Elizabeth M. Renieris, founder of HackyLawyer, wrote this important piece for organizations thinking about consent as part of their #GDPR / #CCPA planning. Adopting the ideas of contextual identity will reduce the risk of your propositions failing.
“‘Contextual integrity ties adequate protection for privacy to norms of specific contexts, demanding that information gathering and dissemination be appropriate to that context and obey the governing norms of distribution within it.’⁴ A simple example of norms of appropriateness is that while I would likely find it acceptable for my doctor to ask about my weight, I likely would not deem it appropriate for my employer to do so. As for norms of distribution, an example is that while I might deem it appropriate for my doctor to share my prescription information with my pharmacist or another doctor or specialist treating me (under the condition that it remains confidential), I probably would not be ok with my doctor sharing the same information with my employer (at least not without my consent). The real world is replete with such easy-to-intuit examples.”
https://medium.com/berkman-klein-center/its-time-for-contextual-identity-ea65f8395123
In 2005 I was thinking about this problem as I tried to build a single view of customer for a conglomerated organization with multiple operating companies and customers interacting with each independently. The solution we came up with was a model where the data was federated and the identity was externalized for the sole purpose of access control.
A customer would maintain an identity that was biometrically authenticated (which could be replaced with SSID), but the data would be held by whichever organization created it. The customer would then manage data sharing contextually at each portal. For example, at the healthcare portal they could enable a limited set of data to be shared with, for instance, an insurance provider for a limited time, or have their career data vault provide authenticated employment history to prospective employers during the application process.
These matters are now more critical than ever as customer awareness, privacy regulation and the availability of technology are converging. Professor Sylvie Delacroix’s work on Trusts, which will act on the collective behalf of customers in how their data is used, is a more effective way of managing this (such trusts are also termed ‘operators’ by the MyData movement).
My belief is that the permissioning system for personal data will be granular, contextual and time-bound, and hopefully revocable. However, we as consumers already struggle to manage more tangible things like money, so managing data will be even more of an undesirable chore. So I feel that the answer lies in organizations that will manage my data on my behalf, and these will more than likely be domain-specific, such as the Challenger Banks under the UK’s Open Banking system.
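To make the granular, contextual, time-bound and revocable permissioning concrete, here is a small sketch of a default-deny release check a data holder could run. It is an added example, not code from the 2005 system or from Renieris's article; the `Grant` fields, the `release` function and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:                      # hypothetical consent record
    subject: str                  # the customer the data is about
    holder: str                   # organization that created and holds the data
    recipient: str                # the only party allowed to receive it
    context: str                  # the purpose the sharing is limited to
    fields: frozenset             # granular: only these attributes
    not_after: datetime           # time-bound
    revoked: bool = False         # revocable by the subject

def release(grants, record, subject, holder, recipient, context, wanted, now):
    """Return only the requested fields covered by a live, matching grant."""
    allowed = set()
    for g in grants:
        if g.revoked or now >= g.not_after:
            continue              # revoked or expired grants release nothing
        if (g.subject, g.holder, g.recipient, g.context) != \
           (subject, holder, recipient, context):
            continue              # wrong party or wrong purpose: no match
        allowed |= g.fields
    return {k: record[k] for k in sorted(wanted) if k in allowed and k in record}

# Constructed sample data for the healthcare-portal scenario.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
RECORD = {"diagnosis": "asthma", "prescriptions": "salbutamol", "weight_kg": 70}
GRANT = Grant("alice", "health-portal", "insurer", "claim-assessment",
              frozenset({"diagnosis"}), NOW + timedelta(days=30))

def demo():
    ask = {"diagnosis", "prescriptions"}      # recipient asks for more than granted
    who = ("alice", "health-portal")
    return {
        "in_context": release([GRANT], RECORD, *who, "insurer", "claim-assessment", ask, NOW),
        "employer": release([GRANT], RECORD, *who, "employer", "claim-assessment", ask, NOW),
        "other_purpose": release([GRANT], RECORD, *who, "insurer", "marketing", ask, NOW),
        "expired": release([GRANT], RECORD, *who, "insurer", "claim-assessment", ask,
                           NOW + timedelta(days=31)),
        "revoked": release([replace(GRANT, revoked=True)], RECORD, *who, "insurer",
                           "claim-assessment", ask, NOW),
    }

if __name__ == "__main__":
    for case, released in demo().items():
        print(case, released)
```

Only the in-context request returns data, and even then only the granted field; every other case falls through to an empty result because nothing is released without a matching live grant.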