Quantified-self and health data - innovation in the collection of consent
The phenomenon of quantified-self has been growing rapidly since its inception in the mid-2000s. The movement is gaining momentum with the development of connected objects and the health crisis.
Quantified-self is understood as measuring and comparing with others nutrition, physical exercise, sleep, mood, etc.
“Increasingly based on the use of connected body sensors – bracelets, pedometers, scales, blood pressure monitors, etc. – and mobile apps, these voluntary self-quantification practices are characterised by increasingly automated modes of data capture, and by the sharing and circulation of huge volumes of personal data.” #1
The qualification of health data, which gives rise to strict legal and technical requirements
Quantified-self consists of users providing, recording and analysing information about their lifestyle and state of health or well-being. Legally, the personal data processed are therefore considered sensitive and fall under a more restrictive legal regime. So much so that, as a matter of principle, the processing of health data is prohibited. As every principle has its exceptions, it is still possible to process health data, particularly from quantified-self, provided that the specific consent of the user is obtained. This implies being able to demonstrate, at any time, that the user has given consent. #2
The more sensitive the data, the more its processing must be controlled and protected as it poses a risk to the fundamental rights and freedoms of users (in particular, the fundamental right to privacy).
Consent, an essential condition for the success of any quantified-self project
The second paragraph of Article 9 of the GDPR sets out the exceptions that allow the processing of special categories of personal data, including health data. Among these exceptions, only one applies to quantified-self: when “the data subject has given his or her explicit consent to the processing of such personal data for one or more specific purposes”.
How to obtain consent?
For the process to be successful, two cumulative sets of rules must be respected: the legal requirements and the user experience (UX) requirements.
Legal requirements for obtaining consent to process health data
Article 4(11) and Article 7 of the GDPR set out the conditions for the validity of consent.
Consent is defined as “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies his or her agreement, by a declaration or by a clear affirmative act, to personal data relating to him or her being processed”.
When health data are involved, the condition that consent must be explicit is added.
Free consent is neither coerced nor forced.
For example: consent to the processing of the user’s email address for the purpose of sending a newsletter may not be mandatory to access the service. In this case, consent is not free.
This is closely linked to the condition that consent must be specific. The user of a quantified-self solution must be able to choose the situations in which his data will be processed, independently of each other.
For example: the fact that the user registers on a platform does not mean that he wants to receive its newsletter. He must be able to freely choose the purposes for which his data will be used.
The requirement of informed consent requires the data controller to be transparent with the user of its quantified-self solution. This implies giving him a certain amount of information upstream, which is defined by Article 13 of the GDPR.
Unambiguous consent results from a clear positive act. This means that consent cannot consist of unchecking a box (this is opt-out) or leaving a box checked in advance. According to the CNIL, this requirement also excludes “grouped” consents (where only one consent is requested for several distinct processing operations) and inaction on the part of the user: silence does not constitute acceptance. If the user does not say yes, it means no!
The first paragraph of Article 7 of the GDPR states that when the legal basis of a personal data processing activity is consent, the data controller must be able to demonstrate, at any time (and especially at the time of the CNIL’s control), that it has the consent of the users whose personal data it processes.
According to the CNIL, to ensure explicit consent, the data controller may, for example:
- include a specific consent box for the processing of sensitive data,
- request a written and signed statement from the data subject, or an e-mail indicating that the data subject expressly agrees to the processing of certain categories of data,
- collect consent in two steps: send an e-mail to the data subject, who must then confirm his or her first act of consent.
Solutions exist to help data controllers meet this obligation, which itself entails numerous requirements. These solutions make it possible, in particular, to generate time-stamped consent receipts and to sign them: this provides a reliable source of time, guarantees the integrity of each consent and, a fortiori, gives each receipt strong evidential value.
Finally, the third paragraph of Article 7 of the GDPR sets out, very clearly, the following two conditions: “The data subject shall have the right to withdraw consent at any time. […] It is as easy to withdraw as to give consent.” Obviously, the withdrawal of the user’s consent does not make the processing carried out up to that point unlawful. On the other hand, it is effective immediately and has the effect of stopping the processing, which can no longer continue, as it has no legal basis.
A good practice that is increasingly observed is to provide the data subject with a dedicated personal space (sometimes called a “Privacy Center”) from which he or she can consult the consents he or she has given and, if necessary, modify them. These spaces also allow certain preferences (preferred information channel or other) to be adjusted in real time. Compliance and the right to informational self-determination do not escape the users’ demand for immediacy!
Consent can be collected by any means, including on paper. Collecting consent in digital form, however, allows it to be put to the best use. A well-managed consent database makes it possible to know, in real time, which processing activities are permitted according to the consents granted for the determined purposes. These functionalities also make it possible to respond more quickly to requests from individuals exercising their rights. The user experience is enhanced and the data controller’s integration and maintenance requirements are reduced.
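The following is an added example, not Fair&Smart’s code or product: a minimal consent ledger that applies the rules set out above. Each purpose is consented to separately, only a clear affirmative act is accepted as evidence, every event is time-stamped and sealed so that later tampering is detectable, withdrawal is a single call that takes effect immediately, and a permission check answers, per purpose, whether processing is currently allowed. The purposes, the user identifier and the clock are constructed for the example; an HMAC over the serialised event stands in for the digital signature and trusted time source a real receipt service would use, and the secret key is a placeholder.

```python
# Added example (not the page's or Fair&Smart's code): a per-purpose consent ledger
# with time-stamped, sealed receipts. Purposes, key and sample data are constructed.
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Hypothetical purposes for a quantified-self app; each one is consented to on its own.
PURPOSES = {"health_tracking", "newsletter", "location_during_run"}

# Only a clear affirmative act counts as consent (GDPR Art. 4(11), Art. 7).
# A pre-ticked box, silence or simply continuing to use the app is not accepted.
AFFIRMATIVE_ACTS = {"checkbox_ticked", "signed_statement", "email_confirmed"}


class ConsentLedger:
    def __init__(self, key: bytes, clock: Optional[Callable[[], datetime]] = None):
        self._key = key  # seals receipts; stand-in for a signing key (assumption)
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._events: List[Dict] = []  # append-only: withdrawals are new events, not deletions

    def _seal(self, event: Dict) -> str:
        # Canonical JSON so that field order cannot change the seal.
        payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def _append(self, user_id: str, purpose: str, given: bool, act: str) -> Dict:
        event = {
            "user_id": user_id,
            "purpose": purpose,
            "given": given,
            "act": act,
            "timestamp": self._clock().isoformat(),
        }
        receipt = dict(event, mac=self._seal(event))
        self._events.append(receipt)
        return receipt

    def give(self, user_id: str, purpose: str, act: str) -> Dict:
        """Record consent for exactly one purpose, backed by an explicit act."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if act not in AFFIRMATIVE_ACTS:
            raise ValueError(f"{act!r} is not a clear affirmative act; nothing recorded")
        return self._append(user_id, purpose, given=True, act=act)

    def withdraw(self, user_id: str, purpose: str) -> Dict:
        """Withdrawing is as easy as giving: one call, effective immediately."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        return self._append(user_id, purpose, given=False, act="withdrawn")

    def verify(self, receipt: Dict) -> bool:
        """Recompute the seal; any altered field (purpose, decision, timestamp) fails."""
        body = {k: v for k, v in receipt.items() if k != "mac"}
        return hmac.compare_digest(self._seal(body), receipt.get("mac", ""))

    def is_permitted(self, user_id: str, purpose: str) -> bool:
        """The latest event for this user and purpose decides; no event means no consent."""
        state = False
        for ev in self._events:
            if ev["user_id"] == user_id and ev["purpose"] == purpose:
                state = ev["given"]
        return state

    def receipts_for(self, user_id: str) -> List[Dict]:
        """What a 'Privacy Center' would show the user: their full consent history."""
        return [ev for ev in self._events if ev["user_id"] == user_id]


def demo() -> Dict[str, object]:
    """Walk through give, check, tamper, withdraw with a fixed clock (constructed data)."""
    fixed_clock = lambda: datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    ledger = ConsentLedger(key=b"placeholder-key-not-for-production", clock=fixed_clock)
    receipt = ledger.give("user-42", "health_tracking", "checkbox_ticked")
    health_before = ledger.is_permitted("user-42", "health_tracking")
    newsletter = ledger.is_permitted("user-42", "newsletter")  # separate purpose, never asked
    tampered = dict(receipt, purpose="newsletter")  # try to stretch the consent to another purpose
    ledger.withdraw("user-42", "health_tracking")
    return {
        "receipt_valid": ledger.verify(receipt),
        "tampered_valid": ledger.verify(tampered),
        "health_before_withdrawal": health_before,
        "health_after_withdrawal": ledger.is_permitted("user-42", "health_tracking"),
        "newsletter_never_asked": newsletter,
        "history_length": len(ledger.receipts_for("user-42")),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter here. First, the ledger is append-only: a withdrawal is recorded as a new event rather than by deleting the original, so the controller can still demonstrate that processing before the withdrawal had a legal basis. Second, `is_permitted` defaults to `False` whenever no event exists, which is how “silence does not constitute acceptance” becomes an executable rule rather than a policy statement.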
Clear Legal Language, Legal Design and Privacy Icons in the service of the “Privacy UX”
Now that the conditions for collecting consent have been established, how can we ensure that this moment does not become a barrier to registration? Organisations are sometimes reluctant to implement a consent process that complies with the legal requirements, which are often considered too cumbersome: fear of being rejected by users, the fact that competitors do not do it either…
In the field of quantified-self more than anywhere else, compliant consent is a guarantee of a trusting relationship with the user, who will be inclined to share more data, particularly health data. This effect is reinforced by a quality UX: registering for the quantified-self solution and consenting to the data processing that will be carried out is the first step in the onboarding of the user to the service. The first impression must be good.
As the name suggests, clear legal language is simple and easily understood. But beware, expressing yourself in plain language is not a given!
Like clear legal language, Legal Design aims to make the law more accessible through a creative process around the topic at hand. Illustrations, icons and diagrams are used to improve readability and understanding. As regards the collection of consent, a good practice is to use Privacy Icons, specific to subjects related to the protection of personal data.
The final UX tip is to ask the user for consent only when it is actually needed. Letting the user sign up for the quantified-self solution without any immediate processing of their health data is a good practice: it allows them to navigate the tool and learn about its content and benefits without any risk to their privacy. Consent to the processing of their health data can then be sought only at the moment they wish to use the feature that requires it.
For example: in a running performance tracking application, location sharing is only necessary during the run.
Legal, ethical and economic issues related to consent
Consent is one of the most visible parts of compliance. Moreover, it is a must for the user of quantified-self tools, who is increasingly sensitive to the way his personal data is handled. This means that a poor UX of onboarding and consent gathering can affect the image of the data controller.
The practices outlined above do not only avoid the penalty of non-compliance. They have the advantage of leaving users free to decide what to do with their data. In addition to guaranteeing respect for their privacy, the data collected is more accurate and the bond of trust strengthened. The UX is differentiating and the result is a clear competitive advantage.
When dealing with personal health data, there are many obligations and it is not always easy to find the right method to comply and achieve the expected result. The subject of obtaining consent to process health data when using wellness or quantified-self tools is as important for users as it is for the publishers of these solutions. It is necessary to develop common goods, reference systems and standards on these subjects based on concrete cases of use in order to complete the law and guarantee the durability of innovative solutions.
It is not on all subjects that ethical and economic issues are aligned. By deploying the appropriate means, they can be aligned on the management of consents.
If you would like to learn more about Fair&Smart and our personal data management solutions, click on the button below: