Consent receipts: the future of personal data sharing?
Tatiana C. Styliari, PhD Candidate from Horizon Digital Economy CDT at the University of Nottingham, talks about how giving more transparency and control to consumers, and designing consent receipts, can shape the future of personal data sharing.
During my internship with Digital Catapult I took on a very interesting project on ‘Researching transparency in personal data sharing practices: the case of a consent receipt’, supervised by Lead Technologist for Personal Data and Trust Michele Nati. The project’s overarching aim was to increase people’s awareness, trust and control over the data that they share with organisations and explore how organisations can give more control over the data individuals share when conducting personal data transactions. We focused on personal data sharing and trust using user experience (UX) design and prototyping methodology.
The motivation of this project was to help citizens understand why we capture their personal data, how it benefits them, and evaluate the idea of a consent receipt. A consent receipt being a receipt that tracks a user’s consent by making a record of it, just like a regular receipt is used to track purchasing of products.
Consent receipts allow:
- users to understand the data their share, where it goes, who has it and why
- users and organisations to keep a proof of consent and enable consistent consent practices
- organisations to simplify terms and conditions.
Following this, we wanted to leverage the consent receipt standard to design and take to market a consumer-centric consent process, ultimately increasing consumers’ trust in organisations. We implemented several research methods, from mapping visitors’ different experiences within the Digital Catapult Centre, to exploratory interviews with visitors to investigate what they value in terms of data capture. This led to our first prototype of a consent receipt.
We then refined this prototype further with visitors’ feedback, and conducted a participatory design workshop with 12 participants. It was vital that those participants were not previous visitors to the Digital Catapult Centre, so we could explore how people outside the Digital Catapult network viewed the consent receipt.
Below is the final prototype of the consent receipt as formed after all of the data-collection phases. To reiterate, this project referred to Digital Catapult, however, it explored how the consent receipt would affect consumers in other circumstances and contexts as well. Therefore, the list presented below might be broadened depending on the data collection each organisation makes.
The ‘content’ section refers to the ‘what’; which kind of data an organisation collects. The ‘storage’ section refers to the ‘where’ and potentially the ‘when’ as well as the ‘how long’ the data is stored. The ‘purpose’ section answers the ‘why’ an organisation asks for your data: what is the main purpose behind their data collection? The ‘sharing’ section refers therefore to whether the organisation shares its customers’ data with others and if so, who should be stated in a list to provide transparency.
This work contributed to the design of a meaningful consent receipt – from assessing its value in creating transparency and trust in different contexts, to understanding consumers’ personal data sharing patterns, and finally by informing future research.
Read the research report
A detailed report about the process we undertook in designing consent receipts is included here researching-the-transparency-of-pd-sharing. It describes the process we followed, key findings and concludes on how the outcomes of each Phase encouraged us to further develop the prototype. The outcome of this project is currently being used and developed further within Digital Catapult, with real visitors to the Digital Catapult Centre, with the creation of Personal Data Receipts (providing transparency to individuals on all of their personal data collected by the organisation). It is anticipated that the adoption of such transparency practices could be a first foundation of the future of personal data sharing.