COnSeNT 2022: 2nd International Workshop on Consent Management in Online Services, Networks and Things
Workshop on Consent Management in Online Services, Networks and Things (COnSeNT) - co-located with ACM Web Conference 2022 (WebConf)
Authors: Paulina Jo Pesch*, Harshvardhan J. Pandit*, Vitor Jesus*, Cristiana Santos*
Publication copies: harshp.com, TARA, zenodo
Resources: workshop website, proceedings
Organisers' abstract and introduction for the COnSeNT 2022 workshop
Keywords: Security and privacy - Human and societal aspects of security and privacy; Social and professional topics - Privacy policies; Security and privacy - Domain-specific security and privacy architectures
As people and businesses increasingly rely on the Web as a medium for communication, interaction, provision of information, and deployment of innovative services, such intense data sharing triggers the application of existing data protection and privacy laws (e.g. ePrivacy Directive - [leg_ePrivacyDir], GDPR - [leg_GDPR], and CCPA/CPRA). These laws govern how valid consent should be obtained and used for personal data management, laying down strict requirements. The data economy will change yet again with the upcoming ePrivacy Regulation - [leg_ePrivacyReg], the Digital Services Act - [leg_DigServAct], the Data Governance Act - [regDataGov] and the Data Act - [regDataAct]. Pursuant to such requirements, research, policy making and industry alike move towards increasing transparency, user empowerment and usability, accountability, and privacy by design to ensure the required legal compliance framework. This demanding setting has led to new consent proposals, disciplines, actors and roles. These include standardised user-centric consent proposals such as the Consent Receipt Specification - [kantaraCRS], the Internet Advertising Bureau’s Transparency and Consent Framework (TCF) standard - [IABTCF], ISO/IEC 29184 Online Privacy Notices and Consent - [ISOconsent], the Global Privacy Control (GPC) specification - [GPCspec], and recently the Advanced Data Protection Control (ADPC) specification - [ADPCspec]. Consent Management as a discipline is only now becoming prominent as an emerging result of the many challenges across various disciplines, among them the legal, technological, sociological, UI/UX and HCI, privacy, and security domains. Current consent implementation and its management on the Web is still in its infancy when intersecting concomitant actors and their roles, such as average (and vulnerable) users, their devices, publishers, consent management platforms, content providers, third-parties, regulators, and information itself.
The Workshop on Consent Management in Online Services, Networks and Things (COnSeNT) provides a dedicated venue for researchers, practitioners, and all stakeholders to discuss and present investigations, critiques, and advances related to consent and privacy preferences.
Recent Debates, Events and Trends
In the period of 2021–2022, consent has raised many debates and several events occurred that have the potential to affect how consenting takes place in the online and digital world.
For COnSeNT 2022, the call for papers specifically referred to the following currently discussed topics:
Phasing out 1st/3rd Party Cookies
Privacy-preserving advertising based on consent
Consenting in/with novel proposals e.g. Google’s FLoC
User interactions and consent for automation (i.e. AI)
Internet/Web protocols and standards for Consent
Role of web browsers in adopting consent mechanisms
The following events and trends of 2021–2022 are particularly relevant and impactful:
COnSeNT is a cross-disciplinary workshop and serves as a forum for talks and discussions from diverse perspectives, as online consent management has numerous dimensions. Online consent management first and foremost poses legal and technological challenges, but also raises questions in other areas such as psychology, linguistics, human computer interaction, communication studies, and economics.
Law. Current and incoming EU data protection and privacy regulations impact consent management in online services. The GDPR imposes strict requirements for a valid consent request: it must be freely given, prior to any data collection, informed, specific, unambiguous, readable and accessible, and revocable (Articles 4(11) and 7) - [cristianacookies].
A recent decision - [BelgianDecision] by the Belgian Data Protection Authority (APD) highlights some of the most pressing legal challenges regarding consent. This decision holds that the Interactive Advertising Bureau Europe’s Transparency & Consent Framework (IAB TCF) - [IABTCF], a consent industry standard, does not fully satisfy ePrivacy and GDPR requirements in its current form (also cf. - [cristianacookies], [MBS2020], [VealeBorgesius], [CNTBR2021], [CNILdec], [PolishDPA], [CNIL-Google], [ICOadtechRTB]). The decision asserts IAB Europe’s status as a "controller" of personal data jointly with the participants of the TCF (publishers, CMPs and ad-tech vendors) for the collection and sharing of the TC string and for subsequent processing of personal data, as part of OpenRTB. It also ruled that the current form of the TCF is insufficient for providing transparency to data subjects, for obtaining consent to adtech processing, and for establishing legitimate interests as a legal basis for processing data subjects’ personal data for profiling - [VNSimpossible].
Regarding incoming legislative initiatives, the current ePrivacy Regulation proposal, facing trilogue negotiations, is yet to define relevant aspects of online privacy, for example whether browsers and other software placed on the market permitting electronic communications (such as automatic privacy signals) will, by default, be set to prevent tracking individuals’ digital footsteps - [leg_ePrivacyReg]. It will also determine whether the use of tracking walls will be permissible. The EU Parliament recently voted on the proposed Digital Services Act [leg_DigServAct] to include a “ban on dark patterns” relating to consent and to offer options based on “tracking-free advertising” in case consent is refused or withdrawn to avoid coercion via tracking walls.
Technology. Consent is a challenge that stems from technology, and approaches for its effective management will necessarily require novel technologies. Notably, managing consent is not simply managing the collection point but should involve the whole lifecycle of personal data. At the moment, we can see three main approaches that are likely complementary rather than self-sufficient, at least in the absence of regulations. The first approach consists of the Consent Management Providers (CMPs), whose role and responsibilities have been questioned - [cristianacookies]. The key strategy is to display a prominent consent request that asks for user action in an unambiguous manner (e.g., by clicking a button) and, in principle, halts data collection until the user’s notification. The second approach, which is sponsored by CCPAs, is to use simple notifications, or "signals", such as the Global Privacy Control (GPC), sent directly from the user agent (often a browser) and, commonly, asynchronously to a notice (see a comprehensive overview on consent signals in - [PPFsignals]). The third approach is to rely on an authenticated user artefact, such as a Consent Receipt - [jesusharsh3022], that enables management of the consent lifecycle, thus removing the focus from the point of collection and bringing accountability and transparency to the front.
Technology is not only crucial for consent implementation. Technological approaches can provide deep insights into the consent ecosystem and can allow for automated compliance checks. For example, scrapers and crawlers can be used to collect data on cookie banners on large numbers of websites - [MaxMeasuring], [darkpatternsscrape]. The NGO noyb uses automated website scans to enforce the compliance of cookie banners with the GDPR on a large scale - [noybterror].
Other social sciences. Unraveling consent also calls for social science perspectives other than the legal. Facilitating truly informed consent requires providing online users with information they are not only able to perceive and understand but also willing to absorb. To design functioning consent dialogues that attract online users’ attention and promote an informed decision, it is necessary to consider psychological and linguistic aspects, and to carry out empirical user studies on users’ perception and interaction with consent dialogues (cf. - [comicsinfographics], [BotesRossi2021]). Furthermore, economic research can provide valuable insights into the consent ecosystem and contribute to solutions for improving privacy online. As the processing of personal data for targeted advertising promises to increase revenues, consent signals might be monetisable, creating incentives to collect as much consent as possible - [commodification]. Law and economics can provide an approach to proposals for regulatory frameworks that improve online users’ privacy - [externalities].
The program of COnSeNT 2022 comprises paper presentations, a keynote, and a panel discussion. At the time of writing, the list of panelists and the panel description are not yet finalised. This section, therefore, provides an overview of the accepted papers and the keynote only.
Papers to be presented at COnSeNT 2022
The three submissions accepted for presentation at COnSeNT 2022 discuss aspects of consent from the empirical, economics and law, and technical perspectives.
In their empirical paper “Conciseness, interest, and unexpectedness: user attitudes towards infographic and comic consent mediums” - [comicsinfographics] Xengie Cheng Doan, Annika Selzer, Arianna Rossi, Wilhelmina Maria Botes, and Gabriele Lenzini examine how users perceive consent mediums beyond plain text information. Through structured interviews with 24 internet users in Germany, the authors found significant differences in users’ attitudes towards a consent comic on the one hand and a consent infographic on the other hand. The authors identify infographics as more promising for consent especially as they enable users to prioritise information and skim. Based on the interviewees’ widely varying attitudes towards the comic, the authors emphasise the importance of audience fit and tone for presenting information to users.
Nils Wehkamp, in his paper “Internalization of privacy externalities through negotiation: Social costs of third-party web-analytic tools and the limits of the legal data protection framework” - [externalities], scrutinises third-party web-analytic tools from an economics and law perspective. The author interprets the data collection and sharing for web-analytics as externalities, arguing that website owners benefit from the use of third-party tools, while the data processing negatively impacts users, especially where their data are further used for targeted advertising. The further analysis explores possibilities for users to negotiate about the use of such tools in a semi-automated way through cookie banners. The author points out that, although existing data protection law in theory gives users control over their data, effective negotiation in practice does not take place.
Laurens Debackere, Pieter Colpart, Ruben Taelman, and Ruben Verborgh present “A Policy-Oriented Architecture for Enforcing Consent in Solid” - [ConsentSolid]. Solid is a specification for access control over decentrally stored data - [solidproject]. To obtain informed consent in compliance with the GDPR based on the existing web access model in Solid, the authors propose a layered architecture comprising two components: an Access Management App that uses digital signatures to ensure the integrity of data controllers’ requests and users’ decisions, and an Authorisation Agent. Through the Access Management App, data controllers shall create specific Processing Requests for which online users shall grant and revoke access to their data, while the Authorisation Agent matches access requests with users’ decisions.
The keynote speaker of COnSeNT’22 is Robin Berjon, a long-standing computer scientist working in Computer Privacy and Data protection. Among other works, the speaker was the editor of the HTML5 specification and, more recently, co-author of the Global Privacy Control specification at W3C. His keynote addresses the interplay between informed consent, which necessarily builds on voluntariness, and the hyper-monetisation that currently drives the Web of Personal Data. The talk will explore ethical conflicts, the misalignment of procedures and incentives, and the constraints users see, starting with usability and human interfaces.
Previous Edition: COnSeNT 2021
The 1st edition of COnSeNT was successfully held at the IEEE Euro S&P 2021 conference on 7th September 2021. The program of the full-day virtual workshop with approximately 40 participants from diverse fields and professional backgrounds comprised six paper presentations, a keynote, and a panel discussion.
The paper presentations provided diverse perspectives on different aspects of consent and encouraged vivid interdisciplinary discussions. The workshop started with interdisciplinary talks with a focus on regulation. Paulina Jo Pesch shared findings from interviews with members of the Global Vendor List (GVL) - [IABGVL], shedding light on “Drivers and Obstacles for the Adoption of Consent Management Solutions by Ad-Tech Providers” - [pjpvendors] against the background of legal issues of the TCF - [IABTCF]. This was followed by Vitor Jesus’ position paper “Pragmatic Online Privacy: the SftE Approach” - [Jesus2021], in which the speaker proposed a “Start-from-the-End” regulatory approach to re-empower online users. Two papers focused on the translation of legal requirements to technical solutions. The paper “Representing Consent and Policies for Compliance” - [BonattiSauroLangens2021] by Piero A. Bonatti, Luigi Sauro and Jonathan Langens explored a machine-understandable policy language for consent solutions and algorithms for checking compliance with the GDPR and providing users with explanations. Beatriz Esteves, Harshvardhan J. Pandit and Víctor Rodríguez-Doncel described an extension to Solid’s - [solidproject] Access Control Language (ACL) based on the Open Digital Rights Language (ODRL) in their paper “ODRL Profile for Expressing Consent through Granular Access Control Policies in Solid” - [EstevesPanditRodD2021]. Two papers approached consent from a social science perspective. Maria Wilhelmina Botes and Arianna Rossi, with their paper “Visualisation Techniques for Consent: Finding Common Ground in Comic Art with Indigenous Populations”[3] - [BotesRossi2021], evaluated a low-tech informed consent solution in the form of a comic. Soheil Human and Mandan Kazzazi, in their paper “Contextuality and Intersectionality of E-Consent: A Human-centric Reflection on Digital Consenting in the Emerging Genetic Data Markets” - [humankazzazi2021], proposed and applied an interdisciplinary and human-centric approach to consent solutions.
The keynote, titled “Consent ‘spam’ and the undermining of European data protection law”, was given by Dr Johnny Ryan (FRHistS), a Senior Fellow at the Irish Council for Civil Liberties (ICCL). The speaker was previously the Chief Policy & Industry Relations Officer at Brave (the web browser), and is well-known for exposing the problems of the internet-based surveillance ad-industry and its implications for competition, anti-trust, and privacy.
The talk presented an in-depth and approachable explanation of how RTB-based ad mechanisms work, who the actors are, and the involvement of problematic sensitive personal data. In particular, it focused on the perceived incompatibilities of such mechanisms with the underlying principles and obligations of GDPR. The keynote was presented between Dr. Ryan’s complaint to the Belgian DPA and its decision in 2022 - [BelgianDecision]. As such, it led to an interesting series of discussions during the Q&A session with the attendees, which included the CEO of IAB Europe. The keynote was recorded and is available for viewing online.
Accompanying the keynote and diverse topics presented through papers, the workshop also featured a panel consisting of experts and stakeholder representatives discussing “Does Consent work? If not Consent, what else?”. The panel consisted of:
Armand Heslot (CNIL): Head of technology experts department at CNIL and member of EDPB’s Technology subgroup.
Irene Kamara (Tilburg University): Assistant Professor of Cybersecurity Governance at Tilburg, and an expert in standardisation with prior experience at EDPS, CEN and CENELEC, and a member of the ENISA Experts List.
Mark Lizar (Kantara Initiative): Co-inventor of the Kantara Consent Receipt specification, active member of standardisation processes as representative of Canada.
Robin Berjon (New York Times): VP of Data Governance at New York Times, established expertise in developing and driving standardisation efforts in W3C, editor of HTML Specification, and co-author of the Global Privacy Control specification.
Rob van Eijk (Future of Privacy Forum): FPF’s Managing Director for Europe, previously member of the Dutch Data Protection Authority (DPA) for 10 years, involved in Article 29 Working Party’s discussions on Do Not Track, and with a recent PhD focusing on online advertising (real-time bidding).
Townsend Feehan (IAB Europe): CEO of Interactive Advertising Bureau (IAB) Europe, and previously Microsoft Legal & Corporate Affairs in Brussels.
The panelists discussed the current state of consenting on the web in terms of cookie and consent dialogues, the issues surrounding it, how it relates to the legal requirements (in particular the GDPR), and the disparities between using consent and legitimate interests within online advertising mechanisms. While there was no formal conclusion to the panel, there was a general agreement at the end regarding known issues and the necessity to produce solutions that fix and improve the situation.
The panel was recorded and is available for viewing online.
Harshvardhan J. Pandit is funded by the Irish Research Council Government of Ireland Postdoctoral Fellowship Grant #GOIPD/2020/790. The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant #13/RC/2106_P2. Cristiana Santos is funded by RENFORCE, Utrecht University.
V. Jesus and H. J. Pandit, "Consent Receipts For a Usable And Auditable Web of Personal Data," in IEEE Access, 2022. doi: 10.1109/ACCESS.2022.3157850.
Cristiana Santos, Nataliia Bielova, and Celestin Matte. 2020. "Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners.", Technology and Regulation 2020 (Dec. 2020), 91-135. https://doi.org/10.26116/techreg.2020.009.
Paulina Pesch. 2020. "Drivers and Obstacles for the Adoption of Consent Management Solutions by Ad-Tech Providers". In Euro S&P Workshop on Consent Management in Online Services (COnSeNT 2021).
Soheil Human and Mandan Kazzazi. 2021. "A Human-centric Reflection on Digital Consenting in the Emerging Genetic Data Markets". In Euro S&P Workshop on Consent Management in Online Services (COnSeNT 2021).
Beatriz Esteves, Harshvardhan J. Pandit, and Víctor Rodríguez-Doncel. 2021. "ODRL Profile for Expressing Consent Through Granular Access Control Policies in Solid". In Euro S&P Workshop on Consent Management in Online Services (COnSeNT 2021).
Piero E. Bonatti, Luigi Sauro, and Jonathan Langens. 2021. "Representing Consent and Policies for Compliance". In Euro S&P Workshop on Consent Management in Online Services (COnSeNT 2021).
Vitor Jesus. 2021. "Pragmatic Online Privacy: the SftE Approach". In Euro S&P Workshop on Consent Management in Online Services (COnSeNT 2021).
Maria W. Botes and Arianna Rossi. 2021. "Visualisation Techniques for Consent: Finding Common Ground in Comic Art with Indigenous Populations". In Euro S&P Workshop on Consent Management in Online Services (COnSeNT 2021).
Belgian DPA. "Decision on the merits 21/2022 of 2 February 2022, Unofficial Translation from Dutch, Case number DOS-2019-01377". https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-21-2022-english.pdf.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).
Proposal for a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC.
IAB Europe. 2021. "Transparency and Consent Framework Policies". https://iabeurope.eu/wp-content/uploads/2021/09/TransparencyConsentFramework-_Policies_version_TCF-v2.0-2021-06-22.3.4.docx.pdf.
Kantara Initiative. 2018. Consent Receipt Specification. https://kantarainitiative.org/download/7902/.
ISO standard "ISO/IEC 29184:2020 Information technology — Online privacy notices and consent". https://www.iso.org/standard/70331.html.
Global Privacy Control (GPC). Proposal 27 January 2022. https://globalprivacycontrol.github.io/gpc-spec/.
Advanced Data Protection Control (ADPC). Unofficial Draft 08 July 2021. https://www.dataprotectioncontrol.org/spec/.
Kif Leswing. 2022. "Facebook says Apple iOS privacy change will result in $10 billion revenue hit this year". https://www-cnbc-com.cdn.ampproject.org/c/s/www.cnbc.com/amp/2022/02/02/facebook-says-apple-ios-privacy-change-will-cost-10-billion-this-year.html.
IAB. Vendors List. https://iabeurope.eu/vendor-list/.
Solid Project. https://solidproject.org/about.
Daniel W. Woods and Rainer Böhme. 2020. “The Commodification of Consent”, in: Workshop on the Economics of Information Security (WEIS), Belgium 2020.
Xengie Cheng Doan, Annika Selzer, Arianna Rossi, Wilhelmina Maria Botes and Gabriele Lenzini. 2022. In COnSeNT 2022. Web Conference, Lyon, France (in press).
Nils Wehkamp. 2022. "Internalization of privacy externalities through negotiation: Social costs of third-party web-analytic tools and the limits of the legal data protection framework". In COnSeNT 2022. In Proceedings of The Web Conference (Web’22). Web Conference, Lyon, France (in press).
Laurens Debackere, Pieter Colpart, Ruben Taelman and Ruben Verborgh. 2022. "A Policy-Oriented Architecture for Enforcing Consent in Solid". In COnSeNT 2022. In Proceedings of The Web Conference (Web’22). Web Conference, Lyon, France (in press).
Maximilian Hils, Daniel W. Woods and Rainer Böhme. 2020. “Measuring the Emergence of Consent Management on the Web”, in: Internet Measurement Conference (IMC), ACM.
noyb.eu. "noyb aims to end “cookie banner terror” and issues more than 500 GDPR complaints". https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-issues-more-500-gdpr-complaints.
Midas Nouwens, Ilaria Liccardi, Michael Veale, David Karger and Lalana Kagal. 2020. “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence”. In: Proceedings of CHI ’20 CHI Conference on Human Factors in Computing Systems, April 25–30, 2020, Honolulu, HI, USA.
Célestin Matte, Nataliia Bielova and Cristiana Santos. 2020. “Do Cookie Banners Respect My Choice? Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent framework” in IEEE Symposium on Security and Privacy (IEEE S&P’20).
M. Veale, and F. Z. Borgesius. 2021. “Adtech and Real-Time Bidding under European Data Protection Law.” German Law Journal.
Maximilian Hils, Daniel W. Woods and Rainer Böhme. 2021. Privacy Preference Signals Past, Present and Future. In Proceedings on Privacy Enhancing Technologies, vol.2021, no.4, pp.249-269.
Cristiana Santos, Midas Nouwens, Michael Toth, Nataliia Bielova and Vincent Roca. 2021. “Consent management platforms under the GDPR: processors and/or controllers?”. In Gruschka N., Antunes LFC, Rannenberg K., Drogkaris P. (eds) Privacy Technologies and Policy. APF 2021. Lecture Notes in Computer Science, vol 12703.
Michael Veale, Midas Nouwens and Cristiana Santos. 2022. "Impossible Asks: Can the Transparency and Consent Framework Ever Authorise Real-Time Bidding After the Belgian DPA Decision?" Technology and Regulation 2022, 12–22. https://doi.org/10.26116/techreg.2022.002.
Commission Nationale de l’Informatique et des Libertés. Décision MED-2018-042 du 30 octobre 2018.
European Data Protection Board. 2019. “Polish DPA Withdrawal of consent shall not be impeded.” https://edpb.europa.eu/news/national-news/2019/polish-dpa-withdrawal-consent-shall-not-beimpeded_en.
European Data Protection Board. 2019. “The CNIL’s restricted committee imposes a financial penalty of 50 Million euros against GOOGLE LLC.” https://edpb.europa.eu/news/national-news/2019/cnils-restricted-committee-imposes-financial-penalty-50-million-euros_en.
Information Commissioner’s Office. 2019. “Update report into adtech and real time bidding.” https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906-dl191220.pdf.
Proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act).
Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act).
[3] At the workshop the authors presented their paper under the title “Standards for consent? From icons to comics and beyond!”.