Thoughts on Voluntariness

Voluntariness, the requirement that consent be “freely given”, is probably the hardest issue in consent, at least from a conceptual point of view. In this post, I’m going to try to summarise the key points of the debate, as I see them. At its heart, though, it’s an issue that fairly quickly expands to encompass issues like social power, moral philosophy, and theory of mind. In practice we need to find a reasonable way through. This isn’t an empirical question; it’s a question of values – basically, it’s politics.

Defining “will”

I struggled with where to put this section, so I’m putting it here; think of it as useful background.

Research in consent is hard because it represents the point at which people’s beliefs, attitudes and values crystallise into a behaviour: accept, or decline; use or walk away. The problem is basically that, for well-documented and reasonably well understood reasons of bounded rationality, there is often a far from perfect link between attitudes, beliefs and behaviour. There is huge scope in human decision making for behaviour in the moment to ignore even deeply held convictions and our own sense of longer-term wellbeing.

The observed disconnection between attitudes, beliefs and actual behaviour is usually referred to as the privacy paradox. In many ways, the privacy paradox would be better referred to as the consent paradox, as it only applies in scenarios where processing is contingent on the data subject’s decision. There are two basic interpretations of the observed incongruence between behaviour and attitudes – that the mechanisms for eliciting our attitudes are somehow misleading us into behaviour that we don’t really mean, or that the means of eliciting our attitudes are somehow getting us to say things that we don’t really mean. My personal feeling is that both are probably true to some degree (which is also to say that both are also wrong to some degree).

In any case, I contend that the goal of consent design should be to make attitude and behaviour consistent with one another, because then the nasty problem of which one is ‘truer’ conveniently goes away. The goal is not strictly to avoid data subjects feeling like they’ve made the ‘wrong’ decision, but that they feel like they made a ‘good’ decision in the circumstances.

Voluntariness on a Spectrum

For the sake of expediency, we have something of a spectrum when it comes to views on voluntariness. At one end is the “any inducement undermines voluntariness” position, in which any kind of reward or payoff from giving consent renders it involuntary. (I think the recent ICO draft might come a little bit too close to this end of the scale.) At the other end is the position that any non-compulsory action must be voluntary (compulsion probably defined legally, or with respect to some other actor that has significant power over the individual). This latter argument is, essentially, that the “null action” of walking away always exists.

There are problems at both ends of this spectrum that make adoption of either extreme undesirable. Let’s consider them in turn.

“Any reward from giving consent renders it involuntary”

The obvious problem here is that classical economics predicts people won’t accept a cost without a benefit that’s more valuable to them. Why would anybody consent to something if they get nothing in return? Even accepting that classical economics is flawed, it strikes me as ethically problematic to ask people to consent to something that delivers no benefit. There is undoubtedly risk to a data subject in giving consent to any data collection or processing, and arguably any consent given in return for nothing would be based on the subject not understanding that.

“Any non-compulsory action must be voluntary”

I don’t have much sympathy for this end of the spectrum, either. Opportunity cost – the value that you miss out on from not taking an action – is an important economic principle and probably the main argument against this position. If everyone else obtains £100 of annual value from giving consent, then you’re comparatively worse off by £100. Not using Facebook, for instance, would entail a large social cost to many users.

The upshot of a spectrum with two undesirable ends is probably that we need to be looking at the middle of it. As a rule of thumb, we might define voluntariness as requiring that any cost from not consenting is relatively small (easily borne by the subject).

Complications

As an inconvenient counterpoint to what I just said, I’d like to introduce a thought experiment.

In December 2014, a surgeon screwed my elbow back together following a fairly nasty compound fracture resulting from exercise. This procedure was done with my consent, but in a scenario where my options were contextually limited. The risk of undergoing olecranon surgery is that the ulnar nerve, which controls the hand, might be damaged. I retained the option of just going home, but that would involve a huge opportunity cost of still having a very badly fractured olecranon.

How does this example work with the rule of thumb framed above? The cost of not consenting was huge: potentially losing significant use of my left arm. Nonetheless, I would not contend that the surgery I underwent was involuntary.

I had, of course, already incurred the direct cost of not consenting a couple of days before. This example is purely about the opportunity cost of not consenting. A surgeon was not threatening to break my elbow if I didn’t consent to something else.

We might also consider that the surgeon themselves had nothing to gain from performing the surgery; that it is ethically relevant what the motives of the other party are. Except that that isn’t really true; the (NHS) surgeon only has a job because people consent to having operations, and in other health systems the value exchange is even clearer – you (or your insurance) pay the surgeon directly.

Using the notion of economic cost doesn’t seem to work in all circumstances, then; nor does questioning the motives of the other party. Neither asking for consent, nor giving it, is entirely selfless. We could reframe the previous statement, and say that consent is the basis for finding a value exchange that is agreeable, and beneficial to both parties.

In Practice

In practice, determining whether a consent signal passes the test set out above will be incredibly difficult. Not least because it’s hard to quantify the value obtained by each party, especially if they don’t even know it themselves, and particularly since external factors – or inherent risk – can result in an expected payoff never actually emerging. Few would contend that entering the national lottery is involuntary, even though the average payoff is less than the cost of entering and the potential payoff is – for the overwhelming majority – never realised.

A more tractable alternative would be to consider voluntariness through the eyes of people who are giving consent; if they feel the exchange is fair, and were happy to provide consent, we might conclude that it’s voluntary. This takes the complex context into account naturally, without inviting endless speculation and “what if…” scenarios. It’s also a dimension that we’re experimenting with in our consent metric (“consentfulness”) research.

Equally practically, we need consent to work in – broadly – the way that classical economics says it should. In essence, consent should be a mechanism that supports consumer choice and a functioning market in personal data driven services. It’s the only real means of data subjects directly exerting pressure on data processing practices. There are two ways that consent can fail – both, ultimately, disempower citizens and leave us in a consent-less scenario.

First, consent can fail in the way it traditionally has failed – where it becomes weakened to the point that it’s essentially meaningless, and doesn’t actually signify understanding or choice on the part of the data subject.

But consent could also fail because it becomes too hard to obtain. If the practical implications of gaining consent become too onerous, if the legal risk becomes too high, then the hard reality is that organisations will have to find ways to weaken it, or gradually expand their other legal bases to avoid ever having to rely on consent. Consent is the only legal basis that necessarily gives explicit consideration to the wishes of the data subject. It is valuable as a mechanism for consumer preference, and it is valuable in and of itself as a means to enact our personal agency. We must avoid a situation where reasonable-but-imperfect consent is discarded in pursuit of perfect-but-ultimately unobtainable consent.

Pareto may be applicable here; for the time being I think we have to be prepared to settle for 80% of consent, for 20% of the cost, in order to make it practically deployable.

Conclusions

Ultimately, whether consent is voluntary or not is – like all things in consent – hugely contextual. An interaction that is voluntary to one person may be involuntary to another. At scale, an interaction that provides voluntary consent in one setting or with one demographic may not deliver voluntary consent in another setting or with a different demographic. The consentfulness of an interaction – whether defined in terms of understanding, or voluntariness, or both – is never just a function of the consent mechanism, or the service being offered, or the organisation itself, but of the complex contextual interaction between the consentee and the person requesting their consent.

The challenge here is, realistically, not to get it right in every case, but to put in place interactions, procedures and practices that get it right as often as possible. As ever, this is not just a case of complying with the law, but of building trustworthy relationships with the people whose data is being held and processed. I’ve come up with a few likely implications of the consent rules, and the complexities that they entail regarding voluntariness:

1. Monopoly providers probably need to act differently to start-ups

The opportunity cost associated with being excluded from a monopoly (or de facto monopoly) service is likely to be very different to that of being unwilling to consent to a smaller service that none of your friends use. Supporting, through a basic service, those users who don’t consent will become a cost of success. “We have to make some processing voluntary because we’re a de facto monopoly provider” is kind of a nice problem to have.

2. Trying to understand necessity is probably a poor strategy

I have a feeling that the concept of necessity is too nebulous, and that it’s too hard to constrain what “necessary” really means. Economic necessity is no less real to most organisations than technical necessity. Equally, defining whether a particular processing activity is a cost or a benefit to the end user is fraught with difficulty; some users do like the idea of targeted advertising, receiving coupons, and hearing about new features via their email inbox. One person’s unwanted side-effect is another’s reason for saying yes in the first place. Moving towards an understanding of consent that’s based on managing surprise, and empirically evaluating how well people’s expectations match up with reality is probably a more tractable approach.

3. Voluntariness will often be in the eye of the consentee

This sort of follows from the above. In the absence of being able to measure and constrain the relative payoff (or costs) to the parties involved in consent we should defer to something more empirical. We’re experimenting with a voluntariness dimension in our work on consent metrics; asking people simply if they felt they were “happy” to give consent feels like a tractable way to identify scenarios where consent isn’t being given voluntarily for some reason.

4. Consent is not a solution to all social ills

It’s probably not practical to try and render other social issues like inequality irrelevant by the way that we define consent. A choice between paying for a service or seeing targeted adverts is, to my mind, a positive step forwards that delivers choice, despite the fact that a sizable minority in our communities can’t afford such expense. I don’t think consent is a good vehicle for addressing systemic economic inequality; there are better policy areas for tackling that problem, and scoping it to do so feels like the path to unworkable consent requirements in return for no actual impact on the underlying inequality. (Which is, absolutely, a problem that needs to be tackled.)

5. Sometimes data subjects will be in hard positions

Like someone with a broken arm, sometimes data subjects need a service that is being provided. The test for voluntariness will be whether they’re happy with the agreed exchange, or whether they feel like they’ve been exploited as a result of the position. It’s also ethically important to consider whether the person asking for consent had a role in putting them in that situation – a surgeon who breaks someone’s arm cannot be said to have sought voluntary consent upon offering surgery to correct it.

ICO fines 11 charities for abusing donors’ personal data

The ICO today announced that 11 charities are being fined for abusing their donors’ personal data over a number of years, among them some high-profile names such as Great Ormond Street and Oxfam.

ICO have a good overview of who they fined, and why, but I wanted to touch on the bigger picture briefly. Fining charities has some fairly obvious ethical implications; these aren’t organisations that are out to make a profit, they’re there for a social good, and the money that will pay these fines was donated by people who expected their money to fund these charities’ work.

On the other hand, the people who gave up their personal data along with their money have a set of fairly common sense rights enshrined in law, which derive from our Article 8 right to respect for private and family life. On balance, the argument that charities should be immune to financial penalties seems to be an argument that the ends justify the means, and so I can’t say that I find it all that persuasive – as much as I admire the work that these organisations do.

Longer term, the ongoing damage to these charities is likely to be reputational rather than financial. Many donors will, rightly in my opinion, feel aggrieved that their support was rewarded with secretive (and ultimately illegal) background checks and cross-referencing. As always, complying with data protection isn’t just about the law, it’s about the trust between individuals and the organisations that they engage with. Working within the guidelines set by data protection law doesn’t just avoid financial penalties, it’s a fantastic step towards building sustainable long-term trustworthy relationships.

On balance, we should probably be welcoming today’s action. Partly for protecting the rights of donors, but mostly because in the long term these trust-breaking practices will make it harder for any charity to build positive relationships with their supporters.

At the University of Southampton’s Meaningful Consent Project, we’re trying to understand trusted, consentful relationships – and helping to design the tools and infrastructure that will help build them. For a real-life example of consent management infrastructure, check out consentua.com.