Why informed consent is more than playing the game of ethics for opt-in or morals for opt-out?

Image: https://cdn-grid.fotosearch.com/CSP/CSP462/opt-out-vs-in-marketing-consent-agree-clip-art__k60530152.jpg

Key message: the simple decision about seeking the right “consent” is currently an unseen delegated authority. There is a need to bring back consent decisions to the board. At the board we need to debate consent in light of the ideals such as “privacy by design” and brand position; given that consistency across a business is now more important than a single commercial decision.

- o -

As a context, much of the classic(al) thinking and definition(s) of consent are here on wikipedia. There is excellent technical work on consent from Kantara for both the user interface and back office processes based on new consent thinking.

In the idea of implementing “privacy by design”, I published this blog exploring the concept of Approval vs Forgiveness as the method of gaining consent when considering, specifically, innovation. We explored that the purity of a position on consent is not as easy as we would like to think, especially when you need to grow and innovate.

With a focus of the regulators focus on informed consent (genuine & valid) following best practices in the medical industry, how do we deal with this proof, the issues of layered / sharing consent which adds even more technical and ethical complexity. However, ignoring the technical issues, this post proposes that we need to re-examine the implications of Explicit Consent vs Implicit Consent when thinking about our first "Opt-in/out" and how consistent choices affect the entirety of an organisations approach and sentiment towards privacy and their customers; we can interpret this as a culture towards privacy.

To Opt-In or not Opt-In - is that the question?

The need for society to be opted into organ donation has been debated for over 20 years. The need for businesses to pre-tick Opt In for marketing materials is an economic pressure and measurable KPI; however, the desire for consumer protection ensures opt-out by default in alignment for privacy first and privacy by design thinking. Consent is a messy.

If you read your own Privacy Policy what does it say about “do not track.” How does your advert follows users across all their media; what is your policy on specific informed consent or do you depend on a generic statement “we may share you details with third parties” and do you have an effect method to see how the data when passed is controlled. Do you know what type of consent that data you just accessed to reach new customers has?  Consent has got complex.

The simple choices of opt in/ opt out default can drive the culture of your company, management and teams; it positions your attitude towards your customers and partners, it has massive operational impact as it is the start of customer/ partner engagement and provision of controls to customers and it is becoming a defining competitive differentiation. Consent has got value.

To be clear; companies, citizens, government, the law, your board and each department remain confused on what is right and will disagree. This table is one example for organ donation by country. Consent has got personal.

There are reasoned and weighty arguments for both opt-in and opt-out. Since there are economic conflicts to having a unified approach driven by: time, measures and survivability; the decision is delegated down. Indeed there is no right answer to either case in all situations.

source: https://www.researchgate.net/figure/Arguments-in-favor-opt-in-and-opt-out-procedures_fig1_230686310

We also are aware that within opt-in and opt-out there are variants by industry

We have developed and expanded the Kantian model of ethics but maintaining this in the light of economic pressures is what makes consistent consent decisions so hard.

An example from last week. My old aged neighbour has just lost email contact with me. I called round to see if the computer is working, I check the broadband, settings, software and batteries in the keyboard and mouse. We sit down over a cuppa and I find he has been (auto) opted-in to the Talk-Talk upgraded email interface. He can no longer work it, it is so different he cannot even find his email in the mayhem of marketing and banner ads.

I can hear the debate: Marketing say has to be automatic to keep the best UX experience, legal says implements new regulations, our contract says it is what they agreed to, tech says it saves money not running two systems and commercial says we will see 10% more ads served and more income; all the management agree “just do it” as that is my job and access to my bonus.

Marketing and commercial KPI’s looks amazing, tech has one system, my elderly neighbour has just been cut off. Did he really opt-in? How does the board bring back this decision and start to drive consistency in the belief of privacy first?

The Board Issue : consistency

The board owes a duty of care to customers, suppliers, employees, investors and society. This balancing act of keeping everyone happy is always in an unstable or changing state as power shifts amongst the stakeholders, depending on say performance, competition or funding requirements.

It was somewhat easier 10 years ago but then came along came a new economic model based on data (data is data and not oil); along came hacking, privacy breaches resulting in bad press and damage limitation for the brand, along came new regulations, along came the ideas that #privacy could be the new differentiator. Then came the reality. To put the customer first will have massive implications on performance, income, adoption, survival and access to funding.

Is our decision to pick/ force opt-in/out (or not select either)

  • putting our customers first
  • aligned to the culture we want on privacy
  • in-line with our privacy policy and T&C’s
  • consistent with our branding and marketing messages
  • affecting our supply chain and ecosystem
  • changing our ability to gain new customers
  • creating short or long term value and how

We need to examine the implications of consent starting from the very first opt-in/out and how consistent our choices are and what effect they have on the entirety of our organisation.

The option of an inconstant approach has gone, so is the lose sentiment towards privacy. This means that the delegated authorities for what appear to be simple choices need to be revoked and dragged back for a period whilst we create the consistency we need towards privacy, if privacy is to be a differentiator.