Back To The Future (Of Consent)

Some historical perspective on consent management can help steer teams building for robust privacy operations today. Here are 3 steps to enable more effective consent management in 2021.

What is Data Privacy if not Trust Persevering?

As the concept of ‘privacy’ has evolved throughout history, consent has endured as a key demarcator of trust. On its own, consent constitutes a clear affirmation from a subject that information about their identity can be leveraged by another party. But the types of information collected, the manner of collection, and the processing of that information have all grown more complex with time. What does a nineteenth-century camera have to do with an Ethyca-powered Privacy Center? The answer – as is often the case in our field – involves consent.

As engineering teams, marketers, and compliance pros grapple with building consent frameworks into wildly complex modern infrastructure, some historical perspective can help preserve a firm grip on the fundamental principle that is to be upheld.

Let’s head back to the beginning of what we might consider modern privacy: the invention of the photographic camera.

From Daguerreotype to “Do Not Sell”

The concept of consent figures heavily in Samuel Warren and Louis Brandeis’s famous 1890 article “The Right to Privacy,” one of the earliest legal writings on modern privacy in the US. The invention and widespread usage of cameras led individuals to voice concerns of photography invading their privacy. In short, Warren and Brandeis lay out the principles of a right to privacy and how the laws of the time did not sufficiently enshrine such a right.

Warren and Brandeis’ words reverberate still in modern-day legislation. For instance, they point out that a right to privacy could be considered as:

[A] principle which may be invoked to protect the privacy of the individual from invasion either by the too enterprising press, the photographer, or the possessor of any other modern device for recording or reproducing scenes or sounds.

Importantly, they mention that this principle would be waived under several predefined circumstances, including if an individual consents. I’m no lawyer, but this sounds like an opt-in consent framework! Some of the other exceptions, like situations of significant public interest, echo what we find today in GDPR’s Article 6 on the legal bases for personal data processing.

Warren and Brandeis considered privacy in the context of nineteenth-century technology. In particular, their writings were motivated by the innovation of the camera and the harms of photographing an individual without their consent. While the essence of their work rings true today, it’s important for today’s teams to consider privacy in the context of today’s technology.

Consent Fit for Today’s Tech

Whether the year is 1890 or 2021, consent management frameworks need to achieve two goals:

• They must present a fair request for the individual’s informed consent.
• They must take that consent choice and implement it throughout a corresponding system.

Both of these objectives were much more straightforward to achieve in 1890. At that time, an individual could easily understand the scope of the activity – a picture being taken – and could implement the consent choice by deciding whether to take the picture.

It’s more complex today, to say the least. Look at online advertising.

Tracking for advertising creates a complex web of personal data. Much of the backend systems remain hidden from the end-user such that only a very small group of ad-tech experts can fully account for all the data processing involved. We can’t all become ad-tech whizzes overnight. But it’s crucial for user trust that consent requests accurately reflect what users are signing up for.

Thus, it’s vital that companies have understandable consent requests, right? Well, some scholars see shortcomings in the plainspeak approach to online consent. In “A Contextual Approach to Privacy,” Helen Nissenbaum describes a transparency paradox; plain-language explanations will inevitably miss out on important details about how companies share and protect users’ data.

While I don’t discount Ms. Nissenbaum’s argument that trade-offs come with simplified consent, at Ethyca we believe teams should work to make the process as accessible as possible. This might look like presenting consent requests to users with drop-down text presenting details of data processing cases in understandable terms. In this instance, teams provide an approachable experience that balances detail with accessibility.

3 Steps Toward Effective Consent Management in 2021

For a photographer in 1890, the relevant tech stack was a camera and the photographer’s personal decision-making. For a company in 2021, the relevant tech stack includes tag managers, CRMs, data enrichment platforms, and more. To build sound consent management into today’s data systems, here are a few important considerations:

• The UI should make consent straightforward for users, with clear descriptions of each processing activity requiring user consent.
• A user’s decision to withhold consent should connect with relevant platforms to suppress personal data from downstream processing. Note that cookie-based consent models don’t capture the totality of data flows from a website into the business back-end. Products like Ethyca go a level deeper than cookies to provide all-encompassing suppression of data flows for users who do not consent to data processing.
• Users can and do change their consent preferences over time. The entire consent management system should be equipped to update data flows when a user adjusts their consent preferences.

In short, modern privacy engineers must translate user-facing consent options into functional controls on backend data operations. It’s a technical task, but the core motivation is straightforward. It doesn’t matter whether information is flowing into a primitive camera lens or a complex ecosystem of web applications. Users should be able to make informed decisions about their data, and data systems should respect those decisions.

To learn more about the myriad requirements of modern privacy infrastructure, check out Ethyca’s Privacy Knowledge Base.