Effects of revoking consent and keeping track of tracking #16

Open
tessarakt opened this issue Jun 24, 2021 · 6 comments

@tessarakt

I wonder how revoking consent for (or objecting to) any kind of tracking could be implemented such that the data processor will/has to delete information it has so far collected ("pseudonymously").

Naively interpreted, a new request which misses a consent for e.g. "build a personalised ad profile" would just mean that this request may not be added to that "personalised ad profile". But how can a user request deletion of that personalised ad profile?

#13 could be useful here.

@coolharsh55
Contributor

This depends heavily on legal obligations, so I'll stick to GDPR for my comment. If some data is collected and processed based on consent, and that consent has been withdrawn, that data must be deleted - this is an obligation. If that same data is being collected and processed for multiple purposes, and you only withdraw consent for one of those purposes (where the other purpose may have a separate consent or another legal basis such as a contract), the data doesn't have to be deleted, because it is still needed for those other purposes. Long story short, if that data is only being used based on consent, its deletion is an automatic obligation (in most cases). It is the 'data controller' which is responsible for doing this, rather than the processor.

@tessarakt
Author

Sure - but for that, the data controller must be able to link the revocation of consent to the original granting of consent, e.g. through cookies. Does ADPC really ensure that this is the case?

@coolharsh55
Contributor

No, you're right that ADPC doesn't indicate which consent was revoked, and there are discussions in other issues about this. To add to that limitation, ADPC also doesn't indicate what data is utilised for the purpose, entities it's being shared with, data transfers, etc.

@coolharsh55
Contributor

If the controller has some means to identify the data subject, such that it is collecting data and adding it to that existing pile of data identifiable to a data subject, then the obligation applies that it must delete that data. If there is no such identifiable means, and the controller is (truly) collecting anonymised data, then the withdrawal of consent will mean prevention of further collection and processing. In practicality, I suspect there is no truly anonymised data, or that when called anonymised, it will just be abuse of re-identifiable data. Signatu has a proposal for including a receipt ID or some token for referring to the consent. So this is the same argument as Issue #6.

@tessarakt
Author

Yeah, such a token is what I had in mind.

@gb-noyb
Collaborator

gb-noyb commented Jul 8, 2021

I’ll copy here what I just wrote in #6:

  • Note that all this is very related to the spec’s section about “Personal scope”:

    The same person may or may not be recognisable to the website on a subsequent visit (for example when the user deletes stored IDs or uses another device or account), and may thus be considered a new user from the website’s perspective.

    The scope of the user’s exercise of rights is therefore limited to any personal data and information that relates to the user present in any transaction.

  • If a user once gave consent to being profiled, then deletes their cookies, then wants to withdraw their consent — then indeed there will be no way to tell the website which profile to delete, if the cookies were the person’s only identifier. I don’t know if this is a grave problem; at least it does not seem to be different from the status quo.

  • If we find that it is in fact a problem, I do see some appeal in having a ‘receipt number’ (programmers may think of it as an object capability or callback function) for each consent one has given; it would however not be an identifier for the subject, and it would not be passed to the website except when withdrawing the consent. This would both ensure one can withdraw consent without needing to keep cookies etc, and make it easier for the website to know which data to erase.
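
The receipt idea discussed in this thread, sketched as an added example; it is not part of the discussion and not ADPC's specification or API. Assumptions: the user agent generates the receipt and sends only its SHA-256 hash when consenting, so the website first sees the receipt itself at withdrawal; `Controller`, `new_receipt`, `commitment` and all sample values are hypothetical.

```python
import hashlib
import secrets


def commitment(receipt):
    """Hash of the receipt; this is all the website stores at consent time."""
    return hashlib.sha256(receipt.encode("ascii")).hexdigest()


def new_receipt():
    """User-agent side: a random secret that encodes nothing about the user."""
    receipt = secrets.token_urlsafe(32)  # 256 bits, unguessable
    return receipt, commitment(receipt)


class Controller:
    """Website side (hypothetical): one profile per (cookie ID, purpose)."""

    def __init__(self):
        self.profiles = {}  # (cookie_id, purpose) -> list of collected events
        self.consents = {}  # commitment -> (cookie_id, purpose)

    def record_consent(self, cookie_id, purpose, commit):
        self.consents[commit] = (cookie_id, purpose)
        self.profiles.setdefault((cookie_id, purpose), [])

    def track(self, cookie_id, purpose, event):
        # Collect only while a consent-backed profile exists for this purpose.
        profile = self.profiles.get((cookie_id, purpose))
        if profile is None:
            return False
        profile.append(event)
        return True

    def withdraw(self, receipt):
        """Erase the profile the receipt points to; no cookie is required."""
        key = self.consents.pop(commitment(receipt), None)
        if key is None:
            return False  # unknown receipt, or consent already withdrawn
        self.profiles.pop(key, None)
        return True


def demo():
    site = Controller()
    receipt, commit = new_receipt()
    # Constructed sample values: one cookie ID, two purposes, one receipt.
    site.record_consent("cookie-abc", "personalised-ads", commit)
    site.record_consent("cookie-abc", "analytics", new_receipt()[1])
    site.track("cookie-abc", "personalised-ads", "viewed /shoes")
    # The user deletes their cookies, then withdraws with the receipt alone.
    erased = site.withdraw(receipt)
    return erased, sorted(site.profiles), site.withdraw(receipt)
```

Withdrawing one purpose leaves the profile held under the other consent in place, and a receipt that has been used once no longer resolves to anything.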
