From a Business Centric Consent Management Paradigm to a User Centric One

My name, Isabella DEIS. I'm the founder of a tech company, which has a product and a name that it's the same Ernie app. And this is a quite unique software solution that sits very much back into one of the biggest challenges the industry is facing today. That it's how to win the user consent, how to make it persistent. And what is the future for the digital identities management, when it's related to the level and quality of consent that can be associated to the data that are associated with the profile of the user?

So my contribution to this conference today is essentially to bring you a very novel perspective. That is the one of user centric consent management, as opposed to what we've been seeing for years, being a business consent management framework and the whole world with being, knowing around cookies and trackers and IDs. What's next, what's really next. We think we have a response to that, and we'd like to contextualize a little bit. So I'm giving now you thank you to show the next slide, a brief Eyelight of the agenda. What I will be going through as illustration of this particular subject.

First of all, I would like to share with you that this is a very crowded space. Consent is a such fundamental piece of the digital story, that there are a lot of companies looking to what potential solutions we can bring to the market, whether these are B2B or B2B to C C2 B at their web or their mobile. We'll talk a little bit about how much this crowd is actually intense around the world, but also why it is not really taking us in a lot of good places. Another very important part of the presentation is going to be on the, what we call the data gap.

Data are much and much more needed than they even wear before, before everybody knew about the digital advertisement use case. And it seemed that all the data were about that particular world, but with AI, things is changing and with the digital transformation phase, we're going to face, there's a lot more need for data than there has been in the last 20 years. The user express consent rule it's been designed in Europe. It's a very peculiar, important asset to factor in when we talk about strategies for companies. So I'll expand a little bit on the, what the boundaries of that laws implies.

And then we go into really what it is the belief we have that is this notion of user-centric consent management system, the actual product we designed out of the notion of user consent management system and the, what we believe being the positive effect on the landscape, on the stakeholders ecosystem, where the, the landscape we are addressing it's very, is really very, very broad. And I'll expand a little bit on what it is the current stage of acceptance of this new notion.

And of course, what is the resistances that goes with this new notion of giving a lot more power and a lot more importance to the users that it used to be its passive engagement on the, on the acceptance of the right level of consent next please.

So this is quite an old, an old slide, but it was so beautiful that I decided to use it in today's conference because it really shows massive effort and innovation that has come out of this important waiver regulation that was GDPR in Europe, back in 2016 when it was designed and 2018, when it entered into force at that time, really the cookie tracking thing was a little bit less obvious and evident than it is today that it's really not working anymore. And so people were more focused on the personal data than the other data.

The world we're seeing today is a lot of the companies that you'll see represented in this slide have, have disappeared. They tried something and it didn't work. And others that you see there have tried something and they have really grown big and the lesson to take out of this slide, it's that privacy consent and automation of consent and privacy requirements has become an important area of investment, not just for VCs and startup. It has really become also very important for large companies, but again, they're pretty much going all into the same direction.

Let's try to find the way that overcomes user resistance. Let's find a work around to the user fatigue in giving consent. Let's find ways for making it faster for us to get the consent and keep it in our databases and back hands, because this is where we need to monetize the data we've collected. And this is a little bit the limitation that we see next slide please.

And why we see a limitation, first of all, because the amount of data that are going to be needed for monetization purposes, whether it is for scientific research, whether it is for the public administration, revamping of the, how it provides public services, or it is purely commercial, private purposes reasons. The reality is that the amount of data needed is it's growing exponentially, but the level and quality of consent that is required to collect store process and analyze those data, it's becoming a lot more standardized than it used to be. In the past.

You remember the times we had the differences between the cookie banners and the login and the interfaces when a user is getting into a signup process, rather than a non signup process, there were differences. Those differences comes from the very different, different ways of, of handling data in a web or no on a mobile software environment. But the use case were not that different. We still needed a lot of IDs.

We, we still needed a way to track back the user. If we want to retarget the user, if we want to find the user, if we want to profile the user, we have a way to put things in order. And if we don't have an ability to do that, our, our life cycle as companies that are in tech it's, it's, it's really impacted, negatively impacted.

So we, we took pictures of actually this mega trend data being more and more needed. And 95% of data user people generated the remaining part that we can, socalled define, non-user generated and, and more belonging to the IOT environment. It's still produced by people because the IOT devices sits back and resides back on, on user experience.

Somehow, whether it's a meter or it's a connected car, we can't say that there is no correlation back to a person. So the whole domain of first party, second party, third party data without the right level of consent going forward while AI is impacted the whole connected world of the connected cities it's impacted and the data flows, the data exchange. If they're not a companionate with the right level of consent, that they're not going to be transacted between businesses.

What I mean is that businesses can still survive with the first party data, but their ability to correlate the first with a second and second with a third and the first with a third party data is going to diminish and less. They can secure a proper system to exchange data with the appropriate level of consent to be verifiable. Next slide please.

So the amplitude of the challenge, it's big, it's big because also the market has consolidated the so-called data brokers who operated in the market for many, many years and very successfully are now facing quite a hurdle because they broker third party datas and third party datas can entail a very high risk of not being consented. The gatekeepers, the so-called gatekeepers, the old fashioned name was OTTs over the top have become a lot more entrenched and a lot bigger.

And they are very good in capturing user retention and with user retention, user first party consent, and for privacy reasons, they are also finding very easy to justify that they're not passing more personal data to other partners because of privacy regulation. So users find themselves using 1, 2, 6, 10 apps the same every day, they're going to consent on first party basis to those applications. And those applications are going to operate those data under a wallet garden scheme, which makes it very difficult for the outsiders to have access to those data.

So we diagnose this a little bit like a need for a redesign of the relationship between user and the companies is not just the business between companies and companies or companies and users. It's also pretty much between users and all the parties that somehow at some point can take data from them and use it to develop new products, new services, applications, things that are useful for people.

But again, there is a gap between the amount of data needed. The quality of consent needed to process those data and the generation of those data coming always from the same people, but the same people, not knowing that they're so important to the equation. Next slide, please. A quick reminder of what GDPR says about consent express consent in how it has to be easy to make and revocable.

This is a quite challenging thing for companies to live with because everyone likes pretty much getting something, but it doesn't like very much when that's something it's taken off and unfortunately, or fortunately privacy has been very clearly defined in Europe. And it's a little bit beyond what a protective behavior of the user is because we talk about privacy a little bit, like with the idea that it's data we want to protect. We want to keep private.

We, we want others not to use because they're our, but the way that GDPR has been designed is a little bit more than that. It has actually crafted a kind of scheme, a very, pretty much dynamic scheme that serve two use cases, protection and sharing. Because if you are bound as a company to offer an interface, to give consent, to let your user consent and revoke when the user consent he's collaborating with you, when the user is revoking that consent, it's not collaborating. So that's, it's called an economic theory. It's dynamic, it's not static.

And because it's dynamic, it can be associated with geographic and time properties to make that user experience going beyond the pure protection. And also what GDPR says is that the user needs to be given tools ways for deleting his data and transferring his data. And I would like to draw your attention that this is again, another element of dynamisms because to delete or transfer. It goes back again to what users has in mind between non-cooperation. I delete cooperation. I transfer somehow with the concept of transferring there's an inherent meaning of reuse of data.

And when you reuse data as a user, you think of other companies wanting to access your data for a reuse. There is a kind of a very, very important element of efficiency that comes along with, because to the extent that user today do not know that they can share and to whom to share and the how to share with very few exception. Most people know a little bit about how to transfer emails from one provider to another, but for other applications is a lot more complicated.

So to the extent that people do not know a that their data, if they're consented are more valuable and B that they can associate properties to be used to be associated with their data transfer with their data reuse, it's a kind of missing part of the equation as how users would need to understand why they have to consent and why that consent should stay persistent in company's databases. But the GDPR has set very clearly very, very clearly that user rights is about protecting or sharing deleting or transferring. Next slide, please. It has gone pretty far GDPR.

It has set that requirement for personal data. And as you know, there is, EPRI now in discussion in Brussels to be revamped reframed.

And you, you could see already, especially Germany has been very much upfront in, in wanting to make very clear that EPRI requirements in term of consent could not be lower compared to GDPR. The French government has had a little bit of a different opinion with that particular strict definition, but we also know that there are some very important judicial cases being discussed in German quotes and in the European quote of justice, which will probably lead Europe to define consent and express eggs onto consent in a very, very unique way. I am a firm believer Europe.

It's going to become the place where the golden standard for consent. It's going to be framed and how then technically it's gonna be implemented, but I don't want to anticipate too much what's gonna happen. And no one knows exactly what the European quote of justice it's going to rule on the WhatsApp famous case that it's been brought by the German up to the European court of justice.

But what I'm saying here is that if the problem is the relationship, is the user not understanding why data are collected in to be used for what purpose and for how long, and by whom of course the cookie banner, it's not a good fit because it doesn't explain anything to user. And we need something a little bit more sophisticated and simple, sophisticated because the users need to understand that the data market it's a competitive market. And if they generate data, there may be maybe multiple companies that would want to access those data.

At the same time, users don't want their life to be complicated. So it has to be very basic, very simple. The scheme must be as simple as the GDPR designed it, which is opt in, opt out, delete and transfer the article six a was extremely sophisticated in 2018 when it was designed. And it is a pretty tricky thing to implement in technical terms.

I'll, I'll show you later. Some, some interfaces that actually have gone into that direction, but the, what it is also worth sharing with you. After our analysis research, we've been doing a lot of work with partners that are retail companies, telecommunication operators, digital pure companies ranging from food delivery companies to logistic companies. Everyone is running after the right consent, the right consent log and that to be persistent. So at the end, it boils down to loyalty and marketing strategies.

So if for 20 years we've not taught users other than clicking a yes without really understanding what they were consenting to. But now the market, the laws, the framework, the competition, and simply the need of disposing of huge amount and quantities of good contextual data to design the new product and services of the future is so important. We have to, we have to, we have a responsibility to instill in the users, the confidence and the trust that when they consent, it is not extort this consent. It is absolutely freely given, and it is given for a purpose for a time, maybe for a geography.

And we can then collide that into a very nice profile of a particular user who remains faithful in the expression of its persistent consent to share by purpose. So we are very, very focused on this evangelization of this notion, please, next slide, and why we call user-centric. I dunno if you can, we're almost outta time. So I dunno how far you are in on your Yeah, yeah, yeah.

Web I can, I can drop up quickly because I've already used some of the, the content of the next slide. So why we call it user-centric because it, it ties back to article six, the GDPR, the opt team, the optout, the delete and the transfer, the way we think is important is because the participation of the market players and the users are participating to the market players is going to be vital for businesses.

And then it unleashes a lot of opportunities because it also ties back with the notion that the European commission is pushing for the data governance act and the ways, and for the businesses and the users and the users and the businesses to reuse data. Next slide.

The, how we did it is a little bit less, maybe interesting to debate. You can download the app, you can see it by yourself. The what is important, it's that it's a very, very big effort to go into the direction of user centricity and give power to the user to allocate efficiently is consent by purpose, time and geography, as opposed to everybody else in the first line, when you saw the big crowded landscape with lots of companies, finding ways to convince people without really explaining anything to people, not even half of the, what they need to know for giving consent. Next slide.

And this is an example of actually what we mean by simplicity. And one click rule and teaching to user the value of data and the value of consent and the, the market demand in term of more data and these, and these data to be consented. We call this service, the privacy knowledge manager. It's an engine. It combines the privacy and the sharing functionalities next slide.

And it allows for business businesses to really change dramatically the way they deal with the compliance issues on privacy, on the consent specific consent management and consent log, update, and maintenance, and including when privacy authorities, they come into the companies and do inspection and audits and et cetera. So my, my call on next slide, please.

My, my call on everyone is to basically face the situation in a very, very honest way with ourselves. We are part of the digital industry and the digital industry needs data. If this data needs to be consented, there's no other ways than finding a proper way to ask the users to participate and probably share roles to the benefit of sharing with in, with, within their daily life. Next slide, please.

And that, that means explaining coaching, incentivizing users with easy interfaces as to what they share when they share for what reason they share and to whom they share it. And also more importantly, explain to users that can share it, that they can share their data with more than one beneficiary at the time.