Data Protection and Financial Inclusion: Why Consent Is Not Enough

To ask for a person’s permission, or consent, has been the cornerstone of privacy and data protection around the world. The argument is that once someone has carefully considered their options and provided consent or ticked a box saying, “Yes, I agree to the Terms and Conditions,” they fully understand what will happen to their information and are in control of how their data will be used and disclosed.

But here is a long known but often overlooked fact: Virtually nobody reads online contracts, license agreements, terms of service or privacy policies. We say we do when we click to confirm we’ve read and agree to terms and conditions, but several studies show this is far from the truth. A recent Deloitte survey of 2,000 consumers found that 91 percent of people consent to legal terms and services conditions without reading them. For younger people, ages 18 to 34, the rate is even higher with 97 percent agreeing to conditions before reading. Even if someone wanted to be diligent and carefully read privacy notices, research shows it would take them 76 work days to read all the notices they should.

One of the fundamental notions underlying data protection and privacy policy is to ensure autonomy for citizens over their data and what is done to it. In theory, it is the individual who decides where their data goes and what is done to it. In practice, whatever is stated in a provider’s privacy policy usually dictates usage and disclosure of personal — sometimes sensitive — information. As a result, consent is insufficient to protect our data rights and individual autonomy .

Attempts to make consent more customer-centric have yielded mixed results

In an ideal world, consent requests would be designed to help consumers carefully consider their privacy options and consent only to the parts with which they agree. But today, privacy notices are often long, complex documents written by legal teams to ensure that companies limit liability and protect against regulatory scrutiny by granting themselves close to free reign over customers’ personal data.

Some regulators and companies have experimented with ways to make privacy notices more customer-centric and empowering. Solutions have included breaking notices into smaller chunks of information and asking for consent at more relevant times, such as when data is about to be shared, transmitted or processed, as opposed to before a service is accessed. An example of the latter approach is when Facebook asks users to consider whom to share their pictures with, just before posting. While sometimes successful in making people think before they click, it is unclear whether these measures change behavior considerably. In some cases, these deceptively simple notices have been used to justify undisclosed and widespread information sharing.

Even if such improvements enticed more people to read consent agreements, they do little to address the problem of flexibility. Whether a consumer wants to download an emoji app or access an online credit service, they usually have two choices: either accept the terms and conditions completely or don’t use the service at all. There’s no flexibility to negotiate an individualized contract or tailor a service to one’s comfort level. When the only other option is not accessing a service they want or need, people are inclined to click “yes.” As data privacy lawyer Rahul Matthan noted in LiveMint earlier in 2018, “Our need to participate on these platforms often overrides our instinct to refrain from agreeing to clauses we disagree with.”

But consumers do care about their privacy and their rights

Consent may be broken, but do people care for protection and control at all? Some suggest that privacy is a thing of the past and that we may be fine with sharing data and losing privacy. While there is some growing ease with sharing data, research shows that data security breaches in the past five years have prompted citizens to adjust their preferences, limit use or opt out entirely.

In 2017, CGAP, Dalberg and Dvara conducted a qualitative study in India, where Aadhaar has stirred public debates about the appropriate use of data. It showed that rural and urban residents strongly asserted their right to have personal information treated responsibly. They indicated clear and strong preferences for a system that gives them agency and control over their data.

A similar study by Deloitte in the United States in 2018 showed that 73 percent of all consumers across all generations said they would be more comfortable sharing their data if they had better control.

Consent is necessary but no longer sufficient for empowering consumers

New solutions may improve consent, but as the digital age progresses the consent model is becoming less fit for its purpose . Today, many of us own devices like Alexa that can listen to us all day at home. This may be fine if we’ve given our consent, but what about the guests who enter our homes and who haven’t consented? Cameras also frequently capture our image and movements without our consent. Advances in data sharing are also making consent less feasible. For instance, open APIs are enabling data to flow from one app to another. Machine-learning algorithms of the future may combine disparate forms of personal and non-personal data to create deep individual profiles. If a financial institution used your location data to help determine your creditworthiness, for instance, this could mean that failing to pay attention to your phone settings could cost you a mortgage or small business loan.

As these services proliferate, consent is becoming an even more complex task and unfair burden for consumers. It’s hard to imagine that the world will completely abandon some form of consent in data protection policy; consent of some kind is fundamental. Nevertheless, consent alone is not enough to protect individual autonomy in the 21st-century digital economy . In addition to improving the way consent is obtained, some responsibility for data protection should be shifted to the entities that collect and process data. At the same time, we must also ensure autonomy by enshrining rights for citizens that allow them to delete, transfer, question and, where appropriate, correct their own data.

What would an approach to data protection that goes beyond consent look like? We’ll explore this question in upcoming posts in January. In the meantime, please share your comments and questions with us below.