Posted on: Monday 28th of January 2013
As another International Privacy Day comes round again it’s time to question something at the heart of European privacy legislation – the notion of ‘informed consent’.
‘Informed consent’ was created with the best of intentions. But in its current form it is an obstacle to progress. It needs replacing.
The underlying goal is admirable enough: personal data is the person’s (not the organisation’s) and individuals should have the right to know what information an organisation is collecting about them and what the organisation is going to do with it. They should also have a right to give or not give consent to this data collection and use.
Great. In theory this is all about empowering the individual, while also establishing the foundations of trust that a modern data-driven economy needs to work.
So what’s the problem?
The mythology of choice
With ‘informed consent’ the EU swallowed the great 20th century fiction of ‘rational economic man’. This is the belief that we are all ‘rational’ economic actors, always gathering and assessing complete information about every aspect of every decision we make (where the costs of doing this are effectively nil) in order to maximise our utility.
If you believe this, it follows that good policies should help rational economic man work his wonders, making choices to drive the competition that makes markets, and capitalism, zing. By, for example, providing information about data collection in privacy policies and terms of service, and giving individuals a choice as to whether they accept these terms or not.
The reality is almost the complete opposite. Decision-making is a costly and sometimes painful task and we human beings are cognitive misers. There are countless things we would rather not think about at all (and try very hard not to). If we do have to think about them, given half a chance, we pay as little attention to them as we can. So when organisations present individuals with small print, far from eagerly investing time and effort trying to understand it, we just tick the box.
In reality, people are neither informed nor consenting. But the fact that the information has been made available in some form or other means individuals are deemed to have been informed. And the fact that they have ticked the box (because they can’t progress the transaction without doing so) means they are deemed to have consented.
Another common feature of human behaviour is ‘learned helplessness’: the logic that ‘if I can’t do anything about X, why bother trying in the first place?’ Learned helplessness applies to informed consent in spades. What is the point of reading all that small print if there is nothing I can do about changing what it says anyway?
For these reasons, often in modern markets power doesn’t reside with the chooser. It lies with the person who sets the default – who writes the small print in the first place. Whenever it takes time or effort to consider, understand or change a default setting, a very small proportion of people do so. In a world where he who sets the default makes the choice, informed consent actually becomes a mechanism of disempowerment, not empowerment. A mechanism that places the burden of responsibility and work on the individual – and the blame when things go wrong. After all, ‘you agreed to it. You ticked the box!’
At first glance, such a situation might look like good news for organisations. But actually what it creates is perverse incentives. If people are going to give your small print ‘informed consent’ no matter what it says, there is a huge temptation to draft it in such a way that it maximises your freedom of manoeuvre and your ability to monetise the data you collect. That’s great in the short term. It becomes an easy way to make money. But it’s disastrous in the long term, because it rewards sharp practice and punishes transparently high standards – thereby destroying trust.
The result is a lose-lose-lose. Consumers lose because they are disempowered. Firms lose because they find themselves incentivised to pursue practices that end up undermining trust and brand reputations. And markets and economies lose because the benefits of the true exercise of choice – where firms are forced to compete over innovation and value – aren’t fully realised.
Setting the wrong agenda
There is another way in which our current approach to informed consent is flawed. It sets the debate on the wrong track, smuggling in a number of progress-stifling assumptions.
Value: Talking about informed consent smuggles in the assumption that value is always created by an organisation using the individual’s data, never by individuals using their own data for their own purposes. It sets the debate on the wrong track.
Control: The real challenge for individuals is not consent but control. Informed consent assumes somebody else is always in control (the organisation as ‘data controller’). It does nothing to help individuals actually manage or control their own data.
‘Informed’: Individuals should not need to be ‘informed’ how their personal data is collected and used just as they should not need to be informed as to how the raw materials of their car are collected and used. But they should be qualified to drive safely. The real education challenge is not to ‘inform’ people through acres of small print, but to help them make the best use of their own data.
In other words, informed consent was not conceived for a world where individuals, as well as organisations, are data managers.
So what’s the answer?
The shopping parallel
To see how absurd our current situation is, just imagine if ‘informed consent’ operated when we went shopping. Every time you wanted to buy an item, you would have to sign a contract (tick a box) saying that you have read, understood and agreed to the fact that these particular ingredients are being used (with these possible side effects on health), that the product has been processed in this or that way, in this or that country, that it has these qualities and promises to do those things.
With an average grocery shopping basket of 40 items, you would be required to read, understand and accept 40 different sets of terms and conditions 40 times over. Quite absurd.
A safe default
With shopping, we address these problems in a different way. Every time we hand over some cash for an item, a contract is made between retailer and shopper. Behind this contract lies a vast body of legislation and regulation, backed by professional monitoring and enforcement bodies such as Trading Standards, that spend time and effort checking weights and measures (are they accurate?), enforcing rules about what ingredients can be used in each product (is that beef burger really made out of beef or does it contain horsemeat?), health and safety precautions, labelling, product claims, packaging and so on.
These rules and regulations are the default setting for the shopping transaction. Instead of employing armies of lawyers to construct a different unique set of T&Cs for every product and every service, they create one, single baseline standard. This standard – the default setting – is designed to protect the consumer without forcing the consumer to read, understand and consent to volumes worth of small print. It simplifies the process rather than complicating it, creating a level of trust so taken for granted that 999 times out of a thousand, we don’t even stop to think about it.
That’s what we need for personal data. Default settings and standard processes that ‘I can trust so much I don’t have to think about it’.
An alternative approach
Informed consent is a bust process. The EU knows this because, in its draft new Data Protection Regulations, it tries to beef the concept up by making it ‘specific, informed and explicit consent’. This appears to be ‘even more’ empowering. In fact, it places an even greater burden of responsibility and work on the individual. It’s making matters worse, not better.
Online, consumers should be able to do business as easily and confidently as they shop in physical stores today. We are not required to read, understand and agree to the technical specifications of a car before we buy it. We ‘just know’ it will be safe to drive (and there’s a massive scandal and product recalls if it is not). Likewise, we should not have to read acres of small print to do business involving personal data. We should ‘just know’ that it is going to be used safely.
Businesses and individuals should be able to use this trust-creating default setting as a springboard for added value. In a retail store for example, you have some statutory rights to return goods. Marks and Spencer went one step further with its ‘no questions asked’ returns policy. You can vary the terms and conditions, but only in one direction – improvement, without underlying statutory rights being affected.
That’s what we need now in personal data. A baseline standard – a default setting – that automatically protects consumers’ data without their having to read, understand and agree to anything, plus new tools and services that help them collect, manage and use their data for their own purposes – leading to new layers of permissioned data sharing built on strong foundations of trust. Good for individuals, firms and the economy as a whole.