In May 2018, email inboxes were overflowing with messages asking consumers to “reconsent” to the collection and use of their data so companies could comply with the European Union’s General Data Protection Regulation. Mechanisms for consent have hardly changed since the dawn of the internet. “Click the box.” “By visiting this site, you agree to these terms.” These mechanisms require a screen, and they also assume that the user has been adequately informed. Neither of these things is always the case.
The near-term challenge with consent is twofold. Firstly, organizations need to know what mechanisms are compliant with the rapidly changing regulatory landscape. This is not at all clear, as recent enforcement actions indicate. The second challenge is that technologies of the Fourth Industrial Revolution, such as ubiquitous, ambient data collection via the Internet of Things and connected cities, do not readily lend themselves to checking a box to consent.
The long-term challenge with consent-based models for data collection and use is that the ever-accelerating rate of technological innovation means that the threshold for what it means to give informed consent is growing higher by the day. How many people understand how artificial intelligence or distributed ledger technologies such as blockchain work? This gap is growing, making it harder for consumers to understand the ramifications of their choices to share data.
The immediate opportunity for impact is to help regulators and data-collecting organizations find common ground on what mechanisms for consent are sufficient to meet new regulatory and legal requirements.
Recent regulations in the United States and the EU have created confusion and ambiguity on what models and mechanisms for consent are best practice or even minimally compliant. Enforcement actions are emerging that provide some guidance but also create anxiety that the methods upon which companies have long relied may not pass muster. The basis for processing and using data starts at the moment of consent. The costs of getting consent wrong are, therefore, very significant.
The longer-term opportunity is in leveraging human-centred design thinking to develop innovative solutions for emerging technologies. Privacy engineering has emerged to design privacy into back-end systems. We need the same attention to front-end usability and design to realize the full potential of “privacy by design”.
The Fit for Purpose Consent Project takes a holistic approach to examining the issue of protecting people’s data and privacy in the Fourth Industrial Revolution. Through a multistakeholder process, we can develop, test and iterate innovative and future-forward alternatives with consumers and regulators. These design alternatives will provide greater certainty in this uncertain space. In the longer term, we will explore new consent mechanisms that address the unique characteristics of Fourth Industrial Revolution technologies that do not lend themselves to traditional consent mechanisms.
The project is brought to life via close collaboration with leading academics, subject matter experts, thought leaders, designers and engineers, as well as the Centre for the Fourth Industrial Revolution’s community of Chief Data Officers.