Why Consent Has Now Failed as a Means to Protect Personal Data
…and how MyTerms addresses that, allowing us collectively to move to a better model
I recall, way back in 1988 or so, first encountering ‘consent’ in the context of gathering and using personal data. For me that was when deploying the UK Data Protection Act 1987 for a large retail firm. Back then, ‘consent’ was not the core focus of the regulation; it was more around transparency and subject access. Check boxes were mainly used to signify a simple opt in, to a newsletter for example.
The 1998 update of the Act brought forward ‘consent’ as a big focus. By that time, The Internet was becoming a thing to be taken into account. The ‘consent check box’ emerged as a process in which a degree of friction was added into the registration processes of websites and applications. This friction was deliberately designed in to give individuals pause to read, understand and decide whether they wished to provide their data to enable whatever relationship they were engaging with at the time.
Personally I think that this concept was pretty much broken from the start. I certainly don’t recall any large-scale consumer research commissioned either by regulators or large organisations that looked at differing approaches and concluded that the optimal one was ‘check this box to confirm that you have read, understood and agree with our terms and conditions and privacy policy’. Each organisation might research its own customer experience around registration; but ‘that bit the lawyers do’ was often out of the research scope and assumed to be untouchable by marketers and customer experience professionals.
And then the killer problem around consent. Whilst organisations might research their own domain, it seems no-one has been looking at the overarching effect of adding that friction many times over. That is to say, if one only looks at the registration process for one organisation, then one is presumably assuming that the individual would spend a few minutes on that necessary friction. But no-one is taking ownership of that friction multiplied many times over, given that we can all easily have 100 online accounts or more. And doing business online is now more or less essential across many aspects of life, so that friction increases in volume significantly from the individual’s perspective. Say 3 minutes x 100 accounts = 300 minutes, or 5 hours.
Then again, maybe that is a significant underestimate. This is how AI explains the situation; it seems pretty accurate to me:
Reading Time for Individual Policies
- Average Single Policy: Reading a standard privacy policy takes approximately 27 to 29 minutes.
- Complex or Global Policies: Policies for major tech platforms like Meta (Facebook/Instagram) can take nearly 82 minutes to finish.
- "Consent Fatigue": A widely documented phenomenon is "consent fatigue," where users, overwhelmed by frequent pop-ups and requests across different websites, simply click "Accept All" or "I Agree" without reading the details, just to access the content. This "blind acceptance" undermines the core principle of informed consent.
That’s pretty clear then: the current approach, using deliberately inserted friction, does not and never will scale.
So why do regulators persist with this model?
I’m guessing that it is because until now there has not been a better option on the table.
MyTerms could be that option.
What then is the game changer in the MyTerms model that enables us collectively to move beyond the current ‘friction’ based model?
Quite simply, MyTerms starts from a different assumption from all prior privacy and data protection models.
MyTerms starts with the individual and builds capabilities on that side of the digital relationship, and not, therefore, initially on the organisation side, which is where all current ‘protection-minded’ models build.
If you think about that, it becomes fairly obvious that building on the individual side is a perfectly valid construct. It takes two to form a relationship; so why expect only one of them to take on the relationship management burden when it could be shared and co-managed? That does not make MyTerms an easy lift; but the model is certainly now very do-able - for the simple reason that most people now have the highly capable devices that are our smartphones.
In fact I would contend that if people had had smartphones before, or alongside, organisations having CRM and e-commerce, then digital relationship management would have evolved very differently. Imagine individuals coming to form the relationship with tools that:
- are always on,
- are always present,
- are highly programmable,
- know and can prove who and where they are,
- and which can connect, communicate and exchange data in any number of ways,
- then just as easily evolve or terminate connections.
That’s a pretty compelling start point for a ‘subscribe to me’ model of relationship management which begins with the individual.
Let’s leap forward then and consider how MyTerms can lead tactically to much better approaches to personal data exchange. And then strategically to much improved digital relationship management.
When the standard publishes in late January 2026, it will clarify that, at the top level, it is really a governance standard: more about online manners than anything else. It then sets out ‘the handshake’, the process through which standardised agreements are proposed, discussed, signed and recorded. I think of this as a bit like DocuSign for machine-readable privacy policies. It enables the parties to propose, discuss, sign and record data sharing agreements (contracts) in a repeatable, sector- and geography-agnostic way.
Then we have the MyTerms agreements themselves. It is probably easiest to think of these as replacements for, or alternatives to, what we currently call Privacy Policies. A current-norm privacy policy is an organisation saying to an individual, ‘here is OUR policy towards YOUR privacy’. Whereas a MyTerms agreement enables an individual to say ‘here is MY policy towards MY privacy’. A subtle but important distinction.
On launch, MyTerms will run with 5 standardised agreements. They are covered at the high level on the MyTerms website. But let’s drill into the one that likely has most impact when it comes to addressing ‘the consent problem’. This is known as ‘Service Delivery Only’, or SD-BASE. This is the default agreement for any individual setting themselves up to use MyTerms.
It pretty much does as the name suggests. An individual wishes to sign up for some product or service that has a digital component. This agreement and the MyTerms standard enable them to say ‘I’d like to sign up for this product/ service; I propose we manage the data exchange aspect of this under the MyTerms Service Delivery Only agreement’. Let’s assume, for now, that the organisation is fine with that, as it doesn’t do any of the things this agreement excludes anyway, such as enabling third-party tracking/ surveillance. That proposal can theoretically come in through any channel, including paper or smoke signals; MyTerms/ IEEE P7012 is technology agnostic. But in practice it is more likely to come in from a MyTerms-enabled personal agent, mobile app or browser plug-in. It may well come with built-in customer-powered KYC to smooth onboarding. And if both parties are leveraging the machine-readability aspect of MyTerms then there are few or no points at which individuals need to get manually involved in the onboarding process.
On the flip side, if an individual proposes a MyTerms agreement, and the organisation is not geared up to listen for and accept the proposal, then the customer might well have gone elsewhere without the organisation even being aware of their interest. (Consumer Reports Labs have a great demo of organisations winning business because they accept MyTerms; I will post it if and when I find it online.)
The visual below illustrates what can be accomplished with the MyTerms Service Delivery Only agreement when expressed as a browser header. It shows one way in which MyTerms can be deployed as an alternative to the broken consent/ cookie banner model. The agreement can express the individual’s privacy preferences in machine readable form. When received by an organisation this confirms that the individual agrees to provide the data that is essential for the delivery of the product/ service. It also confirms that they wish to provide no data, or data use permissions over and above that required for service delivery.
That being the case, the organisation has no need or remit to serve up a cookie banner and a consent check-box. They already have the details they need for privacy regulation (e.g. GDPR, ePrivacy) compliance at their end; and have that recorded in the form of the mutually signed agreement.
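As an added illustration of the flow just described (this is example code, not the standard’s own code or wire format): an organisation’s web front end listens for an agreement proposal carried in a request header, accepts SD-BASE only when its own practices stay within service delivery, records the accepted agreement as its compliance evidence, and otherwise falls back to the existing banner. The header name, its JSON value and the OrgProfile fields are assumptions; the signing step of the handshake is not modelled.

```python
import json
import time
from dataclasses import dataclass
from typing import Optional

# Agreement identifier named on the page; SD-BASE is the default proposal.
KNOWN_AGREEMENTS = {"SD-BASE": "Service Delivery Only"}
# Hypothetical header name and JSON value: an assumption for this example,
# not the IEEE P7012 wire format.
PROPOSAL_HEADER = "X-MyTerms-Proposal"

@dataclass
class OrgProfile:
    org_id: str
    # True if the org tracks, profiles or shares beyond what delivering the service needs.
    beyond_service_delivery: bool

@dataclass
class Decision:
    serve_consent_banner: bool
    reason: str
    record: Optional[dict] = None

def make_proposal_headers(agreement: str, individual: str) -> dict:
    """Build the (constructed) request headers a MyTerms-enabled agent would send."""
    return {PROPOSAL_HEADER: json.dumps({"agreement": agreement, "individual": individual})}

def handle_request(headers: dict, org: OrgProfile, ledger: list) -> Decision:
    """Decide whether a consent banner is still needed; record accepted agreements."""
    raw = headers.get(PROPOSAL_HEADER)
    if raw is None:
        return Decision(True, "no proposal")  # legacy visitor: keep the existing flow
    try:
        proposal = json.loads(raw)
        agreement, individual = proposal["agreement"], proposal["individual"]
    except (ValueError, KeyError, TypeError):
        return Decision(True, "malformed proposal")  # never treat garbage as consent
    if agreement not in KNOWN_AGREEMENTS:
        return Decision(True, f"unknown agreement {agreement!r}")
    if agreement == "SD-BASE" and org.beyond_service_delivery:
        # The org does things SD-BASE excludes, so it cannot honestly accept.
        return Decision(True, "org practices exceed Service Delivery Only")
    record = {"agreement": agreement, "individual": individual,
              "organisation": org.org_id, "accepted_at": int(time.time())}
    ledger.append(record)  # the recorded agreement, not a banner click, is the evidence
    return Decision(False, "accepted", record)
```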
We believe that model can and will work well for the vast majority of organisations; they are not doing anything beyond service delivery anyway. This will include much of the public sector, and many regulated industries such as banking, financial services and health/ wellbeing, which are already constrained towards service delivery only anyway.
And fear not. Organisations that need/ want a bit more granular and optional data exchange will see 4 more agreements emerge in phase 2. Loyalty programmes for example may be well suited to an agreement that offers more flexibility to incentivise greater data exchange and/ or more purposes.
To summarise then, we in the MyTerms / IEEE P7012 team believe that the standard will offer a credible alternative to the very broken current model based on added friction and consent.
The standard and the agreements are built from the individual side; but are well aware of and informed by the practices within organisations, and the needs of privacy and data protection regulators.
In the next post we’ll get into why we think this model will also paint a very positive picture commercially for all willing and able to grab the opportunity.