You haven't heard much from us over the summer, but not because we've been vacationing. We've been working on a whitepaper most of the summer called the ARPU of Identity. The whitepaper, published this week by the Open Identity Exchange (OIX), was written with the telecom community in mind, especially those who want to consider the pros and cons of participating in various identity management initiatives. The full white paper is available on OIX's website here.

ARPU, the Average Revenue Per User, is the four-letter-word the telcos use to quantity revenue in their business. The paper encourages them to consider the potential impact that identity projects can have on their ARPU. Over the next few weeks we will be including excerpts from the whitepaper here that we think are particularly important for the broader identity and data communities. Some of what we say might be controversial, but we welcome your feedback.

This week I would like to echo the comments of Don Thibeau, the Executive Director of OIX about consumer consent and why it's time to rethink the notice and consent laws that have been, remarkably, unchanged for the last 35 years. We know regulatory changes are almost always on the trailing edge. (The original telecommunications regulatory act became law in 1934 and wasn’t materially modified until 62 years later in 1996.) But we think it's time to do something about the antiquated state of notice and consent laws. (

When they were established in 1980 by the OECD they were designed to protect the privacy of consumer information that primarily moved via paper a couple times a year in the form of a contract or release. Needless to say things have changed. Consumers are now presented daily with consent requests totaling thousands of words that they are supposed to read, understand and respond to in order to obtain online services. And these requests don't just happen a couple time a year; they can happen hourly for a consumer who is active online.

But lest my friends in the privacy community think I've gone over to the dark side, let me clarify that I'm not saying we should remove all data control restrictions and let the business world regulate themselves. This is the very thing the OECD guidelines were setup to prevent and we still think that purpose is good and necessary. We're not criticizing the goal of OECD's privacy guidelines; we are criticizing their current ineffectiveness. They no longer protect consumers because, as we all know, very few consumers actually read the T&C or privacy statements before they click "I accept" and get on with their lives. I'm guilty of this myself probably several times a week. It is our contention that OECD's guidelines (and the various governmental regulatory constructs that were constructed on OECD principles) are no longer a cure, but a contributing factor to the illness.

We believe the time has come to change the nature of data protection and consumer consent in an on-line society where virtual transactions far outnumber in-person transactions and where thousands of data points are collected for millions of individuals by hundreds of entities.

We are actively looking for ways to facilitate this change and welcome your suggestions. We hope this whitepaper might be a catalyst for such a change.