Once again, the cybersecurity and privacy tech world is convened in San Francisco for the annual RSA Conference. From the keynotes and sessions I’ve attended so far this year, it’s clear cybersecurity is at a crossroads, driven in part by fast-moving developments in privacy regulations and the progress of the Internet of Things across many sectors, public and private. These trends will be at the center of the presentation I’m giving at RSA the morning of Thursday, February 16th:
A little background on my talk: The move to a genuine ‘Internet of Things’ is undoubtedly showing itself to be the next major phase of digital transformation, one that’s leading to a wave of new business models, services and behaviors. However, the IoT brings one change that is not often discussed: the fundamental reshaping of our interaction and consent options.
The classic web and mobile models of gathering user permission will simply not be practical for the IoT era. A huge range of IoT devices and services will be accessed and operated without the use of a conventional interface, raising major questions regarding how we can properly manage user consent and data privacy.
The fact is that businesses have traditionally treated user consent as a risk management exercise for privacy compliance. But as regulations like GDPR increase consent’s role in compliance, as the IoT reshapes interaction options, and as users become more demanding, businesses need new ways to build trusted digital relationships. It’s time to devise a new strategy based on a richer taxonomy of permission types and new “consent tech.”
Our traditional understanding of consent is not rich enough to admit a useful set of permission types in our connected, data-driven world. Key drivers of change:
1) New privacy regulations include a bigger role for consent that goes beyond basic “data protection.”
2) The increasing digital transformation of business puts pressure on personal data to flow farther and faster.
3) The Internet of Things puts pressure on classic web and mobile models of gathering permission, and presents new reasons for users to want to share data selectively.
4) Businesses are driven harder to build trusted digital relationships with consumers for the long haul, which puts them at greater risk of brand damage and loss of business if they are found untrustworthy.
5) People are becoming more savvy and cynical, and are more willing to walk when they feel taken advantage of.
The familiar model of consent spells out explicit vs. implicit consent, opt-in vs. opt-out consent, rules for disclosure, and when consent isn’t required at all by law…and that’s just about the end of the story.
This model was already proving insufficient in a world where a compliance-oriented approach to consent could cause a stampede to the exits or a social media firestorm, as Spotify discovered in August 2015 and Evernote discovered in December 2016.
It’s certainly insufficient in a world where a connected car might need to ask a user for permission without a mobile app handy; where the EU General Data Protection Regulation (GDPR) has a requirement for a data subject to be able to “…withdraw consent without detriment”; and where web APIs can allow client applications not just to draw data out of services but to push data back in, protected by new “consent tech” such as OAuth or User-Managed Access (UMA).
Given these realities, I have developed a more comprehensive classification system of permission types that can guide the development of consent strategy for digital services. Using this system to develop your consent strategy will help your organization be more successful in building trusted digital relationships and capturing and acting on user intent.
Please join me at RSA to hear my full presentation on Designing a New Consent Strategy for Digital Transformation.