First thing’s first: what do I even mean when I say ‘data’? Let’s just look at data as information. It could be information about yourself, about someone else, about the colour of your bike, or even information that you just made up.
Second thing’s second: what do I mean when I say ‘consent’? Okay well… this is an icky word with various connotations. I feel that many things about the internet need to change, and just one of those things is the language we use when describing stuff like this. What we’re talking about here is users ‘consenting’ to their data being processed. And what I’m talking about is this: stop saying ‘consent’ and think of a different word.
First of all, the language in both of these sentences magically makes it so that you can ‘give consent/permission’ simply by just continuing to browse a website - a very passive, non-explicit action. Am I still technically ‘browsing the site’ if I walk away from my computer immediately after opening the page? Furthermore, it feels wrong to be told that you are giving consent/permission, rather than being asked to give it.
Second of all: consent is softer than permission. ‘Implicit consent’ feels like a real thing. ‘Implicit permission’ does not. Permission is purposeful and concrete. Consent is that too, but can also be implied and indirect. Like when you walk into any shop on the high street, you implicitly consent to being recorded on security cameras. By being in the shop, you’re saying it’s okay. Hardly anyone really refers to this as giving permission.
So then, what about receiving planning permission from a local authority to get an extension on your house? Well… congratulations for somehow buying a house in this economical climate. But more importantly, planning permission is a formalised thing that you receive, and you can also call it planning consent.
It seems that the way we use and understand the word ‘permission’ is much narrower than how we use and understand ‘consent’. The word ‘consent’ is somehow flimsier and more open to interpretation - and therefore open to misuse. And I guess that’s why it’s used so much online when talking about data 🤔
So we’ve unpacked the first problem with ‘consent’: the way the word is used. Now to look at the fact that it’s the only word used.
Consider this: you’re bored, and have decided to buy yourself a cool custom t-shirt with your name on it (yes, you’re that person). You find mytee.shirt which is an online service that lets you put your full name on your t-shirt, if you want.
So you create an account which means that you give them your name and email address (and also set a password). Then you get to the t-shirt making screen where you decide what will go on the t-shirt. There’s a button that says ‘just use my name’. This button, of course, would not do anything had you not already provided them with your name. There’s another button that says ‘do more custom stuff’. You ignore that second button and obviously just use your name because yeah, obviously.
Then you go to pay. You enter credit card information. You click the pay button and are shown a screen that confirms your purchase. It also informs you that your credit card information will be used to speak to your bank and then process the payment (as well as letting your bank know how much you spent and where). This is obvious - they need to do that otherwise they can’t take the payment and you won’t get your awesome t-shirt. Duh.
Right, what’s the point in me explaining this bit?
So in this case there is no asking for permission/consent - you’re just handing a bit of data over in order to perform a necessary action. Data sharing is more nuanced than a site barking stupid questions at you about using your email for marketing purposes and personalising ads (because personalised ads are somehow so much better 🙄). In the case of mytee.shirt, if you didn’t want them to use your credit card details, you just wouldn’t share them and your purchase would not be made. Simple.
In other cases, handing a piece of data over could be a simple acknowledgement of the rules. Like entering a computer game website and being asked to enter your age. You literally cannot use the site until you tell them that you are over 18. Obviously these mechanisms are ineffective in actually verifying your age, but my point is, data can be handled and processed, and consent doesn’t come into it at all.
Language about how data is processed by organisations has become shady and gross. ‘Opting in’ used to be reserved for pension schemes. Now It’s for marketing emails and other crap which is notoriously difficult to opt out of. This sneaky repurposing of language has become an accepted new vocabulary for both businesses and consumers.
And this new vocabulary has made it possible for organisations to ‘opt out’ of being GDPR compliant while you, the user, unwittingly ‘opts in’ to the data you share being monetised and spread across ad networks.
Further to this, a now accepted part of our new internet vocabulary is to ‘ask’ for consent or permission in a way that does not empower the user at all. Simply telling a user that they are consenting to data being shared by browsing a page should not be how this works. There is one key word missing here that I have not used in this entire article yet…
Knock knock oh, who’s that? Ah yes it’s transparency trying to join the conversation. There’s not been space at the table for transparency so far, but I’m making it now * wheels Mark Zuckerberg out of the room * cool that’s better.
In the name of transparency, I would like to argue that simply asking for permission to use someone’s data is not enough. Even if you ask for that permission in the best, most explicit way. Simply being informed about data usage is important too. Think back to your mytee.shirt purchase. They informed you that your credit card details were going to be used. This is one step towards actual transparency - knowing, as and when it happens, what the data that you have provided is being used for.
How would this manifest in the wild? One way could be that after signing up to a site, they inform you that your email will be used in the future to notify you of any suspicious account activity. By telling you this, they are simply being transparent in a way that your email may be used in the future. There is no opting in or out of this because this ties in with their policies surrounding account security.
Simply by making this statement, they imply that your email is not being used for anything else. This is very different from not saying anything at all; a practice widely recognised as the norm with the majority of organisations. Putting things in writing with a bit of informative text very aptly sets the user’s expectations where they should be.
With this transparency it becomes clearer that the sharing of data is not limited to trying to find the ‘decline’ button on an annoying cookie banner. The conversation is about more than just giving consent, and consent really is not the right word any more.
How we use and understand this language is important - it helps us see that sharing data is also an acknowledgment of the rules, a necessary transaction, or a vital step in getting your full name printed on a cool t-shirt. Limiting the words we use for these things will only slow us down.