.g., business analytics). The
further processing is permissible when it is covered by a legal basis, and it is not incompatible with the
purpose for which the data were collected. When these conditions are not satisfied, the collected data,
in the absence of a specific consent, cannot be used for different purposes, potentially leading to different
risks and inconvenience. For instance, consent to client management does not authorise sending
targeted economic advertising, nor should consent to targeted economic advertising authorise political
advertising.
4.3.4. Consent and legitimate interest
In the context of Article 6 GDPR, criticisms of consent call into question the connection between the
two general legal bases for the processing of personal data, namely, consent itself under Article 6, para.
1 lit. a, and the necessity to satisfy the legitimate interests of controllers and third parties, while
preserving the interests of data subjects, under Article 6, para. 1 lit. f.
Can consent still provide a legal basis for processing when Article 6, para. 1 lit. f is not satisfied, i.e.,
when the processing is meant to achieve interests that are not legitimate or legitimate interests that
are outweighed by harms to data subjects or third parties? If the answer is no, i.e., if consent is legally
ineffective whenever Article 6, para. 1 lit. f is not satisfied, it seems that consent becomes irrelevant:
whenever consent provides processing with a valid legal basis, Article 6, para. 1 lit. f would also provide
a legal basis. On the other hand, if the answer is yes—consent is also effective when Article 6, para. 1
lit. f is not satisfied—it seems that, by consenting, data subjects can lawfully make choices that are
self-damaging or anti-social, according to a legal assessment of the interests at stake. Following this idea,
consent could be used to authorise processing operations that cause data subjects or society harms
that are not outweighed by the generated benefits.
The answer to this puzzle may consist in considering that the two legal bases in Article 6 para. 1 lits. a
and f are in many cases complementary rather than independent. To assess their complementarity, we
need to distinguish between two contexts in which data subjects may consent. In both, data subjects
agree to the processing of their data since they expect to receive some benefits. However, there is a
significant difference. In the first context, benefits are going to be delivered by the processing itself. In
the second one, the benefits are not delivered by the processing, but are rather made conditional on it
by the contractual and technological arrangements established by the controller.