Why “#Privacy-by-Design” is more than playing the game of #ethics of opt-in or the #morals of opt-out.

Key message: decisions about the right type of initial explicit and informed “consent” sought from customers are currently an authority delegated by the board. This article argues that there is an imperative to bring “consent” decisions back to the board, at least for a while. The board needs to debate “consent” in light of ideas such as “privacy by design”, ethical AI, brand values, privacy policy, cookie policy and culture, given that consistency across these critical business areas is increasingly a core differentiator.

- -

As context, much of the classic(al) thinking and definition(s) of consent are here on Wikipedia. There is excellent technical work on consent from Kantara for both the user interface and back office processes based on new consent thinking. MEF is publishing really helpful thinking on UI/UX.

On implementing “privacy by design”, I published this blog exploring the concept of Approval vs Forgiveness as the method of gaining consent, specifically when considering innovation. We explored that the purity of a position on consent is not as easy as we would like to think, especially when you need to grow and innovate. Here we explore decision making.

Given the regulators’ focus on informed and explicit consent (genuine and valid), following best practice in the medical industry, how do we deal with this proof, and with the issues of layered / shared consent, which add even more technical and ethical complexity? Setting the technical issues aside, this post proposes that we need to re-examine the implications of Explicit Consent vs Implicit Consent when thinking about our positioning on “Opt-in/out”, and how consistent choices affect the entirety of an organization’s approach and sentiment towards privacy and its customers; we can interpret this as a culture towards privacy.

To Opt-In or not Opt-In - is that the question?

The need for society to be “opted in” to organ donation has been debated for over 20 years. The need for businesses to pre-tick Opt-In for marketing materials is an economic pressure and a measurable KPI; however, the desire for consumer protection ensures opt-out by default, in alignment with privacy-first and privacy-by-design thinking.

If you read your own Privacy Policy, what does it say about “do not track”? How does your advert follow users across all their online experience and social media? What is your policy on specific informed consent, or do you depend on a generic statement such as “we may share your details with third parties”, and do you have an effective method to see how the data is controlled once it has been passed on? Do you know what type of consent the data you just accessed to reach new customers has? We all know consent has become complex.

The simple choice of an opt-in/opt-out default can drive the culture of your company, management, and teams; it positions your attitude towards your customers and partners; it has massive operational impact, as it is the start of customer/partner engagement and the provision of controls to customers; and it is becoming a defining competitive differentiator.

To be clear; companies, citizens, government, the law, your board, and each department remain confused about what is right and will disagree. This table is one example of organ donation by country.

There are reasoned and weighty arguments for both opt-in and opt-out. Since there are economic conflicts with having a unified approach, driven by time, measures and survivability, the decision is delegated down. Indeed, there is no right answer for either case in all situations.

https://www.researchgate.net/figure/Arguments-in-favor-opt-in-and-opt-out-procedures_fig1_230686310

We are also aware that within opt-in and opt-out there are variants by industry.

We have developed and expanded the Kantian model of ethics when thinking about consent (opt-in/out), but maintaining this in the light of economic pressures is what makes these simple but ethical consent decisions so hard, and often lacking in consistency.

An example from last week. My elderly neighbour has just lost email contact with me. I call round to see if the computer is working; I check the broadband, settings, software and the batteries in the keyboard and mouse. We sit down over a cuppa, and it turns out he has been opted in to his TalkTalk upgraded email interface. He can no longer work it; it is so different he cannot even find his email in the mayhem of marketing and banner ads. Marketing say it has to be automatic to keep the best UX experience, legal says it implements new regulations, our contract says it is what they agreed to, tech says it saves money not running two systems, and commercial says we will see 10% more ads served and more income; all the management agree “just do it” as that is my job.

Marketing and commercial KPIs look amazing, tech has one system, and my elderly neighbour has just been cut off. Did he really opt in? How does the board bring back this decision and start to drive consistency in the belief of putting the customer first?


The Board Issue: consistency

The board owes a duty of care to customers, suppliers, employees, investors and society. This balancing act of keeping everyone happy is always in an unstable or changing state, as power shifts amongst the stakeholders depending on, say, performance, competition or funding requirements.

It was somewhat easier 10 years ago, but then along came a new economic model based on data (data is data, and not oil); along came hacking, the fast growth of the cyber-security industry, and privacy breaches resulting in bad press and damage limitation for the brand; along came new regulations; along came the idea that #privacy could be the new differentiator. Then came the reality. Putting the customer first will have massive implications for performance, income, adoption, survival and access to funding.

Is our decision to pick/force opt-in/out (or not select either):

  • putting our customers first?
  • aligned to the culture we want on privacy?
  • in line with our privacy policy and T&Cs?
  • consistent with our branding and marketing messages?
  • affecting our supply chain and ecosystem?
  • changing our ability to gain new customers?
  • creating short or long term value, and how?

How, as a board, do we get the facts and data to ensure this and determine whether we have made the right decision? We need to examine the implications of consent starting from the very first opt-in/out, how consistent our choices are, and what effect they have on the entirety of our organisation.

The option of an inconsistent approach has gone, and so has the loose sentiment towards privacy. This means that the delegated authorities for what appear to be simple choices of opt-in/opt-out need to be revoked and dragged back to the board for a period. During this time we can create the consistency we need towards #privacy, if it is to be a differentiator.