Introduction
“My wife asked me why I was speaking so softly at home. I told her I was afraid Mark Zuckerberg was listening! She laughed. I laughed. Alexa laughed. Siri Laughed.”
Most of us have heard this joke tweeted by an X user in 2019. Everybody laughed it off as a harmless dig at the increasingly invasive nature of everyday tech. Fast-forward to 2024 and this tech is called active Listening Software. Some smartphones use active listening software to collect real-time data about user conversations and behaviour. Advertisers then use this data to target consumers with relevant ads, among other data uses.
Recently, the long-held suspicion that our phones were listening to our conversations became a reality after a marketing firm confirmed that smartphones come with software to listen to their users. The firm, whose clients are Google and Facebook, has admitted using the phone’s microphone to collect information.
The Recent Developments Surrounding Active Listening Software
Cox Media Group (CMG), associated with one of the largest cable companies in the U.S., has claimed it can listen to consumer conversations through smartphones, smart speakers, smart TVs, and other devices for targeted advertising. This controversial practice, which CMG terms “Active Listening,” has raised significant concerns about privacy and the extent of eavesdropping by marketing and advertising companies. CMG Local Solutions discussed its Active Listening marketing solution, which can customize a campaign “to listen for any keywords/targets relevant to your business.” The blog post, which was later removed, asked marketers to “Imagine a world where you can read minds. One where you know the second someone in your area is concerned about mould in their closet, where you have access to a list of leads who are unhappy with their current contractor, or know who is struggling to pick the perfect fine dining restaurant to propose to their discerning future fiancé.”
Implications for Active Listening Software Under the GDPR
Once we have understood the intensity of the invasion of privacy that active listening software causes, we can ask the next logical question: Is it legal?
In the simplest terms, it is not. In almost every legislation across the world dealing with privacy laws, consent is always considered one of the foundational principles of any collecting, processing and distributing activity of personal data. A more specific answer would lead us to examine the provisions of GDPR, which this software potentially violates.
- Article 5
Active listening software goes against the foundational principles laid down in the GDPR. Enumerated in Article 5 of the legislation, these principles relate to processing personal data. It states that personal data must be processed lawfully, fairly, and transparently, collected for specific, legitimate purposes, and not further processed incompatible with those purposes. Data minimization is essential, and accuracy must be maintained.
Active listening software often violates the principles of lawful, fair, and transparent data processing. This article mandates that personal data be collected for specific, legitimate purposes, ensuring the data is minimized and relevant to those purposes. However, such software typically collects data indiscriminately, without clear disclosure or limitations on how the information will be used.
- Article 6
The Lawfulness of processing is dealt with in Article 6. This article states that the processing of personal data is only lawful if the data subject has given consent, the processing is necessary for a contract, compliance with a legal obligation, protection of vital interests, public interest, or legitimate interests, except when overridden by the data subject’s fundamental rights and freedoms. Public authorities may not apply to processing.
Article 6 outlines the conditions under which personal data may be processed lawfully, including when the data subject has given explicit consent when the processing is necessary for a contract or compliance with legal obligations.
The lack of informed consent—one of the primary legal bases for data processing—makes the processing illegal. In many cases, users are unaware that their conversations are being recorded or monitored by the software, making it impossible for them to have given explicit consent.
- Article 7
Article 7 elaborates on the principle of consent and places obligations on the entity controlling the data. The controller must demonstrate consent from the data subject to process their data, with the request presented clearly and easily. The data subject has the right to withdraw consent at any time, and it should be as easy to cancel as giving consent. The Lawfulness of processing based on consent before withdrawal is not affected. Contract performance is considered when assessing consent.
Active listening software often fails to meet the stringent requirements for obtaining valid consent under Article 7. In practice, users frequently have no idea that their devices are actively listening to their conversations, let alone giving consent. Additionally, even if they were aware, it is rarely straightforward how to withdraw consent from such passive surveillance, which compounds the violation of this article.
- Article 9
Article 9 deals with the rules relating to data processing, which falls in a “special” category of personal data. The processing of personal data revealing racial, ethnic, political, religious, philosophical, or trade union membership, genetic, biometric, health, sex life, or sexual orientation is prohibited. However, this prohibition may not apply if the data subject has given explicit consent, among other circumstances requiring obtaining such data. Active listening software can easily collect such sensitive information without users’ explicit knowledge, thus violating the stringent protections around this data.
- Articles 12-23
Articles 12-23 lay down the rights of a data subject. These are a plethora of rights and include:
- Transparent information, communication and modalities for the exercise of the rights of the data subject
- Information to be provided where personal data are collected from the data subject
- Information to be provided where personal data have not been obtained from the data subject
- Right of access by the data subject
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
Users have the right to clear, transparent communication about how their data is processed. Active listening software often operates covertly, preventing users from being adequately informed. Users must be informed when their data is collected, even if indirectly. Active listening devices frequently gather data without notifying users, breaching this requirement. Users have the right to access personal data collected about them. With active listening, users are rarely made aware of data collection and, therefore, cannot access or review it. This failure to grant access violates their rights to transparency and control over their data. Individuals should be able to request the deletion of their data, but the hidden nature of active listening often makes this difficult. Users have the right to object to data processing. Active listening software typically bypasses these rights by not allowing users to know or contest how their data is used.
An Indian Perspective: What Does the DPDP Act Say?
The Digital Personal Data Protection Act, 2023 (DPDP Act) 2023 also mandates that data can only be processed for lawful purposes after obtaining consent, which should be “free, specific, informed, unconditional and unambiguous with a clear affirmative action“. Thus, it is apparent that using active listening software does not comply with this requirement since it listens to conversations and processes data without the user’s consent. Such software would also violate Section 9 of the DPDP Act, according to which children’s data cannot be processed without verifiable consent from their parent/guardian. This Section also prohibits tracking or behavioural monitoring of children or targeted advertising directed at children.
Certain rights are also granted to the users by this Act, which every entity (called Data Fiduciaries) that processes their data has to guarantee to the users (called Data Principals); these rights include the right to access information about personal data, correct to correction and erasure, right of grievance redressal and right to nominate. However, active listening technologies, most often, do not provide such rights.
It is important to note that non-compliance with the DPDP Act can result in penalties up to Rs. 250 crores.
Conclusion
Active listening software seriously threatens privacy, violating numerous GDPR provisions. This ongoing surveillance undermines user trust, exposing individuals to unauthorized data collection and exploitation while offering little control over how their information is processed or shared. Consequently, active listening software opposes GDPR’s and DPDP Act’s robust privacy protections, highlighting the urgent need for more stringent regulation and enforcement to safeguard consumer rights.
Recent Comments