User Agency, Not User Consent
This paper seeks less to detail an exact solution and more to outline a genuine problem and some potential requirements to address it.
Consent Is Toxic For Privacy
Consent is increasingly seen as the primary basis upon which to process personal data, in much the same way that it was long considered an acceptable foundation atop which a security model could grant an application elevated privileges simply because the user clicked through a prompt. That was by and large a dreadful approach to security; it is hardly any better for privacy.
Relying on consent to the processing of personal data suffers from numerous issues, amongst which:
- It leads to consent fatigue such that users — even when educated to the underlying issues — will eventually give up and simply accept.
- It strongly incentivises dark UX patterns from the party expected to garner consent. This has led to a race to define increasingly precise guidelines as to what constitutes fair and informed consent (the WP29 “Guidelines On Consent” run to 31 pages with dozens of footnotes referring to other sources for further detail). The likelihood that regulators can beat thousands of designers working to defeat user protections in this race is low.
- It is grounded in a simplistic vision of personal data processing. In today’s Web economy, even a relatively simple service will be tied up in a knot of personal data processing that is far too complex to convey to a user within a single dialog (no matter how often WP29 calls for creativity in this domain), and users do not have the time (or desire) to make such decisions several times a day.
- It puts the onus of enforcement and decision on the user, representing an abdication of responsibility by service providers and user agents. Even if the option of individual controls over privacy is desirable, the broad application of consent is inherently a surrender of privacy by design and by default.
- While the literature describes cases in which after-the-fact consent is meaningful, and in some less-invasive cases implied consent is acceptable, overall consent tends to imply modal interfaces. These, in turn, inherently lead to fatigue and automatic bypassing. It could be argued that consent is structurally problematic.
- Overall, when consent is relied upon excessively it becomes toxic for privacy at both the individual and collective levels.
This is not to say that consent should never be used when processing personal data; there are situations in which it is the best option, namely when it is rare enough to catch the user’s attention, typically because sensitive personal data or potentially harmful processing are involved.
Traceability & Provenance
More so than security, privacy can benefit from curative approaches in addition to, or at times instead of, preventative ones. With rights of erasure, privacy can be recovered after the fact (assuming actors operating within the law; illegal actors exist but are not the primary threat addressed here).
This opens up avenues in which privacy would not be handled synchronously (a requirement that is at the root of many of the problems with consent) but through after-the-fact cleaning up, either by the user or by services the user could rely upon.
Regulation-backed rules requiring user agents to track which data they share, and requiring services to publish machine-readable traceability of which other parties they in turn share data with, would make it possible to produce the transitive tree of data sharing for a given user. That tree would expose the full breadth of sharing, and would enable cleanup sessions in which data erasure requests are dispatched automatically to most if not all of those third parties, including parties that received data outside the user's direct oversight.
I am deliberately not jumping into solutions (though many suggestions have been made, from reliance on .well-known descriptions of sharing and provenance to new session mechanisms replacing cookies). The point is to replace modal, synchronous consent with amodal, asynchronous agency over a user's involuntary data footprint, while enabling auditability of the data sharing by trustworthy third parties.
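As an added illustration of the traceability mechanism sketched in the previous section (example code written for this page, not the paper's own, and not a proposal for any particular wire format), the script below builds the transitive data-sharing tree for one user from two constructed inputs: the user agent's own log of what it handed to first parties, and each party's machine-readable record of onward sharing, of the kind a user agent might fetch from a hypothetical .well-known resource. It then turns the tree into the list of erasure requests a cleanup session would dispatch. The record format, the party names and the data items are all assumptions; a real user agent would fetch the records over the network rather than read them from a literal.

```javascript
// Added example (not from the paper): build the transitive tree of data
// sharing from provenance records and plan erasure requests from it.
// The record format, party names and data items below are assumptions.

// Constructed sample: what the user agent itself recorded sharing directly.
const USER_AGENT_LOG = [
  { party: "shop.example", data: ["email", "address"] },
  { party: "news.example", data: ["email"] },
];

// Constructed sample: per-party provenance records (hypothetical format,
// e.g. published under a .well-known path). Each entry says which data
// items the party forwards and to whom. Note the ads/broker cycle, that
// ads.example claims to forward an address it never received, and that
// courier.example publishes no record at all.
const PROVENANCE = {
  "shop.example": [
    { data: ["email", "address"], to: "courier.example" },
    { data: ["email"], to: "ads.example" },
  ],
  "news.example": [{ data: ["email"], to: "ads.example" }],
  "ads.example": [{ data: ["email", "address"], to: "broker.example" }],
  "broker.example": [{ data: ["email"], to: "ads.example" }],
};

// Breadth-first walk over (party, item) pairs. A party can only forward an
// item it actually holds, so a claimed flow of "address" out of ads.example
// is ignored. Cycles terminate because a pair is queued at most once.
// Returns { holders: Map<party, {data: Set, via: Set}>, opaque: Set<party> }
// where `opaque` lists parties that hold data but publish no record: the
// points at which the tree can no longer be followed. A party with an
// empty record (`[]`) is not opaque; it states that it forwards nothing.
function buildSharingTree(log, provenance) {
  const holders = new Map();
  const opaque = new Set();
  const queue = [];

  // Record that `party` holds `item`, learned through `via`.
  // Returns true only the first time the (party, item) pair is seen.
  const record = (party, item, via) => {
    if (!holders.has(party)) holders.set(party, { data: new Set(), via: new Set() });
    const h = holders.get(party);
    h.via.add(via);
    if (h.data.has(item)) return false;
    h.data.add(item);
    return true;
  };

  for (const { party, data } of log)
    for (const item of data)
      if (record(party, item, "user-agent")) queue.push([party, item]);

  while (queue.length) {
    const [party, item] = queue.shift();
    const entries = provenance[party];
    if (entries === undefined) { opaque.add(party); continue; }
    for (const { data, to } of entries)
      if (data.includes(item) && record(to, item, party)) queue.push([to, item]);
  }
  return { holders, opaque };
}

// One erasure request per holding party, listing what to erase and the
// chain through which the user agent learned of the holding, so that
// parties the user never dealt with directly are covered too.
function planErasureRequests({ holders }) {
  return [...holders]
    .map(([party, { data, via }]) => ({
      party,
      erase: [...data].sort(),
      learnedFrom: [...via].sort(),
      direct: via.has("user-agent"),
    }))
    .sort((a, b) => a.party.localeCompare(b.party));
}

// Walk the constructed sample and print the plan a cleanup session would dispatch.
for (const req of planErasureRequests(buildSharingTree(USER_AGENT_LOG, PROVENANCE)))
  console.log(JSON.stringify(req));
```

Two points the walk makes visible that the prose leaves implicit. First, the tree is only as complete as the records are honest and present: courier.example ends up in `opaque`, which is exactly the blind spot a user, or a service acting for the user, would want surfaced rather than silently dropped. Second, deduplicating on (party, item) is what makes the cycle between ads.example and broker.example harmless and what stops a party from being credited with data it never received, so the erasure requests stay accurate rather than merely broad.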