A man typing on a laptop with a white check mark superimposed

The Benefits of Dynamic User Consent

Colocating consent and data with Solid and ESS
Geoff Pirie, Director of Product
April 4, 2024

The concept of user consent has long been confined to a static, one-time interaction — a mere checkbox clicked and forgotten amidst the whirlwind of digital activity. This antiquated approach fails to address the evolving nature of data usage and user preferences, leaving individuals vulnerable and disempowered in the realm of data privacy. It is time to transcend this outdated paradigm and embrace a more progressive framework. 

Enter Solid technology, a web-standards-based protocol invented by Sir Tim Berners-Lee that flips the traditional model of storing data in application silos. Solid offers a user-centric data store called a Pod, through which organizations can interact with user data via dynamic user consent that seamlessly integrates with applications and transcends siloed boundaries. Pods provide a fine-grained level of control over the data that’s stored within them and, crucially, provide a consistent and convenient mechanism for an organization to dynamically manage and operationalize consent for discrete data items.

About the ESS v2.2 Release

Enterprise Solid Server v2.2 (ESS) brings a range of new features and enhancements including significant improvements to the compliance, audit, and traceability capabilities that complement existing features for operationalizing consent management. The relationship between a business, its customers, and the data it holds about them is increasingly scrutinized and regulated. As data is propagated through systems and services it is imperative that an organization can remain compliant with data regulations.

It’s for this reason that ESS v2.2 introduces a new feature to enable client applications to supply metadata that flows with every request into and out of ESS. The client-supplied metadata is propagated into the logs and audit events that ESS generates, making simple the correlation between an application’s action and the data it’s interacting with in the Pod. 

By using this feature, it's easy for application developers to express the start and end of a “business action” — a business action being something that has meaning within the organization — in a way that allows an operator or compliance officer to trace the business action through all systems and services that the application interacts with, including ESS.

Colocating data and consent

Solid Pods create a new kind of dynamic channel to customers. Using Pods, organizations have a foundation in their data infrastructure that allows for two-way communication to form. Customers can give their consent for an organization to use their data, and by enabling customers to see how their data is used — beyond the moment of consent, and throughout the lifecycle of the data — organizations can foster greater trust with their customers. 

Longer term, organizations who foster greater trust will be better placed to gather accurate and effective first-party data. Rather than having to collect or generate data surreptitiously, or buy data from third parties, an organization can foster a dynamic, authentic relationship with their customer and their customer can supply and validate data about themselves directly.

The Pod model enables consent to run dynamically alongside applications — two applications can each have separate consents to process data in a Pod, and a user can be given visibility and control over both. This dynamism allows organizations to offer the kind of robust consent envisioned by the GDPR, without the complications associated with traditional data infrastructures that make such implementations challenging. 

Why is colocation of consent and data needed?

The World Economic Forum (WEF) observes that trust in data sharing ecosystems is broken. Perhaps the single largest shift in consumer sentiment was triggered by the Cambridge Analytica scandal, where Facebook data was harvested without users’ consent. Beyond this incident, there are numerous reasons consumer sentiment is changing: the increasing number of data breaches exposed through the media, unethical practices for gathering data, hiding the specifics of data uses in detailed policy documents, and various other mechanisms that undermine the trusted relationships that organizations have with their customers. 

While these practices are not true of every organization, a Visa study cited by the WEF found that more than 90% of individuals in major markets were “somewhat concerned” about data privacy and the data they share online.  

When consumers lose trust in organizations, they modify their behavior:The International Association of Privacy Professionals reports that 85% of respondents they surveyed have deleted a mobile app due to concerns about privacy. 82% of those same respondents have opted out of sharing their personal data, and 67% have decided not to make an online purchase. If consumers don’t trust organizations with their data, they will walk away from those organizations. 

How Can Organizations Rebuild Trust?

Fundamentally, the answer is to improve customer experience. Organizations must focus on developing a new relationship between customers and their data, focused on:

  • Traceability with transparency of data usage for organizations and individuals alike
  • Being transparent and engaging the customer directly when data processing requires consent 

In order to do this, organizations need new technologies that support this goal. 

Traditional data infrastructures weren’t built with consent in mind. Typically, consent has become an added-on silo that needs to be integrated with every existing process. In the traditional model, consent is often captured once early in the customer journey and rarely revisited by customers. 

ESS shifts the role of managing consent away from being a simple moment-in-time capture. Instead, consent becomes a dynamic relationship between a customer and an organization. ESS achieves this by incorporating consent into the access control model of a Pod, colocated with the data, in addition to familiar permission-based mechanisms.

Applications and services that need to gain consent to process data can easily do so by issuing an Access Request. If a customer approves, providing their consent, their approval triggers the creation of an Access Grant. An Access Grant is like a key that allows the requesting app to access the data it needs. All of these actions, from the initial request to the subsequent data interactions the app makes, and including the customer's own action of approving the request, are traceable in a way that can drive increased traceability and transparency for the customer. 

Traceability and transparency of data usage will become increasingly important as more services incorporate AI processing. Understandably, there is concern about how personal data will be used by AI: The International Association of Privacy Professionals reports that 57% of global consumers agree the use of artificial intelligence in the collection and processing of personal data poses a significant threat to user privacy. By issuing Access Requests that clearly explain the nature of the processing and how AI will be used, an organization can be more transparent with its customers about how it’s using data about them. 

When a customer approves a request, the Access Grant that is generated captures customer consent. As data is processed by various connected systems, ESS generates audit events, giving an organization a clear view of when data is being used and for what purpose. Moreover, it can respond to dynamic changes in consent, triggered when a customer revokes an Access Grant. These dynamic changes are captured in the audit trail by ESS, allowing compliance teams to monitor data processing practices, and serve as a clear record should a customer query how and when their data is being used.

Critically, for an organization to be able to operationalize consent, it’s imperative (and legally required) that consent can be easily withdrawn by the individual. By co-locating the consent with the data — by making it part of the access control mechanism — the withdrawal of consent can take immediate effect without having to propagate the change across many discrete silos. Organizations can move to a model where consent has a life cycle that is directly connected to the data, effectively allowing consent to flow with the data.

Standards and Governance 

ESS provides the necessary capabilities for consent. By making use of Solid’s fine-grained access control and combining it with elements of the Data Privacy Vocabulary — a W3C specification — as well as ESS’s Access Request and Access Grant feature, it’s possible to capture dynamic consent and colocate it with the data.

Inrupt’s role as a member of the Solid W3C Community Group (evolving to a working group at time of writing)  is to bring these technical advances, proven in real-world deployments such as the Government of Flanders, and incorporate them into the open Solid specification. In turn, these efforts will further the development of capabilities and ensure that the foundations are interoperable between vendors.

The need for standards for consent are clearly described in an earlier blog post we published. In this post we explain how consent is often captured once, but then “disappears and dies forever." ESS enables organizations to adopt a dynamic approach to managing consent, where the customer is engaged and aware of how their data is used. With this approach, an organization is inviting the customer to participate and take an interest in their data. Engaged customers are more likely to consent to high quality data — data they have validated themselves — because they understand that it will positively impact the service they receive.

How Does This Benefit Organizations? 

The future success of organizations will increasingly depend on their ability to develop and maintain trust in their use of personal data. Without trust, an organization will struggle to convince customers to use their products and services and share their data. Increasingly, as the provision of services to customers becomes dependent on the ability to process their data, an organization that doesn’t foster trust will lose out.

The foundation of trust begins with increased traceability and transparency of data usage within an organization. It must extend to visibility for customers and include real options for customers to opt in and opt out of how their data is used. The International Association of Privacy Professionals survey shows that 62% of respondents want more control over their personal data. 59% want companies to allow them to opt-in and opt-out of data collection, and 57% want more granular control over their privacy settings. We should expect these numbers to rise as personal data is increasingly used for new purposes like AI.

Organizations that adopt ESS can bring its user-centric model to bear as an infrastructure for building better, trusted relationships with customers. Its features and capabilities allow an organization to truly operationalize consent when it’s appropriate to do so, and all data interactions benefit from the increased traceability and transparency ESS provides. The colocation of data with consent within ESS allows an organization to build better, more dynamic, and more responsive services, where customers have a voice. It’s better for customers and it’s better for organizations. 

Moving Towards Trusted Customer Relationships 

Building better customer relationships that create long term value, for both the organization and the customer themselves, demands trust between both parties. Organizations can only deliver quality services when the data they are using can be trusted and is of high quality. Engaging customers with better data practices and dynamic consent management, connected to a system that provides traceability and transparency, can engender trust and create better data.

Using Inrupt’s Enterprise Solid Server, an organization can lay the foundation for trusted relationships. It can offer a customer experience that values user engagement, capturing customer consent for data processing and ensuring that consent is present throughout the lifecycle of data usage. Better use of consented data delivers better customer service and increased lifetime value.

With Solid's innovative data architecture, consent becomes not just a fleeting moment, but a persistent companion, fostering transparency, accountability, and user agency in the digital sphere. It's clear: The time for change is now, and Solid paves the way for a more ethical and sustainable future of data governance.

To learn about how Inrupt’s Enterprise Solid Server helps organizations drive better customer relationships, get in touch today.

View All Posts

Stay connected

Stay up-to-date with Inrupt and Solid. Receive notifications on the latest features, releases, and new products.

Your subscription could not be saved. Please try again.
You have successfully signed up for the Inrupt Newsletter!