When One Affects Many: The Case For Collective Consent

Read the full essay on the Mozilla Blog.

Data breaches, micro-targeting, advertising based on our data, nudges and gamification, they are not all bad all the time, but for the most part we, users and citizens, never asked for it and were never asked about it. The mass amounts of data about us, about our cities, about our health and our environment were mostly collected and used without our consent and often without our knowledge. It makes sense that the go-to response to this myriad of problems has been a move towards notice-and-consent, where the individual gets to decide what data they want to have collected about them (at least in theory). The thinking goes: if we just give users more insight into how data about them is used and allow them to sign off on that usage, the world (or at the very least the online world) would be a better place.

But what may work for us in the brick-and-mortar world is failing us online. When data can be stored forever, connected to other data sets and aggregated, it becomes hard for us individually to understand how making data accessible today will impact us tomorrow. What’s clear now is that informed consent as a solution is broken, and the wreckage extends beyond impossible-to-navigate privacy settings and ever-confusing popups asking you to accept cookies. We can fix the interfaces. We can even give users some real choices, but none of that fixes the larger underlying problem: that without real agency, without a way to opt out, without a good sense of how data will be used, individual consent is meaningless. What is more, one person making data available often holds repercussions for society at large. In order to fully encapsulate both the negative and positive externalities of data usage, we need to look beyond the individual.

In this piece I explore the concept of “collective consent:” ways to collectively decide how to govern data about us; to collectively decide who to give access and usage rights and what to collect in the first place. In addition, I argue data protection rights need to be extended to allow for data rights to be managed collectively. Read the full piece here!