What is ‘consent farming’, and can you really ‘farm’ consent?

“It’s not often that something can be stated with absolute certainty, but here goes: People hate illegal robocalls,” suggests a Federal Trade Commission (FTC) blog post titled “E-I-E-I-No: Operation Stop Scam Calls targets operators that facilitate illegal robocalls, including ‘consent farms’.

Here’s another thing people hate: Misleading consent processes designed to extract personal information for illegitimate purposes.

‘Consent farms’ are the object of the FTC’s latest enforcement sweep. In July 2023, the regulator announced five new cases against companies accused of illegally obtaining “consent” to facilitate unwanted phone calls and other communications.

We’re putting quotation marks around “consent” for a reason. Let’s explore what consent farms do – and consider whether people can truly “consent” to the types of activities consent farms proliferate.

What is a ‘consent farm’?

A consent farm is a process by which a business coerces a consumer into providing their personal information and agreeing to the sale of that personal information.

The consent-farming process normally goes something like this:

• A company sets up a “reward site” offering consumers anything from free phones to gift cards and cash.
• The website claims consumers can obtain such rewards for free by providing certain personal information. The consumer answers questions about various aspects of their personal life. The chances of earning a reward are typically low or non-existent.
• During the rewards process, the visitor “consents” to a set of long-winded agreements that (ostensibly) grant the company permission to sell their personal information.
• The company sells the consumer’s personal information as a “lead” to third parties, who then target the consumer with calls and other communications.

There are variations on this consent-farming process. For example, a consent farm might look like a job application portal.

But the goal is always the same—acquiring consumers’ personal information and obtaining their “consent” to third-party communications.

FTC vs. Fluent

Now, let’s look at a real-life example of consent farming.

In a complaint against Delware-based company Fluent and its affiliates, the FTC provides some details of how the company procures personal information.

The consent-farming “funnel” begins on one of Fluent’s reward sites. A consumer visiting the site sees a large graphic of a gift card, which sits above with text reading, “Do you like to shop online?”. “Yes” and “No” buttons appear underneath the question.

The web page includes links to various policies and notices, but the FTC notes that the links are not sufficiently conspicuous, particularly on a mobile browser.

Whether the consumer chooses “Yes” or “No”, they are presented with further preliminary questions. Then a form requesting the consumer’s email address appears, together with a “Continue” button.

The web page states that by clicking “Continue”, the consumer agrees to Fluent’s privacy policy. That policy states that Fluent may sell the user’s personal information to unnamed “marketing partners” and “other third parties.”

If the consumer proceeds, they are told to complete a “quick survey” to earn their reward. The survey can consist of dozens of questions about intrusive matters such as the user’s health, financial situation, and employment history.

The FTC describes this process as “a ruse to obtain consumers’ purported consent to receive telemarketing and text message solicitations, including robocalls”.

Are consent farms illegal?

The law is rarely black and white. However, the FTC alleges that such conduct violates the FTC Act (a consumer protection law), the Telemarketing Act (a federal law regulating robocalls), and the CAN-SPAM Act (a federal law regulating unsolicited emails).

It’s also interesting to consider whether these companies are truly collecting “consent”.

Several US states have recently passed privacy laws with strong “consent” definitions. As it happens, the most recent state privacy law passed in Delaware—the home state of Fluent and many other businesses.

The Delaware Personal Data Privacy Act (DPDPA) defines “consent” as follows:

“…a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer…. “Consent” does not include any of the following:

1. Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information.
2. Hovering over, muting, pausing, or closing a given piece of content.
3. Agreement obtained through the use of dark patterns.”

The DPDPA does not enter into force until 2025. Fluent and its affiliates might not be covered by the law, and these sorts of activities do not always require consent.

But it’s interesting to consider whether the practices described above would meet the DPDPA’s “consent” definition.

• “Freely-given”: Tying consent to rewards means the consumer might feel disadvantaged if they do not consent.
• “Specific”: Consent should be linked to one purpose. A consent request covering multiple purposes might not be sufficiently specific.
• “Informed”: The consumer should receive clear, concise information about the business’s intended activities before consenting.
• Not obtained via “acceptance of a general or broad terms of use of similar document”: Consent farms typically rely on the consumer’s agreement to several long and complex agreements they might not have read.

Delaware is one of twelve US states to have passed a comprehensive privacy law in recent years. Each of these laws defines “consent” in similarly strict terms.

The legal landscape in the US is changing, and businesses should consider reviewing their consent practices in light of these changes.