In my first post in this “consent is dead” series, I challenged our core beliefs about digital consent:
We can’t – right now, anyway – force data-hungry companies to ingest data in tiny sips.
We can’t – using today’s methods – prevent identity correlation.
And we can’t empower people by asking them pretty much anything at the point of service.
By virtue of the results they produce, our current – and even emergent – systems are telling us what their true purpose is. Unfortunately, they’re not producing these outcomes. Just since I broached the “consent is dead” subject on the EIC stage on June 4, we’ve learned of AI cameras detecting passengers’ emotions in London, serious privacy critiques of the eIDAS Architecture Reference Framework, and the resurrection of third-party cookies.
So I’d like to explore three alternative beliefs that could reshape our approach to digital privacy, personal data rights, and user-centric permissions. In this post let me propose the first one…
Individuals Have the Right to Determine Their Relationship Status
In human relationships, we accept that anyone can decide to call it quits. Why does this change once we enter the digital world?
You lose control over your data with just one or two simple clicks – “I agree” or “Continue.” Even if you reject cookies or say no in other ways, you never know who will get their hands on your data next, painting a digital portrait of you so they can push camping gear ads right after you search for summer vacation spots.
It’s like your data is attending a never-ending party, and you can’t leave or clean up after yourself.
Why can’t we have the same freedom to decide on the status of a relationship in the digital realm? Instead of being effectively forced to surrender our data forever, we could assume a realistic amount of control – for example, being able to change our minds whenever we feel a digital relationship isn’t working.
If we believe individuals have the right to determine their relationship status, we’d probably think about the “subjects of data” differently, and perhaps regulate differently too. The GDPR notion of a data subject, now spreading throughout the regulatory world, empowers individuals somewhat more than its ancestral Data Protection Directive did. But it doesn’t do much to enable a basis for true relationship choice.
Here are two ideas that could help us live up to this belief. Lisa LeVasseur, founder of the Internet Safety Labs – formerly the Me2B Alliance – and I mooted both in a 2019 research article. (Disclosure: I am on the ISL board.)
Solution 1: The Me2B Lifecycle Model
The Me2B lifecycle model imports social norms into the digital context using concepts from interpersonal psychology and behavioral economics. This model advocates for interactions where the individual (Me) is on equal footing with the business (B), ensuring that the individual’s rights and preferences are respected and prioritized.
In the physical world, there are specific behavioral social norms and expectations for each of these stages of the Me2B Lifecycle. One doesn’t expect to be greeted by name, for instance, before any introductions have been made. Similarly, we don’t expect store employees to know our home address unless we’ve given it to them for a specific reason (such as delivery).
As you interact with digital service providers through different stages, their permission to know more about you would adapt – and the data they are permitted to know and use may grow, or wane. When you meet a “digital date” for the first time, it should be up to you whether to proceed. You could even decide to end the relationship and get back to “New phone, who dis?” stage with them.
This doesn’t mean loyalty programs must come to an end. Individuals and businesses alike could benefit from an uncoerced, transparent, and trustworthy association for such purposes.
(Read more about the complexities that underlie all these digital relationships in ISL’s Flash Guide #6.)
Solution 2: Right-to-Use Licensing
In the first post I talked about the legal structures underlying consent and consent-to-contract, without giving a lot of detail. (I did say IANAL, after all!) However, it’s worth going into more depth now, to highlight how a third legal structure – a license – may help us live up to this new belief.
You’re no doubt familiar with the process of negotiating agreements. Contracts require a “meeting of the minds,” a coming-together of purposes to find the intersection of the parties’ common interests. It’s sadly only a theoretical benefit with terms of service and privacy policies, which act as adhesion contracts. Plain consent is even worse because service providers “pull” agreement from you when they ask you to opt in or out – there’s a bit of coercion baked right into the experience.
If you could instead license the right to use your data, you’d be “pushing” terms out to others, which could go a long way to remediating the power imbalance in the situation. Those terms could cover personal data collection, use, further sharing, and more.
Such power in your hands wouldn’t have to inconvenience service providers – think of how standardized Creative Commons licensing is baked into tools around the world.
While having a contract in place would record the terms you agreed to (I’m tempted to say “agreed to” in scare quotes), plain consent doesn’t come with this automatically. Right-to-use licensing does – it’s in the license text. Wouldn’t it be awesome if personal data usage terms were just like Creative Commons – human-readable, machine-readable, and lawyer-readable?
Most attractively, you can revoke licensed rights in a way that recalls our rights in human relationships. If you’re not interested to continue, whether because of a trust issue or any other reason at all, you can end things.
An IEEE group has been exploring solutions for “Machine Readable Personal Privacy Terms,” and I hope to see progress soon.
User data is companies’ lifeblood today, and our devotion to a series of limiting beliefs in regulating and promoting privacy hasn’t helped us change the situation one whit.
Admittedly, living up to a new belief isn’t without its challenges. But the point of this particular new one is not to ensure airtight secrecy with zero data sharing; it’s to enable healthy online relationships between individuals and businesses. We won’t solve these challenges without “getting personal.”
Think about your own digital relationships, and how much you like them being determined by others. Wouldn’t you want to regain the power that belongs to you in the first place? What kind of data relationships do you want to build?
I bet you have more ideas that could help us live up to our privacy and consent ambitions, and hope you’ll share them in the comments. After taking part in episode #33 of Identerati Office Hours today, I’m inspired by the discussion with host Mike Schwartz and co-host Jeff Lombardo about how a Wall of Shame would spur consent enforcement, a GDPR 2.0 could capture new individual rights, and DRMing personal data could be the way to go. 😀 Check out the recording!
In the next post, I’ll explore a second belief that could help us reach for greater success in reimagining digital consent. Stay tuned!