Consent on The Blockchain

When the European Union passed the General Data Protection Regulation (GDPR), it marked a pivotal point in the fight to protect user privacy. Following the Cambridge Analytica scandal, the State of California passed the California Consumer Privacy Act (CCPA).

The GDPR requires:

1) “The right to be forgotten”: if a user requests that their data be erased, the service provider must comply.

2) Terms of Service must be readable.

3) Service providers must record user consent.

The new consent requirements may seem insignificant, but they present new challenges for the services that collect and use this data. In many cases, companies will be forced to restructure their databases to store this new consent information. Alternatively, companies can leverage an external solution, but that presents new ownership, risk, and cost challenges.

What if we implemented a smart contract to serve as the user’s specific consent? A smart contract is executable logic held in a blockchain. When a user creates an account with a new online service, the consent given can be recorded in a smart contract specific to that user, creating an immutable record of consent. If the user wishes to alter their consent, or the service must make the user re-consent to new terms of service, that update will be reflected; the previous version will still be there, but it will no longer be valid.

Blockchain adds transparency to the process. The user has visibility and control of their consent. This can be altered at any time, as their preference may change. If the consent is held in an internal database, the trust would be in the service provider’s hands, without any record or control for the user. The importance of this step is to create accountability for the service provider, putting the user’s consent outside of their own service and somewhere a regulator can easily view.

If we use a smart contract to delegate consent, each time the user’s data is accessed we can record this action. Smart contracts can also control how and to what degree the service interacts with a user’s data, providing a clear, transparent view of how the service provider is using that data and giving the user complete control.
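
A minimal Python model of the consent state described above, added here as an illustration and not code from the original article or from any blockchain platform: consent versions are appended rather than overwritten, each access is checked against the current version and logged, and a hash chain makes later edits detectable. The class and method names, the scope strings, and the use of a pseudonymous user ID and a terms-of-service hash are assumptions.

```python
import hashlib
import json

class ConsentLedger:
    """Append-only, hash-chained model of the consent state (not on-chain code)."""
    # Assumption: `user` is a pseudonymous ID and `terms` a hash of the ToS text,
    # so no personal data is written into the immutable log.
    def __init__(self):
        self.entries = []  # only ever appended to

    @staticmethod
    def _digest(rec):
        payload = {k: v for k, v in rec.items() if k != "hash"}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def _append(self, kind, user, body):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        rec = {"seq": len(self.entries), "kind": kind, "user": user, "body": body, "prev": prev}
        rec["hash"] = self._digest(rec)
        self.entries.append(rec)
        return rec

    def set_consent(self, user, terms, scopes):
        """Add a new consent version; earlier versions remain but are superseded."""
        return self._append("consent", user, {"terms": terms, "scopes": sorted(scopes)})

    def history(self, user):
        return [r for r in self.entries if r["kind"] == "consent" and r["user"] == user]

    def current_consent(self, user):
        versions = self.history(user)
        return versions[-1] if versions else None

    def access(self, user, service, scope):
        """Check a data access against the current consent and log the attempt."""
        cur = self.current_consent(user)
        allowed = cur is not None and scope in cur["body"]["scopes"]
        self._append("access", user, {"service": service, "scope": scope, "allowed": allowed,
                                      "consent_seq": cur["seq"] if cur else None})
        return allowed

    def verify(self):
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = "0" * 64
        for rec in self.entries:
            if rec["prev"] != prev or rec["hash"] != self._digest(rec):
                return False
            prev = rec["hash"]
        return True
```

Denied attempts are logged as well as permitted ones, so a regulator reading the log sees what the service tried to do, not only what it was allowed to do.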

