Why the “notice and consent” model is broken, and what we can do about it instead.
The Problem with Consent-driven Privacy Models
For as long as we can remember, the fundamental tenets of privacy regulation was to put folks in control of their own data by deciding three basic things:
- whether to share their data
- how their data may be used
- by whom their data is accessed/processed
But this model is outdated in the age of big data, in which there are so many secondary uses for user information that transcends what was imaginable at the time that the data was gathered. Privacy, cannot be guarded when the framework for protecting it hasn’t kept pace with the ingenuity of how parties might use (or abuse) user data beyond its original intended use.
The biggest problem with the original principles was that it unevenly distributed responsibility to the individual (data generator). It assumes that the user — by virtue of giving “informed consent” — is able to imagine all of the potential use cases for which their data may be consumed, processed, accessed, and utilized. This assumption is naive at best, and completely manipulative at worst.
