Get started Bring yourself up to speed with our introductory content.

We need a totally new approach to consent and privacy for the IoT era

Historically, businesses have been able to treat user consent purely as a risk management exercise, something they have to do simply for privacy compliance. However, the rise of the internet of things combined with a fast-changing regulatory environment means this mindset needs to change — and soon.

A fast-changing landscape

The move to a genuine “internet of things” is undoubtedly going to be the next major phase of digital transformation, one that will lead to a wave of new business models, services and behaviors. However, IoT brings one change that is not often discussed: the fundamental reshaping of our interaction and consent options.

The classic web and mobile models of gathering permission will simply not be practical for the IoT era. A huge range of IoT devices and services will be accessed and operated without the use of a conventional interface, raising major questions regarding how we can properly manage user consent and data privacy.

Regulations like the EU’s General Data Protection Regulation (GDPR) make consent an increasingly important value, one that goes far beyond basic “data protection.” The GDPR, which will impact any business that operates in the European Union or who sells to EU citizens, requires organizations gathering consent from individuals to make consent as easy to withdraw as it was to give. In practical terms, this means it had better be a convenient and pleasant experience.

More broadly, businesses need to change the way they think about consent in order to build — and maintain — trusted relationships with customers. The increasing digital transformation of business puts pressure on personal data to flow farther and faster. However, consumers are increasingly sensitive and savvy about their personal data — and will not be slow to take action if they feel they are being taken advantage of.

So, what’s the solution? We must imagine a positive new approach to privacy and consent, one that takes a holistic view of the individual-business relationship based on a balanced view of risk management and business aims. Often “user consent” is optional according to the letter of the law. To succeed in building trusted digital relationships, we must be bold about taking that option — lean in to consent! We cannot be trustworthy if we don’t act trustworthy. Luckily, with new “consent tech” that puts the user back in control, it’s possible to live up to this vision.

Rethinking consent

As an industry, we need to recognize a more comprehensive paradigm for consent and permissions that can guide the evolution of our digital consent strategies. Personal data should be thought of as a joint asset, something that is valued by both users and service providers. Users do want to take advantage of the features and benefits of smart devices. However, they also want control over their own data — and control sometimes means sharing for personal benefit.

Imagine all the ways in which an Airbnb host wants to be in charge of selective sharing, not just of smart-home device data, but also device functions. If you are renting out your spare room or apartment for a series of short-term tenants, you will probably want to share limited access to certain devices or services with your renters for the duration of their stay, and then revoke that access when they have left. And with smart beds and connected cars part of today’s landscape, both device owners and renters have an incentive to ensure that data is associated with the correct “body” and shared only with correct parties. As the sharing economy becomes increasingly mainstream, companies should be building this kind of relationship-focused identity and permissioning control into all of their services.

In a professional context, where connected assets such as a police car or body camera might be used by different officers throughout the day, this is even more important. For instance, it might be necessary to check the data from these assets to investigate specific events. Doing this accurately requires the ability to associate the right car or camera with the right officer at any given time. The ability to associate and disassociate human and device identities seamlessly is critical to making this work effectively.

Among privacy advocates in the healthcare sector there’s a saying: “No data about me, without me.” This should become the core principle for IoT players as well. An identity-centric approach to security and privacy is key to making this possible. You have to be able to look at the relationships between people, devices and services and make adjustments accordingly.

As founder and chair of the working group for the User-Managed Access (UMA) standard at the Kantara Initiative, I have been working to innovate a way to give individuals a unified point for controlling who and what can get access to their cloud, mobile and IoT services. The essence of the UMA approach is that organizations need to be focused on delivering convenient control for users.

Trust is essential for businesses and users reaping the advantages of IoT and in fact all facets of digital transformation. The businesses that can prove their trustworthiness will reap the benefits in the form of better customer relationships and greater insight into user need.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.