Informed Consent

Katy McKinney-Bock | July 3, 2024

A full version of this report is available:

This report explores the concept of informed consent, looking at formal definitions and applications, and then summarizing resources that question whether and how consent is possible in the context of today’s technologies. What does it mean to give consent, for example, to participate in or utilize a service? How is consent managed, both by institutions and via technologies?

The full report is a preliminary sketch of our understanding around consent and approaches to managing consent; there are many open questions and active areas of developing work around this that I have not covered. The goal is to present some of the background context around informed consent that has a deeper history of practice, and begin to uncover some emerging approaches that rely both on governance and technology itself – to begin to address some of the challenges of the status quo of notice and choice.

For legal and ethical perspective(s) on consent, I summarize and share three resources. Kemp et al. (2023) define an umbrella concept of consent around data sharing as: “an individual has agreed to the use of their personal data.” Turow et al.’s (2023) perspective on consent points to Robert Levine’s definition of consent, which requires two conditions to be present in order to obtain informed consent: understanding and autonomy. From Kim’s (2017, 2019) perspective under contract law, there are three components of consent that must be in place: “an intentional act or manifestation indicating consent”, “knowledge,” “and voluntariness” (Kim 2017: 169, emphasis my own). Legally, there is no “uniform definition” of consent, so all three authors discuss relevant laws, noting the shortcomings or incomplete legal contexts in the US (in particular). A key takeaway from these authors is that there is a patchwork of laws that protects certain types of data, and there are cases where consent is required to share this data – though, not always.

U.S. ethical standards for research with human subjects also includes ‘informed consent’. Part C of the Belmont Report defines informed consent using a set of three standards: information, comprehension, and voluntariness. Informed consent is required when research is being conducted with human subjects if the research is federally funded. This is governed by the Common Rule. The Belmont Report is mentioned or cited as one of the foundational documents about the ethics of research with human subjects and that influenced the Common Rule (Kirsh, 2019; National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, 1979).

The consumer data use perspective, and the practice of obtaining consent for the use of commercial data, is more closely linked with the legal perspective on consent and with privacy law (e.g. HIPAA, FERPA) than on the research perspective on consent, reflecting more the “patchwork” of state and federal laws around specific types of data (educational, medical) vs. a more uniform ethical standard around obtaining consent for participation in research. Turow et al. (2023) explore current practices of consent specifically in the context of corporate/business entities; their study demonstrates that Americans don’t have sufficient knowledge of the commercial use of their data to provide any type of consent.

One of the challenges/research questions in this report was whether there are emerging practices to obtain and manage consent that change the status quo. It is useful to consider two types of approaches that seem to be emergent, which rely on either one or both of: (i) changing which technologies are used to collect and manage data/consent, or (ii) changing the humans’ decision-making power (governance).

“Beyond Consent:” Social License to Operate: One perspective on consent explicitly states that it goes “beyond consent” into another kind of decision-making process that enables data use in a way that provides more agency to the data subjects. Verhulst et al. (2024) state: “At the heart of the Social License framework is the shift from relying solely on individual consent to complementing it with community engagement and consensus building.” (p. 6)

Data Rights Protocol: The Data Rights Protocol [also here] (DRP, see Consumer Reports Digital Innovation Lab, n.d.) is a technical standard which enables digital systems to help consumers leverage their data rights under the California Consumer Privacy Act (CCPA), which is a state law that protects individuals’ personal data (see California Consumer Privacy Act (CCPA), 2018).

Solid Protocol: The Solid specification is a technical specification for storing data locally/with the user, as opposed to storing the data with the service or application itself – for example, your email address would be stored in a Solid pod and shared with the applications you select, rather than storing your email with each application you use (About – Solid, n.d.). The specification allows the user to authorize who views what data. Its goal is to decentralize user data and provide user control over data sharing.

Trust Alliance NZ: The Trust Alliance New Zealand has created two technology projects through a collaborative process with agricultural providers. They have a Farm Wallet that enables decentralized data sharing and digital identity services, so that farmers can manage who they are sharing data with. TANZ is also developing a tool for digital farm planning that allows for groupings, or collections, of data to be created and then shared as desired (Trust Alliance New Zealand, n.d.).

Digital Identity Services Trust Framework: New Zealand’s government is working on a framework for identity services that creates a legal system for digital identities that builds trust. A key concept in their framework, which bridges governance and technology, is that consent is required (Trust Framework for Digital Identity, n.d.).

One fundamental question is whether there exists an end-to-end model of obtaining consent that succeeds in achieving both conditions for informed consent, where a participant has true knowledge and understanding of how their data is being collected and used, as well as actually enabling voluntariness of participation without harm. Given the above resources, it seems to remain an open question.

This work is licensed under CC BY 4.0. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

This work is supported by a subaward from OpenTEAM as an initiative of Wolfe’s Neck Center for Agriculture and the Environment, specifically funded by the U.S. Department of Agriculture under agreement number NR233A750004G032. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the author and do not necessarily reflect the views of any funder. In addition, any reference to specific brands or types of products or services does not constitute or imply an endorsement.

Please send feedback via email to [email protected].

References

About—Solid. (n.d.). Retrieved July 1, 2024, from https://solidproject.org/about

California Consumer Privacy Act (CCPA). (2018, October 15). State of California – Department of Justice – Office of the Attorney General. https://oag.ca.gov/privacy/ccpa

Consumer Reports Digital Innovation Lab. (n.d.). Data-rights-protocol: The technical standard for exchanging data rights requests. Retrieved July 1, 2024, from https://github.com/consumer-reports-innovationlab/data-rights-protocol

Kemp, D., Hawn Nelson, A., & Jenkins, D. (2023). Yes, No, Maybe? Legal & Ethical Considerations for Informed Consent in Data Sharing and Integration. Actionable Intelligence for Social Policy. https://aisp.upenn.edu/resource-article/consent-brief/

Kim, N. S. (2017). Relative Consent and Contract Law. Nevada Law Journal, 18(1).

Kim, N. S. (2019). Introduction. In Consentability: Consent and Its Limits. Cambridge University Press. https://papers.ssrn.com/abstract=3367917

Kirsh, D. (2019, February 8). How the Belmont Report clarified informed consent. MassDevice. https://www.massdevice.com/how-the-belmont-report-clarified-informed-consent/

National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. (1979). The Belmont Report: Ethical Principles and guidelines for the Protection of Human Subjects of Research. https://www.hhs.gov/ohrp/regulations-and-policy/belmont-report/read-the-belmontreport/index.html

Trust Alliance New Zealand. (n.d.). Easily Share Trusted Data. Retrieved July 1, 2024, from https://trustalliance.co.nz/

Trust framework for digital identity. (n.d.). New Zealand Digital Government. Retrieved July 1, 2024, from https://www.digital.govt.nz/standards-and-guidance/identity/trust-framework/

Turow, J., Lelkes, Y., Draper, N., & Waldman, A. E. (2023). Americans Can’t Consent to Companies’ Use of Their Data: They Admit They Don’t Understand It, Say They’re Helpless to Control It, and Believe They’re Harmed When Firms Use Their Data–Making What Companies Do Illegitimate (SSRN Scholarly Paper 4391134). https://doi.org/10.2139/ssrn.4391134

Verhulst, S. G., Sandor, L., Mejia Pardo, N., Murray, E., & Addo, P. (2024). Responsible Data Re-use in Developing Countries: Social Licence through Public Engagement. Technical Reports, Agence Française de Développement, 76. https://www.afd.fr/en/ressources/responsible-data-re-use-developing-countriessocial-licence-through-public-engagement