Is consent broken? If yes, what can we do?

From IIW

Is Consent Broken? If Yes, What Can We Do?

Session: 11F

Convener: Clare Nelson


Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Link to slide deck provided by Clare Nelson:

Session Description: Is consent broken? If yes, what can we do? See the slides with the MORE titles for input from the group. Consent means different things, and can be used in different ways.

Fred Cate – 2020 TED talk on Data Privacy and Consent. Has identified 7 issues with consent, along with suggestions

Daniel Solove – the privacy paradox myth, the difference between reported preferences and actions taken

Shoshana Zuboff – the age of surveillance capitalism. Data about individuals is the raw material that is used for digital advertising

Two kinds of privacy law – private vs. government.

7 reasons why consent is broken:

  • Complexity of notices, and nesting
  • Notices are long and dense
  • Consent is ineffective since it is hard to understand
  • Consent is illusory – contracts of adhesion, binary take it or leave it
  • Burden is on the individual, liability is shifted from the data processor
  • Consent choices are often a disservice to the consumer
  • Leads to lousy consumer protection

Privacy laws are spreading, and thus conversations about consent

CCPA has the broadest definition of personal data – includes the notion of probabilistic identifiers such as cross-device tracking, device fingerprinting and digital exhaust

Myth of anonymization – de-identified data can be re-identified fairly easily

Marketing and advertising are finding new ways to track and identify specific individuals as techniques such as cookies fall under new privacy laws. E.g. Merkle Wallet

Data brokers can provide “hyper-personalization” to predict behavior. They create identity graphs that can include 10k+ attributes.

Data privacy laws are not necessarily covering all of this.

What can we do?

  • Make stewardship of data the responsibility of companies/data handlers
  • Create regulations that make data handlers/processors act in trust
  • Provide redress
  • Making giving consent meaningful, timely, and effective

Me2B project Project VRM – Doc Searls

Addition to the 7 reasons – volume, number of times we interact digitally Consent should not used as a form of protection – overarching protection Legitimate purpose for collection

IndieBox – personal cloud server CloudYoult

  • There may be an incentive for data handlers/processors to stand up technology services to allow for personal data storage/choice schemas to remove their own liability

Concept of data trusts – board of trustees with fiduciary responsibilities. Mozilla Kantara ISI: consent receipts – machine readable receipts for consent

  • have published consent receipt 1.1
  • they are fairly far along with defining the next step

Consent tagging and tracing (open receipts, a subset of open notifications) – ideally we can understand the conditions under which consent was given Consent is a personal decision about a tradeoff, for what services am I willing to give what data - Can individuals truly make these decisions? They don’t have full information, very context specific - But who can make these kinds of decisions on behalf of individuals?

First we need a common vocabulary for data – DPV (data protection vocabulary)

Need something where users can express their preferences and then that can map to legal terms and actions Harvard – policy enforcement as data moves through a workflow

The idea of consent in terms of boilerplate legality is bad. The highest rendition of consent is the file upload dialogue box. Embodied consent – as an act of your body, you tactically are giving consent.

Privacy chain – idea is to control this vast network of machines. Need a control channel to demonstrate and track where data flows across the value chain.

Zuboff is a bit inflammatory - have been talking about it since David Packard Jean Twenge – Filter bubble Information snacking; mental health effects

Communication/vocabulary - triangle between legal, consumer friendly, and machine readable

The conversational nature of privacy policies is a joke – they try to make it so easy to understand, but they are still not read

Need to validate things – go through testing between regulators, and consumers You need an advocate – COVID is bringing that up. Many individuals need interpreters, guides through much of this.

Differential privacy – has been shown to prevent leakage. Can it be applied in the advertising pipeline.

Music/entertainment industry viewpoint – limited use rights