Posted on: Monday 16th of March 2015
Interesting debates at last week’s Westminster e-forum on ‘Data protection policies and business opportunities’.
In personal data circles today there’s endless hand-wringing about the problem of ‘informed consent’. It’s now universally recognised that current approaches to consent, based on the publication of privacy notices and tick box mechanisms to agree to terms and conditions, are not working. Nobody reads them. Nobody understands them. And because they can say almost anything a lawyer fancies writing into them, far from protecting consumers they’re doing precisely the opposite.
So the quest is on for better ways achieve ‘informed consent’.
But should we really be pursuing this quest? Here’s a suggestion: the notion of informed consent is part of the problem, not part of the solution.
Here are two alternatives to ‘informed consent’.
1. ‘Safe by default’
The first alternative is ‘safe by default’. When you go into a store and pay money for goods, you don’t need to read and sign a massive tome of T&Cs. You ‘just know’ you are protected because behind that simple exchange there’s a phalanx of rules and regulations to make sure you are protected. You don’t have to be ‘informed’. You don’t have to ‘consent’ to anything. You ‘just know’ you are safe.
Likewise, when you flick a switch to use electricity, you are not required to pass exams to demonstrate your understanding of the generation, distribution and dangers of using electricity. So why do we expect consumers to (effectively) pass countless different exams on the generation, distribution and uses of personal data?
You don’t have to pass electricity exams because a whole set of rules and standards have been established so you ‘just know’ that when you flick that switch that you will get that electricity and you’ll be able to use it safely (unless you do something really stupid).
Why can’t personal data be this simple, safe and useful? Why can’t consumers ‘just know’ that when they provide some information to a company, the company will use the information for the purposes of providing you with the service you requested, and that nothing else untoward will happen? After all, the existing Data Protection Act allows for it even though it seems to have been entirely forgotten.
With ‘safe by default’ you should ‘just know’ that your data will be collected and used safely just as you ‘just know’ you can shop safely and use electricity safely, Why is that too much to ask?
2. ‘Privacy intermediaries’
OK, there may be some occasions when things get a little more complicated, when you do need to be more ‘informed’ as to what is going on. How can we rise to this challenge?
One way not to do this is to expect consumers to take a PhD in personal data, just as we don’t expect consumers to take a degree in engineering to drive a car.
When there is a genuine need for consumers to be more informed they should be able to turn to trusted third parties – let’s call them ‘privacy intermediaries’ – who ‘read and understand complex terms and conditions for me so I don’t have to’. Their job would be to be informed ‘for me’, as a service, just as it’s the job of a doctor to be informed about medicine and a lawyer to be informed law so that I don’t have to. Personal data stores and other personal data management services can (and are) taking on this role, and because they are adding value in lots of other ways they don’t have to charge extortionate fees to do so.
An innovation opportunity
Our current approach to ‘consent’ in the collection and use of personal data has become counterproductive to the point of toxic. More of the same is not an answer. We need fresh thinking, new tools and new approaches. Safe by default and privacy intermediaries are just two examples of alternative ways forward. They make it safe and easy rather than risky and difficult.
But why bother? What’s the return on the innovation investment?
Because ‘safe and easy’ (versus risky and difficult) is the rocket fuel of economic growth.
Take another look at those industries where consumers ‘just know’ they are safe, where they are not required to be ‘informed’ to ridiculous degrees of sophistication and where they are not barraged with a deluge of consent requests: Retailing. Everything and anything that uses electricity. The motor industry.
They are massive. Over the last century they grew from nothing to operate at the heart of our economy as engines of wealth creation. They are how firms make money and how consumers improve their lives. And this growth only happened when they made it safe and easy for consumers to participate fully.
In the 21st century digital economy personal data should be playing a similar role to electricity, the motor car and retailing. Until maximising the value of personal data is made safe and easy for consumers (rather than risky and difficult) the real potential of personal data won’t be realised.