Redesigning data privacy: Reimagining notice & consent for human technology interaction

Executive summary

With every year that passes, our lives are becoming more and more dependent on digital services. More than 53.6% of the world’s population is online, while 93% of the world lives within reach of a 3G or better mobile network.1 From accessing vital services such as a doctor, to ordering food online or simply surfing the web, our use of and increasing reliance on digital services continues to grow at an exponential rate.

At the same time, the way in which we interact with technology is continuously evolving: For example, some screen-based interactions are transitioning to voice-based interfaces; always-on sensors are increasingly embedded within our environments. But regardless of whether the interface is tangible or not, we are often asked to consent to the collection and use of data generated by us and about us. But how many of us truly understand what this really means? And when we are asked, does the collection and use occur in a way that fundamentally protects our best interests? Further, once we grant the requested access, is there any way to change our minds? And can consent truly be given if there is no real choice, an inability to revoke consent or lack of an informed decision because of the complexity of information provided to help make the decision more informed?

When an option to consent is given to us, there is a sense that we are empowered to make a decision, a sense that we are in control of what data can be processed, who it can be processed by, where it can be processed and for which purposes. Consent has become illusory and, through its current design and deployment, does not always operate in expected, or at times even logical, ways. As we increasingly conduct our lives online, we continue to part with more personal information, click through more boxes and increasingly seek to limit any barriers between ourselves and the service or product we intend to access.

When the permissions people grant to companies and organizations at one point in time become the gateway for everything that happens to that data in the future, that moment becomes extremely important, perhaps far beyond what could be envisaged. The default means of setting the rules of the game on how data about someone can be used is often reliant on what is termed “Notice & Consent”. Within the context of data protection and privacy, or more broadly information or onlinew data privacy, Notice & Consent functions as a primary means by which the public is provided with Notice about what information an organization intends to collect from a person and how they intend to use it. Consent is the process by which a person acknowledges and agrees to the terms of the data collection relationship.

As this paper will explore in detail, there are various concerns about how this process functions presently. These include doubts as to whether the current process is effective in educating people about the collection and use of their personal data, whether it provides them with meaningful choice and whether existing mechanisms meet the needs of the public.

The enactment of the European Union General Data Protection Regulation (GDPR) and in the United States the California Consumer Privacy Act (CCPA) increases the urgency of the need to address the flaws in current data protection and privacy norms. In the US specifically, which relies heavily on Notice & Consent frameworks, there is a possibility that federal-level privacy legislation will be passed in the nearer term. That this might occur without a long overdue reckoning with Notice & Consent mechanisms would be a missed opportunity.

Globally, countries are looking to both the GDPR and the CCPA as they consider their own data protection measures, raising the stakes with regards to how we choose to address Notice & Consent in these new regulatory environments. New laws or policies that leave existing mechanisms untouched threaten to perpetuate them indefinitely.

In this paper we examine the topic from two complementary perspectives: If we accept that Notice & Consent is not fit for purpose, how can it be improved? And what does an alternative regime beyond the terms and conditions box look like?