It’s midnight. Rushed by a deadline you must buy a rare gadget online and the only place where it is in stock is a web store you never used before. As is the common practice, you must create a user account and leave your name, shipping address and some other personal data. Successful buy, just in time. Another day you need to purchase a train ticket and the only way to get that irresistible 50% discount is by joining a loyalty program. There again, you must give some personal data to identify you. During the trip, due to a dental emergency you must register your profile and leave some personal details to help create a patient record in the clinic. After years of situations like this, we have left personal data to so many organisations and we can hardly remember which one has what. The railway company has stored your name, phone number, postal address, date of birth, citizenship. Other organisations have stored less, others more.
We are giving away personal data very often, some people do it weekly or more.
Organisations store personal data for different purposes. For example, a web store needs your name, email and postal address in order to confirm and deliver your order, which is its main purpose. But beyond that, the web shop could use your data to send you promotional offers too. In a legal world, every company must have asked your consent to use your personal data.
You agreed to receive news and promotional offers by email, others by post, but you can’t remember whom you gave consent to and for what. In each of these transactions, you have given consent to use your personal data.
What is consent?
Consent can be defined in many ways but let us focus on the digital world. In simple words, consent is an expressed “green light” that allows an organisation to do something with your personal data. Without your expressed consent, an organisation can’t legally collect, store or process your personal data.
The problem with consent
In real life, we’re giving consent at all times. The biggest lie on Internet is that tick-box we’ve all checked: “I have read and I agree to the terms and conditions.” The phrase depicts how lightly we take consent. Even if we put in the effort, today’s systems and procedures are not designed to protect people’s data. The problem with consent is not one but many:
- Terms and conditions are usually lengthy and written in a language that only lawyers can understand.
- Consent is usually bundled giving the user only two choices: all or nothing, take it or leave it. The typical case is a mobile app that asks you access to your location even though it’s clearly not needed. Why does a torch app need access to my location or microphone?
- A person can’t keep a record of what personal data was given, to whom, and for which purposes (the boxes that ticked and what was written in the terms and conditions that specific day). Such a record is stored only in the organisations’ database.
Due to a raise of awareness on these problems, in the recent years we have seen more strict data protection regulations, such as European Union’s GDPR (General Data Protection Regulation). However, the third and last point requires a more technical approach, and the concept that is emerging to fill this gap is called “consent receipt.”
A consent receipt is a proof document that you receive every time you give consent to process your personal data. It records the essential details of the transaction so in practice, it should look like the voucher you receive when you buy something. Just like a physical receipt for an item you purchase today, in the future, you will be able to use a consent receipt to prove that you approved the use of your personal data. With the advent of consent receipt, the details of a consent transaction are not anymore a secret kept by the organisations. Consent receipt is a tool to empower citizens to take control of their consent at any time.
At this point you might say “Oh, this sounds like a great idea, but how is it in practice?” As of today, there are almost no implementations and the most promising standard is Kantara Initiative Consent Receipt. Mostly based on Kantara’s approach, I will use a simplified explanation to show you how a consent receipt would be in practice. You can find three main building blocks in a consent receipt:
- Receipt and transaction information (date, time, place, purpose of collecting data, receipt number, language)
- Individual’s details (name)
In order to be universally accepted by people and easy to process by information systems, experts agree that consent receipt must be both machine readable and human readable. The machine-readability is achieved by using widespread JSON format.
However, making a document human readable in a sensible way is trickier than what it sounds. Just remember how Terms and Conditions usually look. If you speak English you can read a British webstore’s fine print, but you might understand Iittle or nothing. Also, if you shop in a foreign store, you would like to have the consent receipt in your native language. Should a consent receipt be by default presented in a web format? As many of these technicalities appear, the standards will also need to define a rendering engine.
The beauty of consent receipt’s approach is that a piece of software that you control, your web browser or even the operating system could collect, store and manage these receipts. You could review where your information is being used and initiate actions, like revoking consent or requesting your data to be erased through such a tool. All these actions could be seen as a list of links, checkboxes or trashcan icons in a privacy settings tool. If well implemented, this can all happen seamlessly and securely.
Will a consent receipt become a ubiquitous tool in a few years from now? Only time will tell. Even a brilliant and popular technical solution can be defeated by lousy regulations or a lack of international consensus. We believe that the concept is promising and will bring more transparency to giving consent. Hopefully in the future, you will feel more protected if you have to buy that rare gadget at midnight.
Oscar Santolalla represents Ubisecure in the Kantara Initiative’s Consent & Information Sharing Work Group, helping to ensure our customers benefit from emerging privacy standards.
For more information about GDPR and consent related issues, register for IAMwithUBI. This full day IAM conference with international keynote speakers and influencers gets you up to date with the latest information.