I was invited to London last week for an OIX/GSMA function to present our recent whitepaper on the ARPU of Identity. While there was definitely interest in the ARPU-I model I received the most comments and had the most post-session conversations about the paper's challenges section on consumer consent. The problem with consumer consent's current status is that consent is analog. It is subjective. Consent needs to be digital and objective. Without this transition, consumer consent can never be interoperable.

Interoperability matters. Currency works because exchange rates are standardized and use of "money" is interoperable.

The internet works because the IP protocol on which it is based is standardized and interoperable by multiple parties. Credit cards work because the banks agree on network transactional standards like those from Visa and MasterCard. If every bank built their own protocol and used their own proprietary transaction structure, credit would not be interoperable and, therefore, what would be the point of it. So when something is interoperable its use can be broadened from one or two parties to many. Hence, interoperability is the 'ante' for scalability.

The parts of consumer consent that must be interoperable are identity (who the consumer is) and permission (what the consumer is allowing). For any transaction to work multiple entities must know they are talking about the same thing. This "same thing" can be the same consumer granting consent, or the same entity to whom consent is being granted, or the same permission to perform the same kind of function like preventing fraud or allowing their information to be used for a particular purpose. But that’s not what we have now. We have proprietary consent; everyone writes their own rules and interprets them subjectively. Unfortunately, as long as everyone writes their own consent verbiage into their own contracts and decides what consent means to them and what their particular definition is of a consumer, or of what a consumer's permission is and means, we will continue to live in this dark age of consent where everyone's definitions are their own.

I hear many privacy experts talking about how badly consent is managed, but it's not going to improve until there is a common, digital language that allows those who collect consent to know what is required and those who require consent to know what has been collected. As I saw in London, it's clear that many are starting to see consent interoperability as the new challenge now that we have at least a semblance of some structure around how authentication and credentialing can be interoperable. Hopefully it won't take us another 10 years to figure this out.