In order for consent to be informed, end-users must understand what data is being gathered, who will have access to it, and how it will be used. However, ethically, it is also incumbent upon organizations gathering data to ensure that potential harms are conceived of and shared with users. These harms should be shared in a way users can understand, and proportionate to their potential impact and the statistical likelihood of their occurrence. It is conceivable that companies managing private data could advertise the “side effects” of sharing data the same way drug companies must in their advertisements. In order to request and achieve informed consent, organizations must first understand, and then clearly communicate, how they and their partners will 1) use data and 2) ensure that the data will not be accessed or used in ways that fall outside of the scope that has been, or will be, communicated to end-users. This is the “consent” element.
Common sense dictates that users should also derive value from the disclosure of the data they share in some way. If not, no matter how good the messaging around the data usage is, companies will struggle to receive consent.
The requirements necessary for informed consent fall under the larger concept of “data literacy”—awareness of how digital data is affecting all parts of modern life. Discussion of data literacy raises questions about the feasibility of, and responsibility for, education around data collection and use at both a public and an enterprise level. How much time and attention should people reasonably be expected to devote to understanding the intricacies and implications of data collection and use? What level of responsibility should be placed on organizations that play a role in how users interact with consent?
Selecting “accept” on an End-User License Agreement (EULA) may count as informed consent from a legal perspective. But is the information in the small print really accessible to most users in a way that satisfies the ethical challenges surrounding data monetization, data sharing, and the myriad other ways that individual data may be used, or could be used in the future? The uses of data, and the distinctions of who benefits from those uses (and how), are constantly evolving and in flux, and imagining those uses is part of data literacy. As a result, it’s difficult to define an endpoint for consent in this context. There is perhaps no such thing as being truly data-literate in the general sense; we can only attend to specific uses and types of data, and, on an organizational level, commit to transparency and iteration of consent agreements as organizations continue to explore the value and dangers of personal data as a resource in the digital age. End-user license agreements are premised on the idea that organizations and end-users are digitally literate—prepared to imagine the impact of their disclosures—and that both organizations and end-users speak the same language about data. Without that awareness, and that shared language, informed consent in EULAs is not present.
With the information and understanding required for consent and ethical use of data constantly changing and hard to measure, best practices for organizations that collect and use data must focus on improving transparency and communicating intent. From a customer and partner relationship perspective, there’s an obvious benefit for organizations which make a visible and genuine effort to provide information about their data use. Critically, that information must be provided in terms that everyday users can understand and accept—or reject—with confidence. One might also propose that the process of converting the most common jargon in EULAs and Terms of Service (TOS) documents to everyday language would go a long way toward having people within organizations understand, and be honest with themselves, about the ethical nuances of data collection and use.
There is a disincentive for many companies to disclose data uses either when their data use is not in the obvious interest of the user (e.g. marketing/advertising emails) or when an incomplete understanding of how data is actually collected, transformed, and protected—or made vulnerable—scares users. An example of this gray area created by a lack of digital literacy can be seen in misunderstandings between Google and some of its users about how it was (or was not) using the content of customer emails to provide targeted ads through free versions of its Gmail service.⁷ Because users did not understand (and Google did not effectively communicate) where customer data was being processed and what the implications of that were for users, stories of upset customers raised skepticism about the integrity of Google’s handling of private information.
Ethical practice is particularly complex when intent, consent, and benefit are subject to very different interpretations. Consider Facebook’s massive, longitudinal study on the impact a positively or negatively skewed news feed had on a user’s own posts.⁸ When this study was announced (after the fact), there was immediate backlash. While Facebook may have been within the bounds of its EULA to conduct this study, the response shows that it had misjudged how users would react. Users responded poorly to the news that their behavior was being studied based on a manipulation of the information being presented in their feeds. In addition, it was unclear whether their unwitting participation in the study would lead to better products and services (which might at least provide some positive outcome), or if the results would be used to steer spending or ad placement (which might make the study feel exploitative). This study existed in a controlled environment with an institutional review board (IRB) responsible for ensuring study participants were treated fairly, but the response when the information was made public was not entirely positive.⁹ In response to this reaction, Facebook has taken steps to publish a framework that details the guidelines and best practices it will utilize in research, with the goal of preventing miscommunication around future studies.¹⁰, ¹¹ However, typical A/B (and multiple-variable) software testing is not required to go through these same review processes. When changing variables ‘A’ and ‘B’ in ways that could have real impacts on emotional response (or in the physical world), organizations need to be clear about how they intend to use the resulting data.
Data transformation and use
Informed consent requires sufficient understanding by all parties of how data will be transformed into meaningful information. It is in this transformation that many of the unintended consequences of data sharing and data collaboration take form. Use implies access, but the real issue at hand is accessing data to transform it into something else—information. This information is then used on its own, as insight, or to trigger actions. Whether those actions are executed by humans after manual digestion of those insights, or those actions are a response to logic programmed in advance by humans, the world of human ethics collides with the world of binary logic in a messy, hard-to-track decision tree with effects often more evocative of chaos theory than simple branched charts. Given this complexity, the best approach to managing user expectations around data transformation and use of resulting information is to provide clarity at the time of data collection as to intended and potential future uses. The goal is to ensure that meaningful consent is achieved.
Complexities of law and jurisdiction
While it is a common method of securing consent from a legal perspective, requiring users to grant use of data before accessing necessary services is often not in the user’s best interests. Moreover, such agreements may play on a lack of data fluency, even more so with use of complex legal language. End-User License Agreements (EULAs) and Terms of Service (TOS) agreements are the places where most of these data exchange agreements occur. The Electronic Frontier Foundation has been warning users of the rights they relinquish in these agreements since at least 2005. Case law in the United States and other jurisdictions provides limited protections to end-users and corporations, so the enforceability of EULAs and TOS agreements varies by jurisdiction.
There has been widespread debate over enforceability within complex data relationships—especially those in which companies, users, and strategic data partners may exist in jurisdictions with conflicting case law. Perhaps most notable is the European Union’s decision to insist that all European user data be stored on servers housed in the EU, both to protect users from environments with less privacy-focused regulatory controls than the EU, and also to prevent government-sponsored surveillance and tampering.¹² However, this approach is incomplete because it is based on the belief that data being used is primarily at rest—stored statically—and primarily accessed by the same parties who stored it, on behalf of the same users. When data is often in motion between various servers and algorithms with massively complex interdependencies across state and corporate lines, such regulation provides little real protection for users. At the other end of the spectrum, strict interpretation could silo data about users in a way that limits meaningful use of the data by the people furnishing, storing or transforming it.
Mechanisms for consent
Informed consent is especially challenging in the digital age. The rapid transit of data from server to server, transformed through algorithms and intermingled with other data, means that the intentions and realities of each organization and individual that touches that data must be understood in order to give fully informed consent. This happens in one of two ways: either through data-fluent, savvy users with access to transparency throughout the data supply chain; or through proxies of trust, where a trusted third party, approach, or standard is used as a proxy for trust in all entities along the data supply chain. For the latter category, there are multiple approaches to establishing trusted data use:
Facebook, Google, other single sign-on and API aggregators, consortia, or other trusted groups assure users that private data is passing only through systems with certain standards of protection.
Apple’s App Store (and how, for example, its review process caught data leaks introduced across many apps through spurious analytics tools for developers) is an example of an approach where users trust new services (provided by apps, in this case) based on their vetting by a familiar party.
Kit (trusted core) approach
Software Development Kits (SDKs) are sets of common tools, often hosted by a single party or consortium, which empower app developers to create value without having to invent their own frameworks and tools. Apple’s HealthKit and related ResearchKit manage data about users, and if a user trusts HealthKit’s standard for privacy, they may be more likely to use apps which abide by the privacy standards set out by such an ecosystem.
Industry standards and compliance
Trust can be established through industry standards and/or governmental compliance, like health codes, security clearances, or other commit-and-audit-by-third-party strategies. These allow organizations to opt in to standards that are sufficient to meet government regulations.
Embedded trust/trusted technologies
Technology-based strategies (such as blockchain) assure users that their data is protected not on the basis of where it is stored, but by the mechanisms that encrypt data, record exchanges, and provide proof that those exchanges have occurred. In-hardware protection, such as specific forms of encryption or embedded SIM cards, can also be considered a point of embedded trust.
Communicating and verifying intent
Users must be aware of the intended uses of the data they furnish to an app or service in order to provide informed consent. This communication is not complete if users don’t actually know or understand what data already exists or could be gathered by devices, such as location data in a mobile device or a microphone embedded in a smart television remote which they didn’t realize is “voice-capable.” Once users understand both what the data being gathered about them might consist of and also how an application or service intends to use that data, informed consent can be established. However, it’s critical to ensure that the communication generated to achieve consent is created using language that truly informs, rather than obfuscates.
From obfuscation to clarity: Decoding the EULA
While End-User License Agreements may use technical language that renders them insufficient to achieve truly informed consent (as discussed earlier), there are several existing models for translating the complex technical concepts of user consent agreements into accessible language for the public. One such model is the “Privacy Nutrition Label” developed by a joint team from Carnegie Mellon University and Microsoft.¹³ Their project catalogued the types of information required on safety and nutritional labels and approached the problem of informed consent and data fluency as a design problem. The result of their work is a comparison chart which distinguishes opt-in data from that which is automatically collected, states how various types of data would be used, and includes a glossary of terms for further clarification.¹⁴
Carnegie Mellon’s CyLab Usable Privacy and Security Laboratory has developed an online platform that allows users to decode complex privacy agreements for themselves.¹⁵ Their website lets users search by URL or website name, then pulls the privacy agreement language from the source site. The agreement is then presented to the user in its original form, along with a sidebar that categorizes each statement by function or topic and offers common-language explanations clause by clause.¹⁶ An added benefit of this platform is that the common-language phrases are visually linked to the “legalese” in the original—the translated text is highlighted when mousing over the corresponding explanation. This allows users to gradually become familiar with the practical meaning of the more complex privacy notice language, encouraging and enabling them to read and translate data-use agreements in the future without the need for a translation tool. In this way, this particular solution acts as a vehicle to further data fluency, while simultaneously preparing the user to self-educate in the future.
Both of these solutions point to an important consideration: not all users understand information through the same media. Some people need visual examples and graphical representations of information, others prefer concise statements that focus on consequences and impact, and others may want to know all the details. As we consider what informed consent requires in regard to communication, education, and understanding, adult learning styles become a design consideration that legal departments and traditional UX developers cannot be left to solve on their own.
Managing consent over time
The best implementations of informed consent manage consent not just at the beginning of using a service, but over time, especially at critical junctures.
Privacy checkups: adjusting and maintaining consent while educating users
One example of actively managed consent over time can be found in Apple’s Location Services function within iOS. It prompts users not just when an app first asks to know the location of the user, but also when an app has been using the phone’s location in the background for an extended period, to confirm whether the user intended to let that app continue accessing their location. This ensures both that the user consents initially to a specific app’s request (rather than simply granting access to all apps) and that they can continue to enjoy the benefits of allowing location access or revoke consent to that usage if they change their mind.
In another example of actively managed consent over time, Google’s security checkup helps Google users understand how the data they disclose is used in delivering Google products and services.¹⁷ The six-step process, which is periodically offered to users but can also be accessed any time on request, walks the user through different permissions that may or may not have been granted when the user last agreed to Google’s terms and conditions. Users are given the ability to modify these permissions either by restricting data use, pausing data collection, or updating basic information like telephone numbers. For example, if a user does not want to be served targeted ads, the checkup allows them to turn off targeting entirely or to adjust the topics for ads that Google deemed relevant to that user. As terms of service and end-user license agreements are updated, reviewing this information allows users to reconfirm that their expectations around data use are being met, and to modify permissions if they are not.