MyTerms / IEEE P7012 - the 'No..., but' Browser/App Standard Privacy Signal
AKA The cookie banner zapper....
How great to see the EU Omnibus update to GDPR and ePrivacy regulations go big on the use of automated, machine-readable browser and OS signals to help people set and manage their privacy preferences. And that California, Colorado and other states have done similarly. I guess they all must have known that IEEE P7012, aka MyTerms, was due to publish in Jan 26.
Or if not, they certainly should.
Why, you say?
Quite simply because MyTerms offers precisely that capability. But it also does so in a more granular, less technical way than one might assume (given other signals in the market such as GPC / Global Privacy Control). In fact, the possibility to send signals that ‘get rid of cookie banners before they show up’ has been our most requested feature through development.
But firstly, what does the omnibus update say? Here are a few highlights, with MyTerms-related annotations from me in parentheses.
‘a regulatory solution on the consent fatigue and proliferation of cookies banners is long-overdue’ (yes, consent in this form has long since been meaningless. The UK Consumer Association research on the subject notes that people are ‘rationally dis-engaged’ when it comes to consent checkboxes, cookie banners and similar. That is to say, they know the approach is fundamentally flawed and unfair to them; but also know that they have no option but to go along with it).
‘used to track individual’s behaviour and interaction with different online services to provide personalised advertisement.’ (yes, that is why this whole issue persists)
‘Many of these online services rely on the revenue from advertising, including personalised advertising. This is also the case for media services.’ (and here’s the exclusion that seriously waters down the whole proposal)
‘Such banners contain information on purposes of processing, often linked to types of cookies, recipients of data, and they are not always easy for individuals to understand. For these reasons they might not achieve their aim – to inform the individual and give control over protecting their privacy and processing of their personal data, but instead are perceived as a nuisance to internet users. At the same time, the providers of online service incur considerable costs to design compliant banners.’ (both points great arguments for MyTerms)
‘For these reasons, it is proposed to immediately simplify the interplay of the applicable rules.’ (sooner the better)
‘The proposed amendments also provide for certain purposes where it should not be necessary to obtain consent and where the subsequent processing should be considered lawful, in particular where they pose a low risk to the rights and freedoms of the data subjects or where the placement of such technologies is necessary for the provision of a service requested by the data subject.’ (this is where MyTerms really helps; the agreements are tied to service provision/delivery)
‘Finally, the proposal paves the way for automated and machine-readable indications of individual choices and respect of those indications by website and mobile application providers and providers of mobile phone applications once standards are available. It gives the Commission a mandate to request the standardisation bodies to develop a set of standards for encoding automated and machine-readable indication of data subject’s choices, and the communication of those choices from browsers to websites and from mobile phone applications to web services. Once these are available, and after a six-month grace period, controllers using website and mobile applications to provide their service are obliged to respect those encoded automated and machine-readable indications.’ (great, we have long known that MyTerms will work best when the approach is baked into browsers, mobile and desktop OS. And MyTerms has already made a huge leap on the standardisation front via IEEE)
‘Where controllers ensure that their websites or mobile phone applications comply with such standards, they should benefit from a presumption of compliance. On this basis, it is expected that browsers also develop relevant settings.’ (yes, that is helpful; the MyTerms model reinforces that by bringing a robust enforcement model into the mix)
‘The provisions are formulated in a technological neutral manner so that also other tools, e.g. agentic AI, could support users in making consent choices, should they be fit for ensuring compliance with the requirements of the GDPR.’ (perfect, the MyTerms standard requires that people have agency / an agent acting on their behalf, no matter how simple. This is a smooth on-ramp to agentic AI supporting individuals across their many digital relationship management needs)
But now, the differences between the MyTerms model and what the EU seems to be asking for.
Firstly, IEEE P7012, aka MyTerms, is a governance standard underpinned by technology options rather than a technical standard that supports governance. That distinction is critical. MyTerms is, strange as it is to say, more about online manners and etiquette than it is about precise regulatory do’s and don’ts. Check out this great video, itself dating from 2015, comparing norms and behaviours in the online world with those of our much more evolved physical world.
Secondly, MyTerms is very much looking forward for many years. We see ‘consent’ largely as a ‘pre-massive scale Internet and web’ construct that will find it incredibly difficult, if not impossible, to scale to the complex, life-long digital existences that billions of people have from now on. Likewise, the concept that individuals will always be passive, and digital serfs (‘clients’) of organisation-run servers, will disappear. When individuals have genuine agency, then brand new capabilities emerge. MyTerms is one of the early steps on that journey.
Then, very specifically, MyTerms is about Contract as the legal basis for personal data exchange. The innovation is that these agreements, when signed, form contracts that are written from the perspective of the individual, and in three formats: plain language, machine language and detailed legal format. All are robust, pointing to the fabulous EU-backed resource that is the Data Privacy Vocabulary where they need canonical, permanent links to key privacy and data protection related words, concepts and definitions. Note that contract can form as a consent if needs be; what matters from the MyTerms standard point of view is that the individual is an active, empowered actor in the dance - that they have agency. In signing ceremony terms that will look and feel quite different to the current model, with obviously the ability to automate as discussed above and below.
Within these standard agreements, there is one that is set as default, and which therefore is sent in MyTerms standard-based browser signals as the individual’s default privacy preference. At present that is named Service Delivery Base, or SD BASE; but that name may evolve from its technical/legal start point to something more tuned for the mass market. Very simply, when an individual proposes SD BASE as their preferred privacy policy to an organisation they are saying ‘I’m here to look at or obtain a product or service from you. I will happily give you the data that you need for that, and enable you to use that data for the purposes that support product/service provision and delivery. But no more. I do not want to provide more data than that, or enable more purposes than that’. In other words, ‘just give me the service please, nothing else’. And in further words... yes, MyTerms specifically enables and turbo-charges the long-held privacy and data protection principles of transparency, data minimisation, purpose limitation, and reciprocity. There are then several more evolved relationships in the MyTerms registry that allow an increased data exchange. But they only kick in if the parties, via the methods in the standard, agree to escalate; perhaps to enable analytics, or to request data portability. (Each of the standard agreements has a variant that adds a data portability request to the interaction. The only capability that is specifically NOT in any of the standard agreements at present is third party tracking, i.e. surveillance.)
So what does all of that mean for the possible intersect between the EU stated requirements in the omnibus update to GDPR and ePrivacy? I would contend that MyTerms could well be a valid solution to the stated EU requirement. It is already coming from a standards body, and is very ethically aligned with core EU principles. The criticism of alternates and existing privacy signals is that they can be too broad and blunt, often forming as a giant NO; you can’t do that. Which is fine in theory, but is then largely ignored in practice.
I would contend that MyTerms, and especially the default ‘Service Delivery Only’ model, moves beyond the blunt ‘No’. It is effectively a ‘No..., but’. Or indeed, if/when the individual opts for a more evolved agreement with a specific organisation/app, then it becomes a ‘Yes..., but’. Two more points that may become relevant:
The MyTerms standard is about the handshake: the means through which agreements are proposed, iterated upon, signed and stored. A visual of that is below.
The agreements themselves (five in phase one and a further eight identified for phase two) are what can flex based on market conditions and their utility in practice.
The standard is due to launch in January 2026, in time for Global Privacy Week. The ‘MyTerms Alliance’ is forming now; that is the group of affiliated organisations that wish to support and enable the development and adoption of the work. The website for that should be up soon; in the meantime, drop me a note if you are interested in joining.
And let me close on one final reminder of what this is really about. MyTerms is for our Kids.


