The Netflix show Social Dilemma has rekindled the eternal controversy over privacy, tracking, and manipulation by digital companies.
As consumers, many of us outrage at brands for using our private information to target us with personalized communications, ads and targeted offers.
In this post, I’m going to go out on a limb and argue that brands have received consumers’ consent for all those allegedly outrageous actions – explicitly or implicitly.
Let’s see how.
Explicit Consent is when a consumer knowingly takes – or gives permission for – a certain action A. For example, find credit score. This would happen when they use a credit score checking service like Credit Karma (USA) or Credit Mantri (India).
Implicit Consent is when a consumer knowingly takes – or gives permission for – a certain action B, which requires another action A to be completed as a pre-requisite. By giving explicit consent for B, they have given implicit consent for A. For example:
Action B: Apply for a loan.
Action A: Have lender run a credit check.
The lender’s Terms & Conditions will inevitably state that, by taking – or giving their consent for – Action B, loan applicants have automatically given their consent for Action A. An average consumer may not read T&Cs but that’s a topic for another day. See my Quora Answer for background on this example.
Per se, brands have taken consent in both situations.
Borrowers who want a loan in 5 mins should be prepared to face the lender's recovery actions in 5 mins after defaulting. Digital disbursement can't coexist with "analog" recovery actions like 3 reminders via regd post over 90 days etc. etc. https://t.co/UPBz2EMl8J
— Ketharaman Swaminathan (@s_ketharaman) March 4, 2020
Consent is a broad subject. It goes beyond pings and pokes on social networks and enters the picture in many everyday actions by companies. For instance:
- Send goons to your doorstep to collect money you owe them e.g. PayTM, India
- Suggest savings products based on your bank balance e.g. Betterment, USA
- Sign you up for Payments Bank when you top up your Mobile Phone prepaid connection e.g. Airtel, India
- Access your Utility Bill when you use a payment app to pay a Mobile Phone bill e.g. Bharat Bill Pay Service, India
- Show personalized ads in return for free content from friends, favorite brands and news outlets e.g. Facebook, worldwide.
In my opinion, all these companies have received consent for these actions. Just that some of them take explicit consent whereas others take implicit consent.
In the above set of examples,
- PayTM seeks explicit consent for its loan recovery measures in its sign-up form.
Time will tell how many of PayTM Postpaid's T&Cs comply with loan recovery laws. But I appreciate that they’re at least stated upfront – instead of being hidden behind an “I Agree” button. pic.twitter.com/uIPP0Wc3Zh
— Ketharaman Swaminathan (@s_ketharaman) December 13, 2018
- While signing up, Betterment asks its users to enter their banking credentials (via Plaid). Users who have done so have provided consent to the wealth management app to access their bank balance. While the anonymous commenter on the Finextra article titled TD Bank accuses Plaid of duping customers by ripping off its trademarks feels that the consent was obtained “unknowingly”, to me it seems like totally explicit consent.
"That is not an interface for Chase; it is Plaid, effectively training end users (of Betterment) to enter their bank credentials in an app that is not their bank's!" ~ https://t.co/2BnTYLI6HH via @stratechery .
Isn't that the classical definition of phishing? pic.twitter.com/sM4d4bcP5L
— Ketharaman Swaminathan (@s_ketharaman) February 13, 2020
- Airtel was denounced for sneaking in an implicit consent.
Going by this screen, Airtel Payments Bank has obtained the required consent for opening an account. For a digital bank, a check in the box and tap of I AGREE button should be sufficient proof of "informed consent". Nobody's going to explain fineprint face-to-face. pic.twitter.com/OKdbjZkOWs
— GTM360 (@GTM360) April 30, 2019
The disconnect between Explicit Consent and Implicit Consent regularly fuels faux outrage on social networks.
Apart from the type of consent and the manner in which it was taken, there are three more questions related to the topic:
- Is the consent granular or carte blanche
- Will consumers give consent or not?
- Will consumers realize that they have given consent?
According to me, the exact language of the consent-seeking statement is critical in framing the overall narrative around consent. Given below is a handy primer:
Primer for Consent Statement
(Context: Fintech App ACME seeks Banking Data)
(A) I permit ACME to access all data in tables CUST_TRXN, CUST_MORTGAGE, but not in tables CUST_LOAN_TRXN and CUST_CREDITCARD_TRXN
(B) I permit ACME to access all data related to current account and mortgages but not loans and credit cards
(C) I permit ACME to access all data it requires to give me tips to maximize my yield but not to switch banks.
As you can see, the language shifts from technical to feature to benefit.
Years ago, I issued guidance to my retainer clients that people are more likely to give consent if the consent statement is worded around a Benefit rather than as a Feature or in Technical terms. See my post entitled How Brands Can Leverage The Eternal Disconnect Between Want & Like and Finextra blog post entitled Open Banking: Consent is Key for context.
A recent study by ING confirms my prediction. In a recent article reporting on this study, Finextra says:
UK polling firm Ipsos has found strong evidence of a disparity between what people say they want and what they say they are prepared to do. One of the firm’s surveys found 75% of people would like to have access to data on how they spend their money, but only 40% said they were comfortable providing the information that could lead to that. (emphasis mine)
Despite years of planning and hype, EU Open Banking / PSD2 regulations have not stipulated the consent language. That’s a shame. If at all Open Banking takes off in the European Union, I predict that there will be a Fintech version of Social Dilemma in the forseeable future.
On the other hand, California has done a good job in this regard. While it’s still early days, the most populous American state’s new California Consumer Privacy Act (CCPA) is the first data protection regulation I know of that expressly recognizes the role of language in obtaining consent.
Not just that, the state’s regulators have shrewedly forseen the potential for brands to use dodgy language to create deception via Dark Pattern. More at California outlaws wording, webpage buttons designed to hoodwink people into handing over their personal data. Maybe it comes from the proximity of California’s lawmakers to Silicon Valley or whatever but credit where credit’s due.