Make Consent Work with More Transparency and Less Control

So, as it was pointed out to me, we should retitle this a bit, make consent work with more transparency and less control for companies and corporations that use the information. So some of our panelists are known to us, but it's always good to start with round of introduction. So mark much would kick it off and we'll work our way this way. Thanks John.

Hi, I'm mark Lazar. I am the chair of the Canera consent and information sharing work group and CEO of the open consent group. I've been working for a few years on something called the consent receipt specification, which is just getting to the version 1.1. So we've been working on automated consent management and privacy rights at scale for quite a long time. And finally, we're getting somewhere, Hi, I'm Denise Taylor, I'm the co-founder and CEO at Privo, and we manage youth registration and parental consent as well as advise companies on compliance with privacy regulations around children.

So GDPR kids is coming and cop in the us and these laws require consent verifiable parental consent. So we've been managing that process for almost a decade and learned a lot along the way about how to get consent. Okay. My name is Martin. I work for a, a company called IEL. We provide a cloud identity platform for consumer identity management and we are a European company. So we have a strong emphasis on GDPR support.

And if I can close you John parallels, consent management, so that might be relevant for well, and, and apart from let's say this of course commercial role, we also try to bring the industry a bit forward. So we really joined Canara for standardization of consent manage. Hi there I'm Chi brew director of customer relevant, ATT we RegTech and we enable businesses to unlock the power of their customers data using their consent, and also powering some data rights management.

So we're solving some key articles of GDPR for businesses by proving immediately proving that they have the correct legal basis for processing their customers data. And then for the individuals we're providing that control and transparency over that data use. So whether that legal processing is consent or any other basis, we're making sure businesses have that correct requirement. We see consent as enabler for businesses, and definitely not something that they should be shying away from.

Hi, my name is Justin Richard. I'm an independent consultant, which means I don't actually have a product or service to sell you other than me. And I've done a lot of work over the years on various security and identity standards worked on oof two and open ID connect user managed access some of the technical underpinnings of the consent receipt that mark mentioned earlier, and the security events work that's now going on in the ITF, which is kind of branched off of that and a bunch of other related things and topics. So Great.

So I think I'll just start with following up on some discussions that I had after yesterday with both Denise and Martin, you know, the capturing of consent is something, you know, when we think in terms of GDPR, it seems to be designed for, you know, the 80% cases there. GDPR also has some provisions in it for, you know, getting consent children, family management, and, and some solutions handle that pretty well today. And others are trying to make it work with either hierarchical or some sort of delegated administration.

But then there are also the other cases where, you know, someone may be ill. There may be, you know, like the power of attorney situation, where we would call it in the us where somebody else has to provide consent. And I think a lot of the technical systems, some may not quite be there yet. So any anybody want to talk about capturing of consent and some of these outlier scenarios, the difficulties there and, and how we might address that from a technical perspective? Sure. I can kick this off.

So I did a lot of work for a few years in the us with the health and human services and the office of the national coordinator for health information technology, which they, thankfully we shortened TEC. And this is all sort of in the healthcare space in the us. So HIPAA and other things come into come into play.

And we had a saying in all of the projects that we were working on, including the hardworking group in the open IV open ID foundation, that these so-called break the glass scenarios where, you know, the, the actual data subject is, you know, passed out on a stretcher and you, the paramedic needs to have access or they're in a coma and there's a power of attorney or something like that. We refer to these as the Godwin's law of health. It because inevitably, whatever, you're, whatever you were discussing, somebody would bring up these break, the glass scenarios.

The reason is that they are really, really difficult to tackle. Now, if you manage to get, you know, the person's consent ahead of time, that says, yes, if you know, if I am passed out and this person is there and it's to save my life, then yes, everything is okay. Then you can codify that inside of a policy system from the technological perspective, you know, within a single system, that's not that hard where it starts to get really hard is you start to do sort of cross domain systems. So say I'm traveling to France and something bad happens.

And a French paramedic needs to be able to access all of my stuff. I want them to be able to do that, right. But I shouldn't have to go around to all of the various jurisdictions and various, you know, sort of privacy bubbles that we have around the world and say, you know, yes, if I'm in France and a French paramedic needs access to my things, you know, when I'm knocked out from being hit by one of these, the crazy bicyclists that are all around Paris, I don't know if you guys have seen those, cuz that nearly happened to me twice yesterday. And if that happens though, I, I, yes.

I absolutely want them to have access to my medical records. Do I otherwise generally want French doctors to have access to my records just because I'm here?

No, not really. So there's a lot of different sort of subtleties and attributes here that if we were able to set everything up ahead of time, kind of explicitly, yeah, we can process them, but the real world isn't explicit. The real world doesn't get set up nicely ahead of time. And that's where the challenge really lies is to, in my view, to be able to work within that, that real world fuzziness, Maybe I can add a bit, John, of course there are all kinds of difficult areas that we need to cover. And that includes the current consent that you have specialist on.

But if you look at day to day situation in enterprises, data controllers in Europe, we, we just did the research and we'll be doing that in the next month as well, to look at the number of companies that currently do implement consent, and that is close to zero. So rather than focusing at the nitty gritty difficult situations, we should focus at mainstream first and get, just get going and, and make sure that we have the infrastructure in place, that there are standards available for the exchange of consent.

We are evaluating around 89 companies across seven countries in six industries and less than 20% show, any significant steps towards supporting GDPR and consent management. So less than 20% and we have less than half a year to go. Even if you look at, for example, a country like UK, 54% of the organizations in the UK, just to ask a fee for access to their data. And so of course I acknowledge that there are mandates and there are adults and all kinds of situations where consent might be difficult, but let's first start off with the very basic things and get that going. Yeah.

I would even say that like our research shows that only 12% of organizations UK have even registered with a data controller. So there's barely enough privacy transparency out there for people to even use their, any, any privacy rights or preferences.

So, and this is consistent actually over the last 10 years I've been researching this it's actually, transparency's gone down and more and more, there's less and less transparency. I think that's probably cuz the complicated technologies that are coming out.

So, but I just, as far as the issue goes for consent, how many people here are interested in dynamic consent? Is there any anybody ever thought that dynamic consent would be important? Yeah. So how about mixing consent with other justifications or processing? Is there anybody, any use cases where that's an issue? So I think that like these are big issues and another one is specifying a purpose for consent. Every company can specify it in a different way and no user is ever gonna understand it. Is that a concern for anybody here? Does anybody care about that? Right.

So I think there are, there are a lot of issues that are yet to come out and to make consent operational, but parental consent consent is definitely where they're leading the world. I think I appreciate you're leading the kids behind so that I can catch up there. Aren't 2 billion of them, you know, pushing quite a few dollars out of their parents pocketbook. So companies are going to going to the, let's not just talk about kids. I mentioned this yesterday, my father has mild dementia. He wouldn't appreciate that. I'm telling all of you that, but he'll forget it.

Like, so how does he, how is he gonna manage his, his digital identity? It's hard enough.

I mean, I, it was, you know, I haven't even gotten into a smartphone, but he's being forced to do things online. His, you know, renewal of his registration for his vehicle or whatever else it might be. Right. He needs Uber. He really needs Uber because he got lost going to the dentist the other day. So who's going to be able to help him manage his consent. So it's not just kids. I really think it's the bookends of life that are really, and then all the folks in the middle that have cognitive difficulties. Okay. So you asked a couple questions, you said dynamic consent.

Do you wanna tell people what you mean by that? Well, yeah. So in 1964, the Helsinki declaration on research for said for medical research, you need to have consent and this needs to be dynamic so that people can withdraw consent for research at any time up into the second in which they, So dynamic is just in time. I can turn it on. I can turn it off. It's all in my control. Right? So Dyna.

So, so that makes sense. But dynamic to me means feature by feature. What am I?

So in, in, in our world, I'm trying to ask a parent to consent to a newsletter, a push notification, a catalog and uploading videos, all of which are, are PII. Even the video in the kids, space, pictures, audio. So each of those features is mapped to date attributes and mapped to verification tiers. And a child may start a service with a starter account. They don't even have an email for password reset, but then later they decide, gee, this is really a problem. I've had to lose my account three times and created a whole new login. So now I do want an email.

And so adding these additively, adding, building against the profile, being able to click on the contest three weeks after you've been enrolled and say, yeah, I actually do want to participate in the contest. So now the consent needs to go request needs to go out to the parent just in Time. So you mean it, it, it, so, yeah, so I think dynamic That's, you know, to me it was dynamic, but it better, I think for control, like companies giving users control of consent.

So I want to be able as users say, okay, I'm gonna withdraw consent while I'm in this room for anything, for every company, for every service digital for this space, you know, I wanna be able to do dynamically. When I walk out of here, I want to turn it back on like that, that's kind of what I'm imagining the future of dynamic consent would look like and That's, and I would be so against that and the reason I would be against it. And then my passes is because I'm gonna have a parent, who's gonna get pissed off at one company, excuse me.

And they're gonna say, well, I'm just gonna opt him out of everything. And it's just too easy. Right? People have a glass of wine at night. We do things, you know, much more freely with our fingers. And I would want somebody to have, because it would be very burdensome for the companies that are supporting them. And it will be burdensome for the user who says, yeah, I didn't really mean to do that. Now I've gotta go reset everything.

Well, just To add to that. But I, to challenge that we, we are for that we're for contextual consent mark. I Well in this contextual, but he said one push and I've opted myself out of everything on the energy. Yes. And then one push you can opt back In or you can opt back in and I won't be meaning consent opting back in, but things will have changed, be tied to the breathalyzers, but I'm, I mean, look, I'm very granular consent. Yes.

It's, it's granular. I had to make a decision in our system.

We, we could not make it one push because the companies would not adopt the solution, Which is the topic for today, how you need to let companies give away control. Right. And that's definitely a big struggle. And when I first brought up the idea of withdrawal consent at a conference like this a couple years ago, I mean, people said, can you please not bring that up?

You know, everybody looked really uncomfortable and you know, withdrawn consent is scary. Cuz companies think they're gonna lose what 80% of their customers, when the laws come in and you know, maybe they should, right. Maybe they Consent. Isn't the only legal basis. And if you're worried that people don't want your service, then, then you shouldn't be marketing to them or you shouldn't be contacting them. And if you know that you should be providing that service, then you find another basis for processing that data.

I think that you want it's about having engaged customers, that you can actually get revenue off and give personalized experiences versus just having customers who you just wanna push that information to. What's really more valuable. Is it that engaged customer or, or dormant basis whose personal data you probably shouldn't be holding? So the charity sector in the UK they've come down really hard on a lot of money out of old people. I think the, the idea there was that what they've seen is when they opted everybody out and say, look, we really need you to come back in.

If you want to consent, they've got less, less people, but they're spending a lot more and they're much happier. So that's sort of the early indication. I'm not sure if that actually transcends across use cases. But So just to be clear though, I was talking about one single service across all one, one button that hits every company at one time. Right. I want to turn off the internet. That would be a lovely Moment. Right.

So, So What's That it's called flight mode. Flight mode. You'd Think so.

However, flight mode doesn't actually turn off all of your radios. Not anymore.

Yeah, Not anymore. So talk to me later.

So yeah, I, I, I think that, you know, this, this whole notion of, you know, being able to withdraw consent and it being it and it changing over time is, is really important because, so I do a lot of work in the security space. And in this space, we are really coming to understand that security is not really an event. Authentication is not an event. We used to treat it as an event. I saw your password. Therefore from that event forward, you are authenticated and you know, we're good to go, right? Authentication. Isn't really an event anymore.

We're seeing it a lot more heuristically it's like, okay, I saw your password, but I've got 37 other signals that are telling me that something is fishy about this. Maybe I shouldn't let you in, or maybe I've got, you know, a few dozen signals that tell me that you really are the same person and you typed your password wrong. Maybe it is you. And maybe I should ignore that one. And this gets back to what I was saying before about, you know, where the real world is really, really fuzzy.

And, you know, mark was talking about withdrawn consent, making people uncomfortable. And that's, I, I think that that's legitimate because consent really is kind of an uncomfortable topic to discuss, because think about it in, you know, with normal people in the real world and, you know, raise your hand if you think you're normal, okay. You're at this conference. You're not all right, seriously, you're at a conference about identity and you are not a normal person.

And so think about consent in kind of, you know, normal person space, you consent to something by letting it happen and being okay with it. I mean, that's, that's sort of fundamentally what is under, see how you express that You lost me. Yeah.

So here's, here's the thing though. I think we can slate consent with the expression of consent and the communication of consent, which is separate. All right. And so what we talk about in technological systems is largely capturing the expression of that consent and not being, you know, okay. That this thing is happening.

It's like, I need to be able to express that in the real world, we have a very, very rich set of signals for being able to communicate these things. Not the least of which being explicit language of like that is not okay, or this is fine, right? In the digital space, we lose a lot of that communicated bandwidth. And we are forced down into button clicks and, you know, maybe watching behavior over time. But even that behavior is what a series of clicks, you know, a series of things that I've touched in pages that I've gone to and stuff like that.

So it's much, much harder to map that type of expression into this space in order to capture what I would contend is this underlying model. And that's really where the challenge is because this underlying model is not a static event. It is very fundamentally not a static event. I may be okay with something now in five minutes, I may feel much less okay about it and want to withdraw my consent.

You know, maybe I'm not comfortable with the direction that this conversation took and I'm going to walk away. How do I walk away from an internet site that is going to remember everything that I've ever done there forever, right? We don't have quite the same level of controls yet. And so what I think that we need to do is really evaluate what this model means and how it's expressed and projected into this digital space. And now you're gonna tell me why I'm wrong.

No, I came around to it in the end. I kind of figured, but I think that's why GDPR is so important. Yes. It's really about defining the exact terms of what you're consenting to.

Yes, true saying cannot exist unless you're defining the exact context, the exact purpose for use of that data or for, for whatever it applies to any scenario related to consent, as well as the, the limitations and the duration. I, I don't, I don't consent for eternity. I consent for this contextual purpose for the purpose of giving me a credit rating or for the purpose of, you know, giving me an insurance quote or maybe for a year or until I opt out. Those are permissions that are within my control. And that's what we're working with financials.

And that's what they're looking about, consent for us and for the banks and financials that we speak to is about control and giving customers that control at a very granular level For the first, if I can add to that, I think that we as identity people, we very much think about the identity store with single source of suit with the users and user attributes. And, and we are extending that to metadata. We are expanding that to Yuma and to, to new consent standards, but what we also need.

And I think that that'll be a challenge for us as pretty technical infrastructure people is the user dialogue. How do we interact with, with users together that consent yesterday, we saw presentation where in a customer journey step by step things have been consented because they trust has been building up. And so user interaction and user dialogue, can we have your data so that we can do this for, for this period of time?

So I also think that that is very important thing, and I've seen very few presentations touching on that, but I think that would be valuable next year to, to go bit deeper on that third thing that I think will be important is also the governance and administration that we traditionally have seen in identity in companies who had access to which data, cetera, but also the question the user has consented this to be used for a monthly mailing.

How can I make sure that it's not used for weekly mailing, so governance administration and auditing from a perspective of consumer data, that'll also be a territory that's pretty untouched. Yeah, I think also, so there's implied consent, which we all know, you know, I've come, I've walked into this building. So I consent to be here.

You know, it's kind of obvious. And also there's the deeper, you know, I think people understand that we, you know, if you live in a country where you vote, you know, as a democratic society, you're consenting to be in the country. There's an assumption there of consent by the government. So we live in a consent society. So even legitimate interest, well in the EU, you know, you're supposed to have a sign on the front door, says your, your CCTV in this building, it's operating so that you have the opportunity to, you know, consent or apply consent by being a part of that.

And now the GDPR, even though there's many justifications for processing, it's all consent for all of those justifications are about to some degree consent. So there's one word consent is, you know, having many things pushed into it. And what we talk about is identity people is explicit consent on a granular level.

And we, you know, we miss the consent full part that all the users expect. They, you know, they're consenting to be there. They want to go their website. They want to log into something.

So, you know, that's sort of a bigger consent discussion. And I don't think we have the ability yet to, you know, color the consents in a way that's more meaningful expressing for people. Right. And I think that something that's, that's important to that there are two points that I'd like to make to that first is that, you know, I consent to be at this website. So what does that mean? Does that mean that I consent my browser to that loan things from that domain? What about content delivery networks? Right.

So if you're using a content delivery network to load some of the JavaScript or imagery or anything like that, am I also consenting to that because that's part of your architecture. I have no idea where your architecture is.

And so we, I think we need to be really, really careful about what, what it means that, you know, I'm in this building now. Yes. I'm in this building. Do I consent to be locked into this building so that I can't get out in most cases? Probably not. If there is a riots mall outside that wants to kill me, maybe I'll be locked in here for a little bit. Maybe that's okay.

I mean, it is always context. Exactly, exactly. It's context. And so the other point that I wanted to bring up about that, that whole notion of implicit consent is I actually wanna push back on what you were saying before about changing the title of this. Do is this not allowed too bad? I don't consent to that.

I, I don't consent to your moderation because I think that what we really need to be able to do is you, you know, we need to question who really has the control at any given point, right? So we are talking about pulling certain amounts of control away from companies and service operators and, and things like that. And I think that that is important for all of the reasons that for example, mark was bringing up and giving purposes to things like that.

I think that was all absolutely vital that said, if we go through and just step to the model of, oh, we will just explicitly ask consent for everything. And something like that, it's going to be like the ridiculous cookie popups that you get on every European site that nobody reads, right? Those are meaningless. We're starting to get there with, with these cross domain authorization screens.

You know, I do a lot of work with oof and open ID connect. This is foundational to how the protocol works.

You know, do you allow this system to do this thing for you? NA Saur works for Nour research Institute over in Japan has started to call these Pavlos authorization screens, right? Because what happens is people see this screen and there's, there's a button there that says, make it go. They don't see anything else. There's just one button here. I need to find it. And this is the, make it go button. So in those cases, are we really asking consent? Doesn't matter how much information we're throwing at the people, how much data we're throwing at the people.

Are we really providing people with information? I would argue that in a lot of cases, no. And if we are simply putting ourselves in that bucket, are we really giving control to the users or should we instead be modifying where that control actually takes place? Maybe it's something that I do consent implicitly and that I can clean up after and like legitimately clean up. Now that's a very hard question. That's a very hard problem, but perhaps that's how we need to start looking at this and looking at different models of what consent means and how it happens. And you have to get it.

You can take away, take my M away that you consented. So a little bit over time that have not one or two questions from the audience. Anybody have a question or comment? No sense to speak. Right. Okay. Little great.

Well, thanks to the family then. Thank.